0 Replies Latest reply on Oct 20, 2013 7:30 PM by malware-alerts

    CSR 2.0 - ERROR Failed to create Buffer Reader

    malware-alerts

      The Environment:

      • Content Security Reporter 2.0
        • Internal MySQL DB.
      • Feeding CSR with syslogs (CSR format) from eight (8) MEG 7.5 appliances.

       

      The symptoms:

      • "No Data" displayed in CSR queries within ePO
      • CSR's SERVER_ERR.LOG contains many of the following lines:
        • ERROR [com.mcafee.mesa.logparsing.communication.buffer.LogLineBuffer] Failed to create Buffer Reader.: java.io.FileNotFoundException: X:\Program Files\McAfee\Content Security Reporter\reporter\jboss\bin\..\..\tmp\logparsing\buffered\logsource-10\xxx.xx.x x.MEG.CEF.v0.20130910T131409.903Z.3126433191897572831.log (The system cannot find the file specified)
      • Orphaned .INFO file in  \Program Files\McAfee\Content Security Reporter\reporter\tmp\logparsing\buffered\logsource-xx
        • Each .INFO file should have an equivalent .LOG file in the same folder (same name)
      • Many unprocessed .LOG and .INFO files in \Program Files\McAfee\Content Security Reporter\reporter\tmp\logparsing\buffered\logsource-xx

       

      The solution:

      • Open the file logsource-xx.INDEX in \Program Files\McAfee\Content Security Reporter\reporter\tmp\logparsing\buffered\logsource-xx
        • Change the file name (without the extension!) between the following XML tags <currentLogFileBaseName></currentLogFileBaseName> to the name of the next oldest .LOG file in the folder
          • Change the line number between the XML tags <lastReadLineNumber></lastReadLineNumber> to 0
      • Delete the orphaned .INFO file (there should only be 1 without an equivalent .LOG file.)
      • Restart the "McAfee Content Security Reporter Server" service
        • Monitor the \Program Files\McAfee\Content Security Reporter\reporter\tmp\logparsing\buffered\logsource-xx folder and make sure unprocessed files disappear from the folder

       

      My Question:

      • I've had this happen 7-8 times since we started using CSR with MEG7.5 feeding syslogs (2 months ago).
      • It happens to different logsources
      • All orphaned .INFO files are last modified at 12:00am (midnight).


      • Could this be caused by the DB maintenance task that is set to run at 12:00am by default? (12:00am is also the time .LOG files from the different logsources get rotated).
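
The following read-only PowerShell check is an added example, not part of the original post and not McAfee code. It reports, for each logsource-xx folder, the orphaned .INFO files and whether the .INDEX file points at a .LOG that no longer exists. The function name `Get-CsrBufferState` is hypothetical, the .INDEX file is read only through the two XML tags named in the post (the rest of its layout is not assumed), and "oldest" is judged by last-write time, which is an assumption.

```powershell
# Added example: read-only inspection of CSR buffered log folders; it changes nothing.
function Get-CsrBufferState {
    param([Parameter(Mandatory = $true)][string]$BufferRoot)  # ...\reporter\tmp\logparsing\buffered

    foreach ($dir in Get-ChildItem -LiteralPath $BufferRoot -Directory -Filter 'logsource-*') {
        $files    = @(Get-ChildItem -LiteralPath $dir.FullName -File)
        $logs     = @($files | Where-Object { $_.Extension -eq '.log' })
        $logNames = @($logs | ForEach-Object { $_.BaseName })

        # .INFO files with no same-named .LOG beside them (the "orphans" from the post)
        $orphans = @($files | Where-Object {
            $_.Extension -eq '.info' -and $logNames -notcontains $_.BaseName })

        # Pull the two values the post edits by hand out of the .INDEX file
        $base = $null; $line = $null
        $index = $files | Where-Object { $_.Extension -eq '.index' } | Select-Object -First 1
        if ($index) {
            $text = Get-Content -LiteralPath $index.FullName -Raw
            if ($text -match '<currentLogFileBaseName>(.*?)</currentLogFileBaseName>') { $base = $Matches[1] }
            if ($text -match '<lastReadLineNumber>(.*?)</lastReadLineNumber>') { $line = $Matches[1] }
        }

        [pscustomobject]@{
            LogSource        = $dir.Name
            IndexPointsTo    = $base
            LastReadLine     = $line
            # False here matches the FileNotFoundException symptom in SERVER_ERR.LOG
            IndexTargetFound = [bool]($base -and ($logNames -contains $base))
            OrphanedInfo     = $orphans.Name
            # Assumption: last-write time orders the rotated .LOG files
            OldestLog        = ($logs | Sort-Object LastWriteTime | Select-Object -First 1).BaseName
            PendingLogs      = $logs.Count
        }
    }
}

# Constructed demo data in a temp folder (file names are made up, not from a real CSR install)
$root = Join-Path ([IO.Path]::GetTempPath()) ("csr-demo-" + [guid]::NewGuid())
$src  = New-Item -ItemType Directory -Path (Join-Path $root 'logsource-10')
'a.log', 'b.log', 'b.info', 'gone.info' | ForEach-Object {
    New-Item -ItemType File -Path (Join-Path $src.FullName $_) | Out-Null }
Set-Content -LiteralPath (Join-Path $src.FullName 'logsource-10.index') `
    -Value '<currentLogFileBaseName>gone</currentLogFileBaseName><lastReadLineNumber>412</lastReadLineNumber>'

Get-CsrBufferState -BufferRoot $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Scheduling the function shortly after midnight against the real buffered folder would show whether a new orphan appears right after the 12:00am rotation and maintenance window.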