2 Replies Latest reply on Nov 20, 2013 3:56 AM by rohanparath

    Windows and Linux agent troubleshooting

    rohanparath

      Hi All,

       

       

      I have configured a Windows agent to collect Windows logs from the same local system and have also set up the agent to collect application logs from the same server. I see Windows logs getting parsed and coming into the ESM without any issues; however, the application log does not seem to be working. When checking the debug.log file for the agent, I see the below message:

       

      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 DoWork Worker[5540:100] processing plugin[2]
      <134>1 Oct 25 05:20:42 1234 McAfeeEventCollector: INFO 2 Start Plugin started
      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 GetConnection Activating connection: 1
      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 GetConnection Active: 1
      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 Begin connection: 1
      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 Start No data to process, sleeping for 300 seconds; Pausing plugin.
      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 End connection: 1
      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 ReleaseConnection Releasing connection: 1
      <135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 ReleaseConnection Active: 0
      <134>1 Oct 25 05:20:42 1234 McAfeeEventCollector: INFO 2 _pausePlugin Plugin pausing
      <134>1 Oct 25 05:20:42 1234 McAfeeEventCollector: INFO 2 _pausePlugin Plugin paused

       

      So it looks like the agent does not see any data to process. Please find below the screenshot of the configuration of the Windows agent.

       

      Window Agent.jpg

       

      Similarly, I have configured a Linux agent to read application logs from a log file. There as well I encounter the same issue; it looks like I have not configured the agent correctly. Can you please have a look at the configuration and let me know where I am going wrong?

       

      The configuration for the Linux agent is as below:

       

      ##############
      # Collector
      ##############
      bookmark_dir=/var/lib/mcafee/bookmark
      debug_level=info
      log_path=/var/log/mcafee/event_collector.log
      sleep=5
      inactive_sleep=300

      ##############
      # Receiver
      ##############
      rec_ip=10.0.0.20
      rec_port=8081
      rec_encrypt=1

      ##############
      # Plugin
      ##############
      type=filetail
      hostid=
      ft_dir=/opt/APP_HOME_DIR/log
      ft_filter=server.log
      ft_delim=<newline>
      ft_delim_end_of_event=1
      ft_start_top=1

      ==============================================================================================

       

      I have configured the data sources on the ESM and also have the parsers associated with the data sources for the application logs. One question I had is: when collecting application logs, what would be the data source vendor for the data source? I have chosen McAfee. Please let me know if this is right.

      Data Source.jpg

      Thanks for your help

       

      Rohan
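
One way to triage a debug.log like the excerpt in the post, as an added example that is not part of the original post and not McAfee tooling: it decodes the syslog PRI of each line and lists the plugins that went idle with "No data to process". The field layout, and reading the number after the level as the plugin id, are assumptions inferred from the excerpt; `parse_line` and `idle_plugins` are hypothetical names.

```python
import re

# Lines copied from the debug.log excerpt in the post above.
SAMPLE_LOG = """\
<135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 DoWork Worker[5540:100] processing plugin[2]
<134>1 Oct 25 05:20:42 1234 McAfeeEventCollector: INFO 2 Start Plugin started
<135>1 Oct 25 05:20:42 1234 McAfeeEventCollector: DEBUG 2 Start No data to process, sleeping for 300 seconds; Pausing plugin.
<134>1 Oct 25 05:20:42 1234 McAfeeEventCollector: INFO 2 _pausePlugin Plugin paused
"""

# Layout inferred from the excerpt (an assumption, not a documented format):
# <PRI>version timestamp host app: LEVEL plugin_id function message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<app>[^:\s]+): (?P<level>[A-Z]+) (?P<plugin>\d+) (?P<func>\S+) (?P<msg>.*)$"
)
IDLE_RE = re.compile(r"No data to process, sleeping for (\d+) seconds")


def parse_line(line):
    """Return the fields of one collector log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog PRI = facility * 8 + severity (RFC 5424).
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    rec["plugin"] = int(rec["plugin"])
    return rec


def idle_plugins(log_text):
    """Map plugin id -> list of (timestamp, sleep seconds), one entry per idle cycle."""
    idle = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the collector format
        hit = IDLE_RE.search(rec["msg"])
        if hit:
            idle.setdefault(rec["plugin"], []).append((rec["ts"], int(hit.group(1))))
    return idle


if __name__ == "__main__":
    for plugin, cycles in idle_plugins(SAMPLE_LOG).items():
        print(f"plugin {plugin}: {len(cycles)} idle cycle(s), last sleep {cycles[-1][1]}s")
```

A plugin that appears here on every cycle while the source file is growing is reading from the wrong place or cannot read the file, which narrows the check to the plugin's path, filter and file permissions.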