2 Replies Latest reply on Aug 14, 2014 8:44 AM by alexander_h

    Process syslogcollector is not running.

    mgamarra

      Hi.

       

      I have an issue with the SIEM (v9.3.1): since Wednesday I haven't been receiving any events from my data sources.

       

      I checked the ESM logs, and I saw a "Syslog collector state change alert. Process syslogcollector is not running" event.

       

      Since I saw that event in the ESM logs, I'm not receiving any events from any of my data sources.

       

      I tried to start that syslogcollector process, but it didn't work.

       

      When I enter the command:

      $ cd /var/init.d

      $ syslog collector

       

      I get this:

       

      ----- [[ (26) logging categories ]] ----------------

       

        L_ERROR  : fatal exceptions

        L_WARN   : non-fatal exceptional conditions

        L_INFO   : normal program operations

        L_SOURCE : registered datasources

        L_DTBASE : database connection attempts

        L_TCP    : tcp server thread

        L_TCPCON : tcp worker threads

        L_TLS    : tls server thread

        L_TLSCON : tls worker threads

        L_SYSHDR : syslog header parsing

        L_SYSNG  : syslog-ng demux

        L_RELAY  : relay thread

        L_RECONF : reconfiguration

        L_UDP    : udp server thread

        L_AUTDSC : syslog autodiscovery

        L_UNCONF : connections from unconfigured sources

        L_SWEEPR : msgwriter sweeper thread

        L_WRITER : msgwriter writer thread(s)

        L_MSGWRT : msgwriter operations

        L_ALERTS : alerts being sent to NitroEDB

        L_KRPREP : content string matching algorithm

        L_KREXEC : content string matching preparation

        L_EVTFLD : event field definitions

        L_VARERR : var execution failures (normal)

        L_PROTOS : protocol lookup table

        L_TMZONE : timezone translation tables

       

      ----- [[ applied output ]] ------------------------

       

        -> fd : stdout

       

      ----- [[ applied filters ]] -----------------------

       

        +(L_ERROR|L_WARN|L_INFO|L_SOURCE|L_RECONF) : +0x001000460000100f

        +[L_MSGWRT] : +0x0000000000040000

       

      Aug 08 21:18:24 L_INFO   20901|execution parameters

      Aug 08 21:18:24 L_INFO   20901|   (d) data-dir          =/db2/var/log/data/inline/thirdparty.logs

      Aug 08 21:18:24 L_INFO   20901|       writer-threads     =10

      Aug 08 21:18:24 L_INFO   20901|       ad-conf-path       =/etc/NitroGuard/autodisc/syslog.conf

      Aug 08 21:18:24 L_INFO   20901|       ad-spool-dir       =/var/log/data/autodisc/syslog-syslog/spool

      Aug 08 21:18:24 L_INFO   20901|       ad-input-dir       =/var/log/data/autodisc/syslog-syslog/input

      Aug 08 21:18:24 L_INFO   20901|       ad-host-max        =100

      Aug 08 21:18:24 L_INFO   20901|       ad-flush-interval  =30

      Aug 08 21:18:24 L_RECONF 20901|     RECONFIGURING

      Aug 08 21:18:24 L_RECONF 20901|tcp lock . . . acquired

      Aug 08 21:18:24 L_RECONF 20901|udp lock . . . acquired

      Aug 08 21:18:24 L_RECONF 20901|tls lock . . . acquired

      Aug 08 21:18:24 L_SOURCE 20901|query: /usr/local/bin/tpcquery -z -n 'select  ipsid, nolmr, ip_address, mask, hostname, syslog_port, syslog_tls_port, id, aggregate where collector == "syslog" group by ip_address, mask, hostname'

      Aug 08 21:18:24 L_RECONF 20901|[ ]        autodiscovery : disabled -> disabled

      Aug 08 21:18:24 L_RECONF 20901|[ ]     repeater_enabled : 0 -> 0

      Aug 08 21:18:24 L_RECONF 20901|[ ]  repeater_ip_address : 0.0.0.0 -> 0.0.0.0

      Aug 08 21:18:24 L_RECONF 20901|[ ]        repeater_port : 0 -> 0

      Aug 08 21:18:24 L_RECONF 20901|[ ] repeater_ip_address6 : :: -> ::

      Aug 08 21:18:24 L_RECONF 20901|[ ]       repeater_port6 : 0 -> 0

      Aug 08 21:18:24 L_RECONF 20901|[ ]            tcp_ports : [  ] -> [  ]

      Aug 08 21:18:24 L_RECONF 20901|[ ]            udp_ports : [  ] -> [  ]

      Aug 08 21:18:24 L_RECONF 20901|[ ]            tls_ports : [  ] -> [  ]

      Aug 08 21:18:24 L_RECONF 20901|datasources     :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_vipsid       :     0

      Aug 08 21:18:24 L_RECONF 20901|hosts           :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_ipsid        :     0

      Aug 08 21:18:24 L_RECONF 20901|endpoints       :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_subnet       :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_hostname     :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_address_tcp_encrypted :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_address_tcp_uncrypted :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_address_udp_encrypted :     0

      Aug 08 21:18:24 L_RECONF 20901| -> by_address_udp_uncrypted :     0

      Aug 08 21:18:24 L_RECONF 20901|     RECONFIGURED : SUCCESS

      Aug 08 21:18:24 L_INFO   20901|exiting with status: 42

       

      I've added some images that may help.

       

      Thanks.

       


        • 1. Re: Process syslogcollector is not running.
          alexander_h

          Hi, you should try to run "tail -f /var/log/messages" and inspect it for a more specific error. Also, /var/log/data/inline/thirdparty.logs/ should contain multiple folders that correspond to your sources, for example /var/log/data/inline/thirdparty.logs/42/in.

          Check whether you see multiple files under the "in" folder, as it might be spooling them. And still, the best thing is just to restart the problematic receiver first.
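The checks described in this reply, turned into a script as an added example (not code from the thread or from the product): it reports whether a syslogcollector process is alive and counts the files spooled under each <id>/in folder of the thirdparty.logs directory. The 50-file backlog threshold and the process name passed to pgrep are assumptions; with no LOGDIR set it runs against a constructed sample tree.

```shell
#!/bin/sh
# Added example, not part of the thread. Walks <LOGDIR>/<id>/in folders and
# flags sources whose spool is growing; also checks the collector process.
LOGDIR="${LOGDIR:-}"
THRESHOLD="${THRESHOLD:-50}"   # assumed cut-off for "backlog"

# Print "<source-id> <file-count>" for every <id>/in folder under $1.
spool_counts() {
    for d in "$1"/*/in; do
        [ -d "$d" ] || continue
        id=$(basename "$(dirname "$d")")
        n=$(find "$d" -maxdepth 1 -type f | wc -l | tr -d ' ')
        echo "$id $n"
    done
}

# Number of sources with more than $2 spooled files under $1.
backlogged_sources() {
    spool_counts "$1" | awk -v t="$2" '$2 > t { c++ } END { print c+0 }'
}

# 0 if a process named syslogcollector exists (assumed name), else 1.
collector_running() {
    pgrep -x syslogcollector >/dev/null 2>&1
}

# Human-readable summary of process state and per-source spool depth.
report() {
    if collector_running; then echo "syslogcollector: running"
    else echo "syslogcollector: NOT running (check /var/log/messages)"; fi
    spool_counts "$1" | awk -v t="$2" \
        '{ flag = ($2 > t) ? "  <-- backlog" : "";
           printf "source %s: %s spooled file(s)%s\n", $1, $2, flag }'
}

# Constructed sample tree (not real SIEM data): source 42 has 3 files, 43 none.
demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/42/in" "$base/43/in"
    i=0; while [ $i -lt 3 ]; do : > "$base/42/in/f$i"; i=$((i+1)); done
    echo "$base"
}

if [ -n "$LOGDIR" ]; then
    report "$LOGDIR" "$THRESHOLD"
else
    base=$(demo_tree); report "$base" "$THRESHOLD"; rm -rf "$base"
fi
```

On a receiver, run it as `LOGDIR=/var/log/data/inline/thirdparty.logs sh check_spool.sh`; a source whose count keeps climbing between runs is the one the collector is no longer draining.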

          • 2. Re: Process syslogcollector is not running.
            alexander_h

            Also, if I'm not wrong, you are experiencing a known issue resolved in the next patch:

             

            9.3.2 20140108 (Hotfix 1)
            Reference Number   Device     Area         Issue Description
            34312              ESM        Database     Bloom Filters cause a memory leak that could stop the ESM.
            32098              ESM        Other        Kernel Panic on devices.
            34352              Receiver   Collectors   Syslogcollector might become unresponsive (crash) when using relay.
            34278              Receiver   Parsers      ASP will become unresponsive (crash) if any syslog source is idle for 15 minutes.