4 Replies Latest reply on Jul 10, 2015 8:01 PM by pepelepuu

    SIEM:-ELM synchronizing Error with ESM

    soji

      Hi,

       

      Faced an issue with ELM: it's not synchronizing with ESM, and I can't access the ELM through SSH and can't ping it; it seems to have hung. So I just restarted the ESM and it seems to be working fine. Below is the log from the ESM regarding the issue; help me figure out the cause of the issue.

       

      Local ESM (144115188075855872),Critical,Blacklist,Error in SSH communication. 0Loss of communication to the Device (10.120.2.127:22). mux_client_request_session: read from master failed: Broken pipe -- ssh: connect to host 10.120.2.127 port 22: No route to host. 

       

      After Restarting ELM the log

      Local ESM (144115188075855872) Informational,Authentication,Error in SSH communication. The subsystem has recovered.

       

      Thank you

      Soji

        • 1. Re: SIEM:-ELM synchronizing Error with ESM
          boneyard

          did you restart the ELM or ESM? i think you will need to look at the logs of the device you restarted to see if there was anything pointing to an issue.

          • 2. Re: SIEM:-ELM synchronizing Error with ESM
            soji

            I restarted the ELM, sorry, typo error.

            And the log which I showed above is from the ESM device regarding ELM, as it lost synchronization with ELM.

             

            And the ELM has mostly these error logs:

            06/28/2015 10:15:09,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

            06/28/2015 10:20:08,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

            06/28/2015 10:25:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

            06/28/2015 10:30:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

            06/28/2015 10:35:10,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

            06/28/2015 10:40:11,,ELM01 (144117387099111424),,,Log retrieval failed from device (SSH connection failed)

            • 3. Re: SIEM:-ELM synchronizing Error with ESM
              boneyard

              that tells you nothing, as you mentioned yourself the ELM was unreachable until a restart, so the ESM could probably also not reach it.

               

              you might be able to find something in the logging of the actual ELM, but i can't tell you exactly where and what. personally i would say if it doesn't happen again ignore it. if it does happen again contact support, they know where to look.

              • 4. Re: SIEM:-ELM synchronizing Error with ESM
                pepelepuu

                Soji,

                For future reference, first thing you do when encountering this is to:

                1. Review the status of the device via the ESMGUI.

                2. Attempt to open a separate SSH session, via putty or something similar, to each device in question.

                3. For each successful login, immediately open your live logs

                - tailf /var/log/messages

                4. Look at the message as you are attempting an ssh session from the other device

                 

                Your messages above point to a number of possibilities. So, I recommend applying the OSI model and working your way up. Do this by asking yourself questions,

                for example, can an SSH session be established to the device from a different host?

                Can I see the device (ping it)?

                Is it in the ESMGUI?

                Can the device make an SSH connection somewhere else?

                Because folks make changes on firewalls or switches without communicating it, check to make sure that port 22 is actually opened, accessible etc...

                Most times I've run into this, I simply had to re-key the device.

                Hope this helps... Good luck

                Joe P.
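
The bottom-up checks described in reply 4, as an added example that is not part of the thread and not McAfee tooling: it maps the standard OpenSSH client error text (such as the "No route to host" in the ESM alert above) to the layer to check first. The function names and layer labels are this example's own, and `probe` assumes Linux `ping` and an OpenSSH client on the host it runs from.

```shell
#!/bin/sh
# Added example: bottom-up triage of a failed SSH link between two appliances.
# Matched strings are standard OpenSSH client messages; the layer labels and
# function names are this example's own (hypothetical) naming.

# classify_ssh_error MSG -> prints the layer to check first
classify_ssh_error() {
  case "$1" in
    # EHOSTUNREACH: peer down or hung, no ARP reply, routing problem, or a
    # firewall rejecting with ICMP host-unreachable/host-prohibited.
    *"No route to host"*|*"Network is unreachable"*) echo "L3-network" ;;
    # SYN silently dropped: firewall or ACL between the devices.
    *"Connection timed out"*)  echo "L4-filtered" ;;
    # Host answers but nothing listens on the port: sshd stopped.
    *"Connection refused"*)    echo "L4-closed" ;;
    # TCP works, trust does not: changed host key or rejected client key.
    *"Host key verification failed"*|*"Permission denied"*) echo "L7-keys" ;;
    *) echo "unknown" ;;
  esac
}

# next_step LAYER -> prints what to verify next
next_step() {
  case "$1" in
    L3-network)  echo "check power/console, link, ARP and routes; ping from a second host" ;;
    L4-filtered) echo "check firewall/switch ACL changes for TCP 22" ;;
    L4-closed)   echo "check sshd on the target from its console" ;;
    L7-keys)     echo "re-key the device" ;;
    *)           echo "tail /var/log/messages on both ends while retrying" ;;
  esac
}

# probe HOST [PORT]: live check; BatchMode prevents password prompts.
probe() {
  p_host=$1; p_port=${2:-22}
  ping -c 2 -W 2 "$p_host" >/dev/null 2>&1 || echo "ping: no reply (ICMP may be filtered)"
  if p_err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 -p "$p_port" "$p_host" true 2>&1); then
    echo "ok"
  else
    next_step "$(classify_ssh_error "$p_err")"
  fi
}

# Sample input: the ESM alert text quoted in the first post.
sample='mux_client_request_session: read from master failed: Broken pipe -- ssh: connect to host 10.120.2.127 port 22: No route to host.'
layer=$(classify_ssh_error "$sample")
echo "$layer: $(next_step "$layer")"
```

Run `probe <device-ip>` from the ESM and again from a second host; differing results between the two point at something on the path rather than the device itself.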