10 Replies Latest reply on Mar 8, 2016 4:37 PM by sssyyy

    Problem to receive logs in erc SIEM

    ricardoraza

      Hi, I have 2 receivers in HA, 1 logger and 1 ESM, each on a separate box.

       

      I have these messages in the receiver

       

       

       

      But when I do a tcpdump I can see that the logs arrive at the SIEM, but the dashboard doesn't show anything.

      I think it is a problem with the memory used, but I am not sure about it; please give me your help and recommendations.

        • 1. Re: Problem to receive logs in erc SIEM
          sssyyy

          On the last line, it appears the ERC has run out of disk space. Check df.

           

          You may need to purge some data files on the receiver:

          1. Stop NitroService to stop data collection

          2. Purge some data files on the receiver

          3. Restart NitroService to enable collection and parsing

          4. Monitor the collection and parsing rate to make sure receiver is working as expected

          5. Check ESM to see if events are pulled back to the ESM GUI.

           

          Hope this helps.
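
The "check df" step above, as an added example that is not part of the thread: a POSIX shell snippet that reads the output of `df -P -k` and answers, in a scriptable way, how much space is left on one mount point and whether it is above a minimum. The embedded df output is constructed for a hypothetical receiver (the device names, sizes and the /data mount point are assumptions, not the poster's df.png); it is sized so the data volume has about 44 GB left, the figure quoted later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read `df -P -k` output and report free space.
# df -P gives the POSIX six-column layout, so column 4 is always "Available" in 1K blocks
# and column 6 is the mount point, whatever the appliance's df version prints otherwise.

# Print free space of one mount point in whole GiB. Exit 1 if the mount is not listed.
free_gib() {
    awk -v mp="$1" '
        NR > 1 && $6 == mp { printf "%d\n", $4 / 1048576; found = 1 }
        END { if (!found) exit 1 }'
}

# Succeed only if MOUNT ($1) has at least MIN_GIB ($2) free; exit 2 if MOUNT is unknown.
has_free_gib() {
    free="$(free_gib "$1")" || return 2
    [ "$free" -ge "$2" ]
}

# Constructed `df -P -k` output for a hypothetical receiver (assumption, not the poster's df.png):
# a 2 TB data volume at 98% with about 44 GB left.
SAMPLE_DF='Filesystem     1024-blocks       Used  Available Capacity Mounted on
/dev/sda2         20641788    9822520    9770712      51% /
/dev/sdb1       1953384064 1907236152   46147912      98% /data
tmpfs              8166788          0    8166788       0% /dev/shm'

# Live use on the appliance (the /data mount point is an assumption; check `df -P -k` first):
#   df -P -k | has_free_gib /data 200 || echo "receiver data volume is below 200 GiB free"
printf '%s\n' "$SAMPLE_DF" | free_gib /data            # prints 44
printf '%s\n' "$SAMPLE_DF" | has_free_gib /data 200 || echo "/data is below 200 GiB free"
```

The threshold is deliberately a parameter: the replies in this thread treat "over 1TB free" as normal for a small receiver and 44 GB as a problem, but the right floor depends on the receiver's retention and what it has to queue for an ELM, so pick it per site rather than hard-coding one.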

          • 2. Re: Problem to receive logs in erc SIEM
            rlourenco

            Hi

             

            I agree with the above user's comments. The last line shows only 44GB of space left. Usually our smaller receivers have over 1TB of space free all the time in standard environments, so it looks like the disk issue is causing performance issues on the receiver. So either it is oversubscribed, or, as I have faced before, if you are logging to an ELM and it is having issues, it may be queuing all the ELM logs on the receiver and running out of space.

             

            what does /var/log/messages say?

            • 3. Re: Problem to receive logs in erc SIEM
              ricardoraza

              Hi, but when I use the df command I have more than 1 TB of free space.

              df.png

               

              Can you explain to me in more detail how to do the steps that you mentioned?

              • 4. Re: Problem to receive logs in erc SIEM
                rlourenco

                Hi

                Please can you add the last lines of /var/log/messages. This should indicate if you have an issue like I had.

                 

                Also see this KB https://kc.mcafee.com/corporate/index?page=content&id=KB82058&actp=null&viewlocale=en_US

                and this one https://kc.mcafee.com/corporate/index?page=content&id=KB77770&pmv=print

                • 5. Re: Problem to receive logs in erc SIEM
                  ricardoraza

                  Hi friend, this is the log on the ESM

                   

                  --------------------------------

                  Feb 27 04:02:01 McAfee logger: run-parts: executing /etc/cron.daily/perl-logrotate-corosync

                  Feb 27 04:02:01 McAfee logger: run-parts: executing /etc/cron.daily/perl-logrotate-auth

                  Feb 27 04:02:01 McAfee logger: run-parts: executing /etc/cron.daily/rpm

                  Feb 27 04:02:01 McAfee logger: run-parts: executing /etc/cron.daily/perl-logrotate-ice

                  Feb 27 04:02:01 McAfee logger: run-parts: executing /etc/cron.daily/ipmisel-cleanup

                  Feb 27 04:02:01 McAfee bootlog: ipmi sel ... [  OK  ]

                  Feb 27 04:03:19 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:05:24 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:07:29 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:09:34 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:11:39 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:13:44 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:13:49 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8546]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 869/61.9 MB, 60.3 MB, 61.9 MB, 867]), abatch=0/0, cbatch=0/0

                  Feb 27 04:15:49 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:16:19 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 04:16:19 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 04:17:54 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:19:59 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:22:04 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:24:09 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:26:14 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:28:19 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:28:50 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8548]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 868/61.9 MB, 60.3 MB, 61.9 MB, 865]), abatch=0/0, cbatch=0/0

                  Feb 27 04:30:24 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:31:30 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 04:31:30 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 04:32:29 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:34:34 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:36:39 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:38:44 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:40:49 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:42:54 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:43:50 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8551]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 870/61.9 MB, 60.3 MB, 61.9 MB, 867]), abatch=0/0, cbatch=0/0

                  Feb 27 04:44:59 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:46:40 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 04:46:40 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 04:47:04 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:49:09 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:51:14 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:53:19 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:55:24 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:57:29 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 04:58:52 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8549]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 887/61.9 MB, 60.3 MB, 61.9 MB, 884]), abatch=0/0, cbatch=0/0

                  Feb 27 04:59:34 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:01:01 McAfee cron[10930]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)

                  Feb 27 05:01:01 McAfee logger: run-parts: executing /etc/cron.hourly/ntpsync

                  Feb 27 05:01:01 McAfee ntp.sh: 27 Feb 05:01:01 ntpdate[10938]: the NTP socket is in use, exiting

                  Feb 27 05:01:01 McAfee logger: run-parts: executing /etc/cron.hourly/trackmem

                  Feb 27 05:01:01 McAfee trackmem[10941]: trackmem called

                  Feb 27 05:01:01 McAfee logger: run-parts: executing /etc/cron.hourly/sysstat.hourly

                  Feb 27 05:01:39 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:01:51 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 05:01:51 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 05:03:44 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:05:49 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:07:52 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:09:14 McAfee [7994]: Data Enrichment McAfee ePO_MRA failed:Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. ErrorCode=0

                  Feb 27 05:09:55 McAfee pdns_recursor[2829]: stats: 3466 questions, 46 cache entries, 0 negative entries, 0% cache hits

                  Feb 27 05:09:55 McAfee pdns_recursor[2829]: stats: throttle map: 4, ns speeds: 4

                  Feb 27 05:09:55 McAfee pdns_recursor[2829]: stats: outpacket/query ratio 199%, 0% throttled, 0 no-delegation drops

                  Feb 27 05:09:55 McAfee pdns_recursor[2829]: stats: 0 outgoing tcp connections, 2 queries running, 489208 outgoing timeouts

                  Feb 27 05:09:55 McAfee pdns_recursor[2829]: stats: 8 packet cache entries, 0% packet cache hits

                  Feb 27 05:09:55 McAfee pdns_recursor[2829]: stats: 0 qps (average over 40394 seconds)

                  Feb 27 05:09:59 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:09:59 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:12:03 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:12:03 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:13:52 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8546]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 874/61.9 MB, 60.3 MB, 61.9 MB, 871]), abatch=0/0, cbatch=0/0

                  Feb 27 05:14:09 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:14:09 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:16:17 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:17:00 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 05:17:00 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 05:18:23 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:20:28 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:22:34 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:22:34 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:24:41 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:26:49 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:28:54 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8546]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 870/61.9 MB, 60.3 MB, 61.9 MB, 867]), abatch=0/0, cbatch=0/0

                  Feb 27 05:28:55 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:28:55 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:31:01 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:31:01 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:32:11 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 05:32:11 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 05:33:07 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:33:07 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:35:14 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:35:14 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:37:20 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:39:25 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:41:30 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:43:35 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:43:54 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8546]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 891/61.9 MB, 60.3 MB, 61.9 MB, 888]), abatch=0/0, cbatch=0/0

                  Feb 27 05:45:40 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:47:21 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 05:47:21 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 05:47:41 McAfee pdns_recursor[2829]: stats: 3466 questions, 46 cache entries, 0 negative entries, 0% cache hits

                  Feb 27 05:47:41 McAfee pdns_recursor[2829]: stats: throttle map: 4, ns speeds: 4

                  Feb 27 05:47:41 McAfee pdns_recursor[2829]: stats: outpacket/query ratio 199%, 0% throttled, 0 no-delegation drops

                  Feb 27 05:47:41 McAfee pdns_recursor[2829]: stats: 0 outgoing tcp connections, 1 queries running, 489260 outgoing timeouts

                  Feb 27 05:47:41 McAfee pdns_recursor[2829]: stats: 8 packet cache entries, 0% packet cache hits

                  Feb 27 05:47:41 McAfee pdns_recursor[2829]: stats: 0 qps (average over 2266 seconds)

                  Feb 27 05:47:45 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:49:51 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:51:57 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:51:57 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:54:03 McAfee last message repeated 2 times

                  Feb 27 05:56:08 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:56:08 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:58:15 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 05:58:55 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8547]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3 MB, 61.9 MB, 11, 891/61.9 MB, 60.3 MB, 61.9 MB, 888]), abatch=0/0, cbatch=0/0

                  Feb 27 06:00:22 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:00:22 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:01:01 McAfee cron[15813]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)

                  Feb 27 06:01:01 McAfee logger: run-parts: executing /etc/cron.hourly/ntpsync

                  Feb 27 06:01:01 McAfee ntp.sh: 27 Feb 06:01:01 ntpdate[15821]: the NTP socket is in use, exiting

                  Feb 27 06:01:01 McAfee logger: run-parts: executing /etc/cron.hourly/trackmem

                  Feb 27 06:01:02 McAfee trackmem[15824]: trackmem called

                  Feb 27 06:01:02 McAfee logger: run-parts: executing /etc/cron.hourly/sysstat.hourly

                  Feb 27 06:02:27 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:02:32 McAfee libJobServer.so[7994]: Content and Version differences exist for ELM configuration file (/etc/NitroGuard/mgtdbloc.conf) in UpdateELMConfigFiles

                  Feb 27 06:02:32 McAfee RefreshThreadClass[7994]: Device Version Change Check reported failure: "Internal Error"

                  Feb 27 06:04:35 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:04:35 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:06:42 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:08:47 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:10:52 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:12:57 McAfee pdns_recursor[2829]: Failed to update . records, RCODE=2

                  Feb 27 06:13:56 McAfee cpserviced[7994]: Resources: (73s, 58e, 8855t, 406r, 103031f, 0q, 161p, [960 KB, 2.10 GB, 372 MB, 548 MB], [4.06 GB, 4.02 GB, 1380, 8550]h, [689 MB, 668 MB, 1105, 760]bt, [708 KB, 683 KB, 1, 89]bs, [2.81 MB, 526 KB, 150, 593]tr, [3.05 GB, 3.05 GB, 110, 112]sq, [154 MB, 153 MB, 9, 4680]fp, [ESSDB: 4.03 MB, 851 KB, 51.3 MB, 29, 13408/3.62 MB, 695 KB, 49.2 MB, 13337], [JobServer: 62.0 MB, 60.3

                   

                  ----------------

                   

                  and on the receiver I have these logs

                   

                  Feb 28 04:02:05 McAfee1 logger: run-parts: executing /etc/cron.daily/perl-logrotate-corosync

                  Feb 28 04:02:09 McAfee1 logger: run-parts: executing /etc/cron.daily/perl-logrotate-auth

                  Feb 28 04:02:11 McAfee1 logger: run-parts: executing /etc/cron.daily/perl-logrotate-ice

                  Feb 28 04:02:12 McAfee1 logger: run-parts: executing /etc/cron.daily/rpm

                  Feb 28 04:02:13 McAfee1 logger: run-parts: executing /etc/cron.daily/ipmisel-cleanup

                  Feb 28 04:02:20 McAfee1 bootlog: ipmi sel ... [  OK  ]

                  Feb 28 04:02:24 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:03:01 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:03:43 McAfee1 IPSDBServerctl[9952]: Info: -- Mark -- 1456632223

                  Feb 28 04:04:01 McAfee1 cron[2056]: (root) CMD (/usr/bin/find /root/.bh -type f -mtime +90 -delete)

                  Feb 28 04:04:05 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:04:29 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:05:10 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:05:15 McAfee1 sync_bookmarks: Failed to sync all the bookmarks

                  Feb 28 04:06:15 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:06:34 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:07:20 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:07:40 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:07:51 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:08:25 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:08:39 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:09:30 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:10:00 McAfee1 Inline[9958]: Event Stats: Uncompressed=25905, Compressed=1181856 (Physical=20271) (1=1181856, 2=0, 3=0) Max=32484 secs Bad Time=25904

                  Feb 28 04:10:00 McAfee1 Inline[9958]: Flow Stats: Uncompressed=0, Compressed=0 (Physical=0) (0=0, 1=0, 2=0, 3=0) Max=0 secs Bad Time=0

                  Feb 28 04:10:16 McAfee1 sync_bookmarks: Failed to sync all the bookmarks

                  Feb 28 04:10:35 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:10:44 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:11:40 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:12:45 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:12:49 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:13:43 McAfee1 IPSDBServerctl[9952]: Info: -- Mark -- 1456632823

                  Feb 28 04:13:50 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:14:05 McAfee1 IPSDBServer[9958]: Resources: (31s, 30e, 601t, 652r, 10910f, 0q, 290p, [289 KB, 0 B, 83.6 MB], [718 MB, 698 MB, 4528]h, [572 MB, 568 MB, 139]bt, [108 KB, 103 KB, 29]bs, [1.08 MB, 353 KB, 324]tr, [55.3 MB, 54.6 MB, 17]sq, [10.1 MB, 9.58 MB, 2035]fp, [NitroInline: 3.57 MB, 3.27 MB, 3.32 MB, 76/872 KB, 598 KB, 636 KB, 66], [libELM: 84.9 MB, 84.6 MB, 84.6 MB, 21/84.9 MB, 84.6 MB, 84.6 MB, 21], [IPSDBServer: 712 KB, 288 KB, 557 KB, 74/584 KB, 288 KB, 470 KB, 52])

                  Feb 28 04:14:54 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:14:55 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:15:18 McAfee1 sync_bookmarks: Failed to sync all the bookmarks

                  Feb 28 04:16:01 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:16:59 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:17:05 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:17:39 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:17:50 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:18:10 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:19:04 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:19:04 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:19:15 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:20:00 McAfee1 Inline[9958]: Event Stats: Uncompressed=28919, Compressed=1230067 (Physical=20869) (1=1230067, 2=0, 3=0) Max=30127 secs Bad Time=28919

                  Feb 28 04:20:00 McAfee1 Inline[9958]: Flow Stats: Uncompressed=0, Compressed=0 (Physical=0) (0=0, 1=0, 2=0, 3=0) Max=0 secs Bad Time=0

                  Feb 28 04:20:19 McAfee1 sync_bookmarks: Failed to sync all the bookmarks

                  Feb 28 04:20:20 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:21:09 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:21:25 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:22:01 McAfee1 cron[6400]: (root) CMD (nice -n 19 run-parts /etc/cron.weekly)

                  Feb 28 04:22:30 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:23:14 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:23:35 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:23:43 McAfee1 IPSDBServerctl[9952]: Info: -- Mark -- 1456633423

                  Feb 28 04:24:40 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:25:19 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:25:21 McAfee1 sync_bookmarks: Failed to sync all the bookmarks

                  Feb 28 04:25:45 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:26:50 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:27:24 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:27:42 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:27:54 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:27:55 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:29:00 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:29:05 McAfee1 IPSDBServer[9958]: Resources: (31s, 30e, 601t, 652r, 10910f, 0q, 290p, [289 KB, 0 B, 83.6 MB], [718 MB, 698 MB, 4527]h, [572 MB, 568 MB, 139]bt, [108 KB, 103 KB, 29]bs, [1.08 MB, 353 KB, 324]tr, [55.3 MB, 54.6 MB, 17]sq, [10.1 MB, 9.58 MB, 2035]fp, [NitroInline: 3.57 MB, 3.27 MB, 3.32 MB, 76/872 KB, 598 KB, 636 KB, 66], [libELM: 84.9 MB, 84.6 MB, 84.6 MB, 21/84.9 MB, 84.6 MB, 84.6 MB, 21], [IPSDBServer: 712 KB, 288 KB, 557 KB, 74/584 KB, 288 KB, 470 KB, 52])

                  Feb 28 04:29:26 McAfee1 pdns_recursor[2461]: stats: 1996 questions, 52 cache entries, 13 negative entries, 0% cache hits

                  Feb 28 04:29:26 McAfee1 pdns_recursor[2461]: stats: throttle map: 4, ns speeds: 4

                  Feb 28 04:29:26 McAfee1 pdns_recursor[2461]: stats: outpacket/query ratio 197%, 0% throttled, 0 no-delegation drops

                  Feb 28 04:29:26 McAfee1 pdns_recursor[2461]: stats: 0 outgoing tcp connections, 1 queries running, 478667 outgoing timeouts

                  Feb 28 04:29:26 McAfee1 pdns_recursor[2461]: stats: 14 packet cache entries, 0% packet cache hits

                  Feb 28 04:29:26 McAfee1 pdns_recursor[2461]: stats: 0 qps (average over 1998 seconds)

                  Feb 28 04:29:29 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:30:00 McAfee1 Inline[9958]: Event Stats: Uncompressed=25704, Compressed=1133877 (Physical=19705) (1=1133877, 2=0, 3=0) Max=33033 secs Bad Time=25703

                  Feb 28 04:30:00 McAfee1 Inline[9958]: Flow Stats: Uncompressed=0, Compressed=0 (Physical=0) (0=0, 1=0, 2=0, 3=0) Max=0 secs Bad Time=0

                  Feb 28 04:30:06 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:30:23 McAfee1 sync_bookmarks: Failed to sync all the bookmarks

                  Feb 28 04:31:10 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:31:32 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:32:15 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:33:20 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:33:37 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:33:43 McAfee1 IPSDBServerctl[9952]: Info: -- Mark -- 1456634023

                  Feb 28 04:34:25 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:35:24 McAfee1 sync_bookmarks: Failed to sync all the bookmarks

                  Feb 28 04:35:30 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:35:42 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:36:35 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:37:40 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:37:40 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:37:47 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:37:52 McAfee1 bootlog: Restarting firewall... [  OK  ]

                  Feb 28 04:38:45 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:39:50 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0

                  Feb 28 04:39:52 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2

                  Feb 28 04:40:00 McAfee1

                   

                  Thanks for your help
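
The two /var/log/messages excerpts above are long enough that counting is more useful than reading. What follows is an added example, not part of the thread, that summarises such an excerpt with the standard tools on any Linux appliance: it collapses repeated messages into templates and counts them (which answers questions such as how often "Restarting firewall" or the pdns_recursor RCODE=2 line appears), totals the Inline "Event Stats" counters to compare events received with events flagged "Bad Time", and pulls the resolver's "outgoing timeouts" counter. The embedded sample is a shortened copy of lines from the receiver excerpt above; the process names and line formats are as they appear there, and nothing about the appliance beyond those line formats is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: triage a /var/log/messages excerpt from an ESM receiver.
# Every function reads syslog lines on stdin, so it works on a pasted excerpt or the live file.

# 1. Collapse repeated messages into templates and count them.
#    Strips the "Mon DD HH:MM:SS host " prefix and the "[pid]", masks runs of digits as N.
message_templates() {
    sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //; s/\[[0-9]+\]//; s/[0-9]+/N/g' |
        sort | uniq -c | sort -rn
}

# 2. Sum the Inline "Event Stats" counters over the excerpt.
#    Prints "<uncompressed events> <events flagged Bad Time> <percent flagged>".
bad_time_ratio() {
    awk '/Inline\[[0-9]+\]: Event Stats:/ {
            for (i = 1; i <= NF; i++) {
                if (sub(/^Uncompressed=/, "", $i)) { sub(/,$/, "", $i); unc += $i }
                else if (sub(/^Time=/, "", $i))   { bad += $i }   # the token after "Bad"
            }
        }
        END { if (unc > 0) printf "%d %d %d\n", unc, bad, 100 * bad / unc; else print "0 0 0" }'
}

# 3. Latest pdns_recursor "outgoing timeouts" counter (health of the local resolver).
dns_timeouts() {
    awk '/pdns_recursor\[[0-9]+\]: stats:/ {
            for (i = 2; i < NF; i++)
                if ($i == "outgoing" && $(i + 1) == "timeouts") last = $(i - 1)
        }
        END { if (last != "") print last }'
}

# Sample input: a shortened copy of the receiver lines posted in this thread (constructed subset).
SAMPLE_LOG='Feb 28 04:02:24 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2
Feb 28 04:03:01 McAfee1 bootlog: nitrodbserver.init DB running. STARTED=1 STOPPING=0
Feb 28 04:04:29 McAfee1 pdns_recursor[2461]: Failed to update . records, RCODE=2
Feb 28 04:05:15 McAfee1 sync_bookmarks: Failed to sync all the bookmarks
Feb 28 04:07:40 McAfee1 bootlog: Restarting firewall... [  OK  ]
Feb 28 04:10:00 McAfee1 Inline[9958]: Event Stats: Uncompressed=25905, Compressed=1181856 (Physical=20271) (1=1181856, 2=0, 3=0) Max=32484 secs Bad Time=25904
Feb 28 04:10:00 McAfee1 Inline[9958]: Flow Stats: Uncompressed=0, Compressed=0 (Physical=0) (0=0, 1=0, 2=0, 3=0) Max=0 secs Bad Time=0
Feb 28 04:20:00 McAfee1 Inline[9958]: Event Stats: Uncompressed=28919, Compressed=1230067 (Physical=20869) (1=1230067, 2=0, 3=0) Max=30127 secs Bad Time=28919
Feb 28 04:29:26 McAfee1 pdns_recursor[2461]: stats: 0 outgoing tcp connections, 1 queries running, 478667 outgoing timeouts
Feb 28 04:30:00 McAfee1 Inline[9958]: Event Stats: Uncompressed=25704, Compressed=1133877 (Physical=19705) (1=1133877, 2=0, 3=0) Max=33033 secs Bad Time=25703'

echo "== repeated messages (count, template) =="
printf '%s\n' "$SAMPLE_LOG" | message_templates
echo "== events in / flagged Bad Time / percent =="
printf '%s\n' "$SAMPLE_LOG" | bad_time_ratio        # prints 80528 80526 99
echo "== pdns_recursor outgoing timeouts =="
printf '%s\n' "$SAMPLE_LOG" | dns_timeouts          # prints 478667
# Live file on the receiver:  tail -n 5000 /var/log/messages | message_templates | head
```

On the sample, nearly every event the Inline process counted is also flagged Bad Time, and the resolver reports several hundred thousand outgoing timeouts; both numbers are visible in the posted lines but easy to miss in the scroll. They are the figures to put in front of support alongside the df output, rather than a conclusion on their own.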

                  • 6. Re: Problem to receive logs in erc SIEM
                    sssyyy

                    Why does the firewall keep restarting? Anyway, check the collection and parsing stats using "dssummary".

                     

                    1. NitroStop (stop receiver service)

                    2. NitroStopped (Confirm all services are stopped)

                    3. DBCheck the alert.dfl (repair any broken tables/partitions)

                    4. Purge some data to free disk space

                    5. NitroStart (start receiver service)

                    6. run dssummary to make sure events are being collected and parsed

                     

                    Why don't you log a ticket with Support, and they can help to sort you out.

                    • 7. Re: Problem to receive logs in erc SIEM
                      ricardoraza

                      Hi, thanks for your help, but I can't open a ticket because the client has a problem with their support.

                       

                      Please can you explain to me a little more how I can do the process that you told me, or can you please give me a KB?

                       

                      Thanks for your help

                      • 8. Re: Problem to receive logs in erc SIEM
                        sssyyy

                        Which part do you need more information on?

                        • 9. Re: Problem to receive logs in erc SIEM
                          ricardoraza

                          Please, with steps 3, 4 and 6.

                           

                          Thanks for your help
