Summary
The issue is caused by the log file having the wrong owner.
Products
ArcSight Standard Connectors
Environment
RHEL 8.2
Flex Connector 8.3
Situation
The connector does not read the log file continuously. It only reads logs after being restarted.
Cause
The issue comes from the log file owner: it is dataloader:dataloader, whereas the connector is running as root. This prevents the connector from reading the log file continuously.
Resolution
Configure the device to generate the event log files as root:root.
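To confirm the cause before and after applying the resolution, the following check lists files in the monitored folder whose owner:group differs from the account the connector runs as. It is an added example, not part of the original article or the product; the function name check_log_owner and the folder path in the usage comment are assumptions.

```shell
#!/bin/sh
# check_log_owner DIR OWNER:GROUP
# Prints "owner:group mode path" for every regular file in DIR whose
# owner:group differs from OWNER:GROUP.
# Returns 0 if every file matches, 1 if any file differs, 2 on bad arguments.
# Relies on GNU stat (-c), as shipped with RHEL.
check_log_owner() {
    dir=$1
    expected=$2
    if [ ! -d "$dir" ] || [ -z "$expected" ]; then
        echo "usage: check_log_owner DIR OWNER:GROUP" >&2
        return 2
    fi
    mismatches=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip subdirectories and an empty glob
        actual=$(stat -c '%U:%G' "$f")
        if [ "$actual" != "$expected" ]; then
            # Report the mode too, so ownership and permissions are seen together.
            printf '%s %s %s\n' "$actual" "$(stat -c '%a' "$f")" "$f"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Usage (the folder path is a placeholder for the connector's monitored folder):
#   check_log_owner /path/to/monitored/folder root:root
```

In the situation described here, files written by the device would be reported as dataloader:dataloader until the device is reconfigured.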
Additional note
The following changes in agent.properties might also be needed:
agents[0].foldertable[0].startatend=true -> agents[0].foldertable[0].startatend=false
agents[0].foldertable[0].maxretries=-1 -> agents[0].foldertable[0].maxretries=10
agents[0].foldertable[0].usealternaterotationdetection=false -> agents[0].foldertable[0].usealternaterotationdetection=true
agents[0].foldertable[0].monitoringinterval=-1 -> agents[0].foldertable[0].monitoringinterval=10
agents[0].foldertable[0].processingthreshold=3600000 -> agents[0].foldertable[0].processingthreshold=-1
agents[0].foldertable[0].processingtimeout=120000 -> agents[0].foldertable[0].processingtimeout=-1
-------
The settings below might also be important and may need to be added:
agents[0].foldertable[0].processingthreshold=-1 -> agents[0].foldertable[0].processingthreshold=1000
agents[0].foldertable[0].processingtimeout=-1 -> agents[0].foldertable[0].processingtimeout=1000
URL Name
KM000008356