CEF Cache events not being sent to sentinel

Hi everybody,

I've been facing this situation regarding to IDM and Sentinel.

I have Identity Manager 4.7.4 and it is configured to send audit events to Sentinel through CEF. Thing is that i'm finding that every once in a while the events are not being sent to Sentinel(consider that Sentinel is always up) and the events are being cached into the file system. 

This cached events are not being sent back to Sentinel

Is there any way to force it to sent the events to Sentinel?

Is there any reason or any configuration i'm missing for it not to sent the events automatically?

Thank you so much in advance

  • Hi there,

    The fact that events are being cached in the file system seems to indicate that at some point the engine is losing the connection with Sentinel. You may be able to find some information at that time on the Sentinel logs. 

    What ends up in the file system? Is it the syslog cache, as per parameter:

    log4j.appender.S.CacheDir=/var/opt/novell/eDirectory

    Or is it the rolling file appender? If it's this last one, this one is not supposed to be sent to Sentinel. If not, is parameter log4j.appender.S.CacheEnabled set to yes?

    If the problem persists, I'd suggest that you open a Service Request and have one of our engineers review your configuration. 

  • Hi Friend, i ened up opening an SR to MicroFocus and we ended up updating the Syslog connector to it's latest Version and the problem was solved, Thank you so much.