Blue Coat Connector Not Processing Events
I have installed the latest version of the Smart Connector 7.1.2 for Blue Coat and now I am having trouble processing the events. I checked the agent logs and I am not seeing anything significant.
I think there might be a setting (s) in the agent. properties that needs to be changed but not sure what. I'm also getting thread dumps that mention heap memory and non-heap memory but not sure what is going on.
Anybody have any ideas? Thank you
There's two methods for collecting BlueCoat Logs. Which acquisition method are you using, the MultiServerFile or Syslog?
- If syslog
- If MultiServerFile
If the connector is in fact stopping, you would see some indication of that in the logs. Share them with us if you can. Before editing agent.properties, you should be aware of what problem specifically you are trying to fix, as you could further complicate the problem by altering something else.
Lastly, the events that you momentarily see, are they fully parsed events? If you could provide any further details, it'd help with the troubleshooting a lot.
I agree with Richard,
First: How are you aquiring the logs? syslog or multiserverfile, or something else?
In the connector status, it is stopped? Or are you simply not seeing events? When you see events stop coming in, tail the connector parsing file, is the last event the same?
Don't forget that BlueCoat is a very intense data feed. Depending on the size of your organization you may need to increase the memory. Our BlueCoat connectors are configured with 1-2GB. If you do have high EPS BlueCoat connectors you can also increase the http.transport.threadcount setting. This is used for the Logger destination only. That stopped our caching issue to our Logger.
Could you post the output of the agent.out.wrapper.log? You mention that after it processes a file it would stop after a few seconds. Does is start processing again after a while? BlueCoat by default drops logs every 10 minutes so it's normal to see it process the file then just sit there for a few minutes until a new file arrives. This applies to the BlueCoat multiserverfile connector.