Shripaty Absent Member.

Issue with syslog connectors


Hi Everyone,

I am having an issue with the syslog connector; it is dropping events due to the file queue becoming full:

I have FWSM and ASA forwarding logs to the following connector. I tried increasing the filequeue size and the number of file queues, but no luck.

Also, I have tried enabling multithreading in the syslog default properties, but it is not forwarding the logs to the manager. Also, it is running on an older version of ArcSight Connector 4

[2015-09-09 10:52:28,095][WARN ][default.com.arcsight.agent.fq.a.e][enableDropMode] File queue now dropping files (464 files)

[2015-09-09 10:52:55,580][INFO ][default.com.arcsight.util.AgentUtil][logfuLog] WatchDog[WatchDog[HTTPTransport:https://sim-.net:8443]]: {IT_ProcessResponse1.lastCheckpointTime=1441792255553}


Accepted Solutions
Shripaty Absent Member.

Restarted and registered the connector again for the changes in the filemaxqueue count to take effect. It started working fine.

Shripaty Absent Member.

[2015-09-08 18:09:18,192][WARN ][default.com.arcsight.agent.fq.a.e][enableDropMode] File queue now dropping events (211 files)

[2015-09-08 18:09:19,744][INFO ][default.com.arcsight.util.AgentUtil][logfuLog] WatchDog[WatchDog[HTTPTransport:https://sim-.net:8443]]: {IT_ProcessResponse1.lastCheckpointTime=1441732104197}

[2015-09-08 18:09:54,383][INFO ][default.com.arcsight.agent.cl.be][resendAlerts] Queue too busy. Unable to resend cached alerts (retries limit reached).

Got the following warning:

[2015-09-08 18:13:29,328][INFO ][default.com.arcsight.agent.cl.bn][terminate] Terminating Event thread [0] id [W2LQrU8BABCAAUcoYQi0OA==].

[2015-09-08 18:13:29,328][INFO ][default.com.arcsight.agent.fq.y][checkStatusLine] E0:W2LQrU8BABCAAUcoYQi0OA==->|11|100:11|31|100:31|12|100:12|184|100:184|82|100:82|11|100:11|16|100:15|11|100:11|36|100:36|205|100:175|21|100:11|10|100:10|24171|100:24171|T|

[2015-09-08 18:13:29,334][WARN ][default.com.arcsight.util.j][kill] Forcing disconnection.

[2015-09-08 18:13:59,337][INFO ][default.com.arcsight.agent.cl.bn][terminate] Event thread [0] id [W2LQrU8BABCAAUcoYQi0OA==] did not terminate.

[2015-09-08 18:13:59,338][INFO ][default.com.arcsight.agent.cl.br][run] Requeueing [17] event lists from thread [W2LQrU8BABCAAUcoYQi0OA==]

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

[2015-09-08 18:13:59,338][ERROR][default.com.arcsight.agent.cl.be][sendAlerts] alerts are null

AS_User Honored Contributor.

What is your connector dropmode set to?

Also, what speed is your ESM persisting events at?

Shripaty Absent Member.

at com.arcsight.agent.bf.b.c.a632759303(c.java:257)

        at com.arcsight.agent.bf.o.h(o.java:126)

        at com.arcsight.agent.bf.o.run(o.java:101)

        at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:728)

        at java.lang.Thread.run(Thread.java:595)

Caused by: com.arcsight.agent.parsers.b: java.lang.NumberFormatException: For input string: "1280(LOCAL\F24451)"

        at com.arcsight.agent.parsers.k.convertToType(k.java:184)

        at com.arcsight.agent.parsers.k.d(k.java:122)

        ... 15 more

Caused by: java.lang.NumberFormatException: For input string: "1280(LOCAL\F24451)"

        at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)

        at java.lang.Integer.parseInt(Integer.java:456)

        at java.lang.Integer.<init>(Integer.java:620)

        at com.arcsight.agent.parsers.k.convertToType(k.java:182)

        ... 16 more

]

[2015-09-09 11:33:01,268][ERROR][default.com.arcsight.agent.loadable.syslog._CiscoPixSubAgent][parseWithParser] [com.arcsight.agent.parsers.b: Unable to convert [1024(LOCAL\H003)] to required type [Integer] for [$4]. Mappings :[com.arcsight.agent.parsers.e@1b595f3, com.arcsight.agent.parsers.e@87ad67, com.arcsight.agent.parsers.e@18952cc, com.arcsight.agent.parsers.e@9af0b1, com.arcsight.agent.parsers.e@300429, com.arcsight.agent.parsers.e@6147d9, com.arcsight.agent.parsers.e@b41166, com.arcsight.agent.parsers.e@1e2481b]

The ESM is receiving heavy amount of it is around 500, I am not sure about the drop mode, but I am getting the following error also.

reswob4 Honored Contributor.

When you say you increased the filequeue size, where did you make that change?  I didn't see that in agent.properties, so I'm looking in other files, but not yet finding....

reswob4 Honored Contributor.

Never mind.  Found relevant KB articles:

KM1365984

KM1271053

KM1271778
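
The connector log lines posted in this thread can be checked for automatically, so that dropped events and parser failures are noticed before they become a gap in the SIEM. The following Python script is an added example, not part of the original posts and not ArcSight tooling; the function name `summarize` and the result keys are assumptions made for illustration, and the sample lines are copied from the posts above.

```python
import re
from collections import Counter

# Lines copied from the posts above; the long "Mappings" list is cut to "[...]".
SAMPLE_LOG = r"""
[2015-09-08 18:09:18,192][WARN ][default.com.arcsight.agent.fq.a.e][enableDropMode] File queue now dropping events (211 files)
[2015-09-08 18:09:54,383][INFO ][default.com.arcsight.agent.cl.be][resendAlerts] Queue too busy. Unable to resend cached alerts (retries limit reached).
[2015-09-08 18:13:29,334][WARN ][default.com.arcsight.util.j][kill] Forcing disconnection.
[2015-09-09 10:52:28,095][WARN ][default.com.arcsight.agent.fq.a.e][enableDropMode] File queue now dropping files (464 files)
[2015-09-09 11:33:01,268][ERROR][default.com.arcsight.agent.loadable.syslog._CiscoPixSubAgent][parseWithParser] [com.arcsight.agent.parsers.b: Unable to convert [1024(LOCAL\H003)] to required type [Integer] for [$4]. Mappings :[...]
"""

# [timestamp][LEVEL][logger][method] message  (LEVEL may be space-padded)
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+) *\]\[(?P<logger>[^\]]+)\]"
                  r"\[(?P<method>[^\]]+)\] (?P<msg>.*)$")
DROP = re.compile(r"File queue now dropping \w+ \((\d+) files\)")
CONVERT = re.compile(r"Unable to convert \[(.*?)\] to required type \[(\w+)\] for \[(\$\d+)\]")
BACKPRESSURE = ("Queue too busy", "Forcing disconnection")

def summarize(log_text):
    """Return event-loss indicators found in connector log text."""
    drops, bad_values = [], []
    parse_failures = Counter()
    backpressure = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and stack-trace frames carry no header
        msg = m["msg"]
        d = DROP.search(msg)
        if d and m["method"] == "enableDropMode":
            drops.append((m["ts"], int(d.group(1))))
        c = CONVERT.search(msg)
        if c:
            value, wanted, token = c.groups()
            parser = m["logger"].rsplit(".", 1)[-1]
            parse_failures[(parser, token, wanted)] += 1
            bad_values.append(value)
        if any(s in msg for s in BACKPRESSURE):
            backpressure += 1
    return {"drops": drops,
            "max_files_reported": max((n for _, n in drops), default=0),
            "parse_failures": parse_failures,
            "bad_values": bad_values,
            "backpressure_lines": backpressure}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any non-empty `drops` list means the connector discarded data for that period, so detections that rely on the affected firewall logs have a blind spot for the same window.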


