Resolved: ArcSight Logger Appliance fails to back up remotely to CIFS
I recently came across an issue where a Logger appliance would not back up to a Windows server using CIFS, despite the "test" function working correctly on the appliance. The daily archive worked only intermittently. After examining the logs, I found:
INSERT INTO alg_jobresult VALUES (10909, 10, 'Daily Event Archiving Task', 1435546800021, 1435547059410, 'Failed', -5, 'Scheduled archive for [2015-06-27][HR Storage Group] failed: Resource temporarily unavailable');
Referencing /var/log/messages showed a few errors:
Jul 15 20:05:45 logger_appliance kernel: CIFS VFS: No response to cmd 5 mid 19
Jul 15 20:05:45 logger_appliance kernel: CIFS VFS: Send error in Flush = -11
Jul 15 20:06:06 logger_appliance kernel: CIFS VFS: No response for cmd 50 mid 23
Jul 15 20:06:27 logger_appliance kernel: CIFS VFS: server not responding
Jul 15 20:06:27 logger_appliance kernel: CIFS VFS: No response for cmd 50 mid 27
I did some more research after analyzing a packet capture during which this process failed. I found that Windows Server 2003 SP1 and 2008 R2 do not natively accept the SMB FLUSH command. I implemented the following registry change to permit this command:
Value Name: treathostasstablestorage
Registry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
After a reboot of the destination server, the issue was resolved.
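As an added example (not part of the original post), the Python sketch below triages the kernel messages quoted above: it decodes the SMB command numbers and the errno in "Send error in Flush = -11", which is the same "Resource temporarily unavailable" reported by the archive job. It assumes the kernel prints SMB1 command codes in decimal; the function names and lookup tables are illustrative.

```python
import re

# Constructed sample input: the kernel lines quoted in the post above.
SAMPLE = """\
Jul 15 20:05:45 logger_appliance kernel: CIFS VFS: No response to cmd 5 mid 19
Jul 15 20:05:45 logger_appliance kernel: CIFS VFS: Send error in Flush = -11
Jul 15 20:06:06 logger_appliance kernel: CIFS VFS: No response for cmd 50 mid 23
Jul 15 20:06:27 logger_appliance kernel: CIFS VFS: server not responding
Jul 15 20:06:27 logger_appliance kernel: CIFS VFS: No response for cmd 50 mid 27
"""

# SMB1 command codes (MS-CIFS). Assumption: the kernel logs them in decimal.
SMB1_CMD = {5: "SMB_COM_FLUSH", 50: "SMB_COM_TRANSACTION2"}
# Linux errno values, hardcoded because the log comes from a Linux kernel
# even when this script runs on another OS.
LINUX_ERRNO = {11: "Resource temporarily unavailable"}

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: CIFS VFS: (.*)$")
NO_RESP = re.compile(r"No response (?:to|for) cmd (\d+) mid (\d+)")
SEND_ERR = re.compile(r"Send error in (\w+) = -(\d+)")

def triage(text):
    """Return unanswered SMB requests, decoded send errors and a stall flag."""
    report = {"unanswered": [], "send_errors": [], "server_stalled": False}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a CIFS VFS kernel message
        ts, msg = m.groups()
        n, s = NO_RESP.search(msg), SEND_ERR.search(msg)
        if n:
            cmd = int(n.group(1))
            name = SMB1_CMD.get(cmd, f"cmd {cmd}")
            report["unanswered"].append((ts, name, int(n.group(2))))
        elif s:
            code = int(s.group(2))
            text_err = LINUX_ERRNO.get(code, f"errno {code}")
            report["send_errors"].append((ts, s.group(1), text_err))
        elif "server not responding" in msg:
            report["server_stalled"] = True
    return report

def flush_unanswered(report):
    """True when a FLUSH request got no reply from the server."""
    return any(name == "SMB_COM_FLUSH" for _, name, _ in report["unanswered"])

if __name__ == "__main__":
    r = triage(SAMPLE)
    for item in r["unanswered"] + r["send_errors"]:
        print(*item)
    print("FLUSH unanswered:", flush_unanswered(r))
```

Point triage() at the contents of /var/log/messages to check whether failed archive runs line up with unanswered FLUSH requests.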
I hope this helps somebody who has the same issue.
- J.R. Murray