Brutus Absent Member.

Unexplained event caching

This one has me stumped. I have a syslog connector on a connector appliance that should be sending events to a logger. The connector is receiving events but is caching them. I've confirmed port 443 connectivity from the conapp to the logger. I've completely recreated the connector as well as the receiver on the logger but no change. I also removed the connector and added it under a different container. No change. Have also confirmed the receiver on the logger is enabled. From everything I know to check it seems like the events should be flowing to the logger instead of caching on the conapp.

When I recreated the connector I got a single event on the corresponding receiver on the logger showing that syslog had started on the conapp. Again syslog events flow in and cache instead of being sent on to the logger. Any ideas what else could be causing this?

Accepted Solutions
Brutus Absent Member.

Re: Unexplained event caching

In this particular case the problem turned out to be the default MTU was too high relative to the MTU of the VPN tunnel the traffic was being sent over. Reducing the MTU seems to have the events flowing better now.

7 Replies
Baileystu Trusted Contributor.

Re: Unexplained event caching

When you recreate a connector, an old connector's remnants may cause you grief. On the conapp, try an emergency restore of the container. This will delete all contents in the container and start you out with a fresh install.

Brutus Absent Member.

Re: Unexplained event caching

Thanks Stuart. I'm not familiar with that process. Where would I find documentation on how to do this?

Baileystu Trusted Contributor.

Re: Unexplained event caching

The connector appliance admin guide. On the setup/Repository tab, click on "Emergency Restore". Follow the prompts. Select the SC version. Select the container to blow away and reinstall the SC from scratch. WARNING: this will delete anything in the container, including any map files, custom parsers, etc.

But in the end you have a pristine SC on the version of your choosing. Consult the guide for the details. Another result of this is that any residual cache files are deleted, which could be causing the caching. If you can get the back-end access to SSH into the conapp you might be able to delete the cache files directly. Good luck.

cnunnery1 Absent Member.

Re: Unexplained event caching

I have a situation where Logger is caching events when sending over a VPN.  I've changed the MTU setting in Red Hat, but haven't had much improvement with event caching.  Do you know if there is an ArcSight specific MTU setting on Logger?

Thanks

Brutus Absent Member.

Re: Unexplained event caching

You can't change it from the web interface but you can do it from command line once you SSH into the logger.

In our case the packets should have been getting across by fragmentation on the router but the fragmentation wasn't working so we had to lower the MTU.

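Added example, not part of the thread and not ArcSight tooling: a shell function that measures the usable path MTU toward a destination by sending pings with the Don't Fragment bit set and binary-searching the payload size, which shows whether a VPN hop is silently dropping full-size packets as described in the reply above. It assumes Linux iputils `ping`; the function names and the hostname in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet that crosses a path unfragmented.
# Assumes Linux iputils ping (-M do sets the Don't Fragment bit).

# probe HOST PAYLOAD_BYTES: succeed if one DF-flagged echo of that size is answered.
# Redefine this function to exercise the search logic without a network.
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOCAL_MTU]: binary-search the ICMP payload size, then print
# payload + 28 (20-byte IPv4 header + 8-byte ICMP header) as the path MTU.
# Prints 0 and returns 1 if even the smallest probe fails (host down or ICMP filtered).
find_path_mtu() {
    host=$1
    local_mtu=${2:-1500}
    lo=40                      # smallest payload tried: a 68-byte packet
    hi=$((local_mtu - 28))     # largest payload the local interface can send
    if ! probe "$host" "$lo"; then
        echo 0
        return 1
    fi
    # Invariant: payload $lo is known to pass; nothing above $hi can pass.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo $((lo + 28))
}

# Usage (logger.example.internal is a placeholder hostname):
#   mtu=$(find_path_mtu logger.example.internal 1500)
#   [ "$mtu" -lt 1500 ] && echo "path MTU is $mtu, below the interface MTU"
```

A result below the sending interface's MTU means full-size packets only get through if something on the path fragments them; when that fragmentation fails, large event batches stall while small packets such as the connection handshake still succeed.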
arcadmin1 Member.

Re: Unexplained event caching

Sorry to resurrect an old post but are you please able to clarify where you changed the MTU settings, was it on the OS or in the ArcSight software? If it was in ArcSight are you able to tell me where this setting was modified? Many thanks!
