Meisch Super Contributor.

What does "starting event flow cache resend" in the agent log on a Bro SmartConnector

This may be a dumb question. I apologize. I see this message come up when tailing my agent.log. I see it start, then start, then stop 4 times then I get this long loggersecureE0:E0:..... (looks like a resource name) with a bunch of |387|100:387, etc...

pbrettle Acclaimed Contributor.

Re: What does "starting event flow cache resend" in the agent log on a Bro SmartConnector

Firstly, it's not a dumb question - don't worry about that!

Mmm, interesting though. Firstly, 'loggersecure' indicates that you are using SmartMessage from the connector to Logger. So the destination is Logger and this seems to be an issue here. I would be looking into what is going on here. Logger uses SmartMessage, which is a simple HTTPS-like carrier for the session and data, so nothing sophisticated here.

But if it's failing to connect or having connection issues, this is what will happen - the connector will fail to send, try to resend and if it fails, will cache the events and make sure the events get through. Simple process, but if the flow of events is failing to get through, the cache will fill. When the connection comes up, the connector will then attempt to flush the cache and send the missing events over. Priority is given to older events first (so we don't lose them), so the longer the connection issue, the bigger the cache.

The issue here is that the connector will attempt to use the maximum bandwidth available (assuming you haven't limited this). If so, it will flood the destination. That's not too much of a problem, but be aware that Logger doesn't have the flow control mechanism that ESM does. So it will just receive and keep processing the data until it can't - and hence cause issues and ultimately the connector to cache again. It does work, but it's somewhat less elegant than the ESM flow control mechanism.

Check in the agentdata folder to see if you have any files. You should have a bunch of files (some are current working files, some are cache files). If you have a lot in here, this problem has been around for a while. If you don't have anything, then this is something else!

But I would work at the connection issue and see what is going on - ping tests, bandwidth and see if you have any missing gaps in events in Logger to see if events are coming in late.
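The two checks suggested in the reply above (how often the resend message appears, and how much has piled up in agentdata) can be scripted; this is an added example, not part of the original post or the product. The timestamp layout of the log lines and the sample lines themselves are assumptions constructed for illustration.

```python
import os
import re
import time
from collections import Counter

RESEND_MARKER = "starting event flow cache resend"  # message quoted in the question
# Assumption: a "YYYY-MM-DD HH:MM:SS" timestamp appears somewhere on each line;
# adjust the pattern to the layout of your own agent.log.
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2}")

def resend_starts_per_hour(lines):
    """Count cache-resend start messages per hour; repeated starts suggest a flapping destination."""
    counts = Counter()
    for line in lines:
        if RESEND_MARKER in line.lower():
            m = TS_RE.search(line)
            counts[m.group(1) + ":00" if m else "unknown"] += 1
    return dict(counts)

def agentdata_backlog(path, now=None):
    """Summarise the agentdata folder: file count, total bytes, age of the oldest file.
    Working files live here too, so compare successive readings rather than one snapshot."""
    now = time.time() if now is None else now
    count, total, oldest = 0, 0, now
    for root, _dirs, files in os.walk(path):
        for name in files:
            st = os.stat(os.path.join(root, name))
            count += 1
            total += st.st_size
            oldest = min(oldest, st.st_mtime)
    return {"files": count, "bytes": total,
            "oldest_age_hours": round((now - oldest) / 3600, 1)}

# Constructed sample lines (not real connector output).
SAMPLE_LOG = [
    "2024-01-10 09:15:02 INFO starting event flow cache resend",
    "2024-01-10 09:15:40 INFO some other message",
    "2024-01-10 09:47:10 INFO Starting event flow cache resend",
    "2024-01-10 10:03:55 INFO starting event flow cache resend",
    "no timestamp here: starting event flow cache resend",
]

if __name__ == "__main__":
    print(resend_starts_per_hour(SAMPLE_LOG))
    # Hypothetical path: point this at your connector's agentdata folder.
    print(agentdata_backlog("agentdata"))
```

A file count and oldest-file age that keep growing between runs point to the destination still not draining the cache.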
