madhyasta Absent Member.

syslog daemon SmartConnector not recognizing events

I have installed syslog daemon SmartConnector version 6.0.7.6901.0 on RHEL 6.1, which listens on UDP 514 for all IPs and forwards the parsed events to a UDP 514 CEF Encrypted SmartConnector, and from there to ESM 6.

Since I installed it, I am only getting syslog smartcon health events in ESM (total event count is that of health and up/down); however, no events are forwarded from the firewalls. tcpdump proves that events from the firewalls are reaching the syslog smartcon without any issue, and there is no firewall setting at the host level either.

What could be the issue? One strange "error" entry in agent.out.wrapper is the one below; could that be a problem? How do I resolve this?

[Fri Jan 10 07:42:57 CST 2014] [INFO ] version: 6.0.7.6901.0

com.arcsight.agent.Agent.baseInit: [ERROR] Unable to get local address, setting to unknown (for now)

[Fri Jan 10 07:42:57 CST 2014] [ERROR] Unable to get local address, setting to unknown (for now)

FATAL EXCEPTION:

Server Certificate export command did not return expected result. Expected [0], returned [1]

Thanks in advance.

TriumphArc Absent Member.

Hi madhyasta,

SmartConnectors should be a very straightforward installation. Can you provide more information? From your statements, I gathered that you installed a SmartConnector syslog daemon on RHEL 6.1. Where is the connector forwarding the data? To an ESM or Logger? When you installed the connector, did it successfully import the cert (cacert)? If you are trying to forward to Logger, double check that the receiver is enabled. You might also want to try and send events to ESM directly and see if that works.

Ahedge Established Member.

Looking at your log file and based on your comments that you are seeing ArcEvents at the ESM, it appears that the connector is sending events out to 10.131.132.88 successfully.

You have the connector set up as a "Syslog Daemon will use a File Queue."  Are you sure that you have configured the Syslog connector properly?

madhyasta Absent Member.

Thanks PT and Arthur for the suggestion. The earlier uploaded log is of a different instance, sorry, my bad. I have attached the right log now. The syslog daemon smartcon is registered with an intermediate CEF encrypted UDP smartconnector listening on 514 UDP; from here the events are forwarded to ESM. I am able to see the health events of both the intermediate and syslog smartconnector at ESM, so there isn't any problem with the flow. I have also run tcpdump on the syslog smartcon and confirm that it is receiving packets from the firewalls on port 514. It's just the connector which is failing to capture them is what I am narrowing on; is it the error in agent wrapper out causing the issue?

madhyasta Absent Member.

I was able to solve the problem with certificates with the help of this thread https://protect724.arcsight.com/message/36231#36231

Now I am able to get the local OS events sent via the rsyslog daemon to its own IP. However, the remote events sent from the firewalls are not. I can still see the error "[ERROR] Unable to get local address, setting to unknown (for now)" and suspect some problem here, but can't figure out the reason.

Any help here is appreciated, thanks.

Prashant

jring1 Frequent Contributor.

Regarding the parsing problem - have you tried setting the "preserve raw event" option to yes in order to have a look at what rsyslog actually throws at your connector? You might also post some cleaned lines - maybe somebody here has an idea...

I have had funny results with syslog forwarding and rsyslog too - we never found a solution in our case and used the "swiss pocket chainsaw" approach - that is, some rewrite rules in syslog-ng (which we always use together with a syslog-file connector instead of a syslog-daemon connector) to fix the broken lines...

But in your case with a syslog daemon connector this is not an option.

Joachim

madhyasta Absent Member.

The error "Unable to get local address" was related to some DNS issue. I fixed it; however, the problem still persists. I am not getting any remote logs sent to this syslog daemon. I have enabled preserve raw event, but where do I check that? I am not able to see any event in ESM though?

jring1 Frequent Contributor.

Hi,

can you do a "tcpdump port 514" as root on the RHEL box to make very sure that it's not a syslog forwarding problem?

Joachim

madhyasta Absent Member.

No, I have verified this; I can see all the events hitting the smartcon host. How can I look at the RAW event after enabling preserve raw event? Can there be any issue with event headers?

Micro Focus Expert

Hi! You should add a second destination to your syslog daemon connector, which sends all parsed events to a destination where you can troubleshoot. For example, create a CEF UDP Syslog destination (unencrypted) to localhost with an unused port. Then you can get all the output by netcat'ing this port and verify there is no issue with your second forwarding connector in the event flow.

If you enable raw event preserving for this output you may see the CEF events with the raw event data in it (as a key-value pair).

Also let us know the informative log snippet from agent.out.wrapper.log and agent.log, so we don't scruff our crystal ball.

br Tobias

jring1 Frequent Contributor.

Hi,

the 127.0.0.1:10001 messages refer to the Apache Coyote HTTP Component... I am quite sure that this is not the syslog listener...

But to be sure, please do a (change 514 to the syslog port configured in agent.properties)

netstat -nap | grep 514.*LISTEN

and post the output. This should show a line for udp or tcp (depending on connector config) with Local Address 0.0.0.0:514 for listening to any interface or a specific IP address if you bound it to only one interface.

The program name in the last column should be java and not rsyslog...

Joachim



madhyasta Absent Member.

Thanks, will try the second destination option. Below is the log snippet.

agent.out.wrapper:

INFO   | jvm 1    | 2014/01/22 03:19:11 | Copyright © 2001-2013 Hewlett-Packard Development Company, L.P.

INFO   | jvm 1    | 2014/01/22 03:19:11 | Confidential commercial computer software. Valid license required.

INFO   | jvm 1    | 2014/01/22 03:19:11 |

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] ArcSight Home: /opt/arcsight/syslog_fwcon/current

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] JVM name: Java HotSpot(TM) Server VM

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] JVM path: /opt/arcsight/syslog_fwcon/current/jre

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] JVM vendor: Sun Microsystems Inc.

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] JVM version: 20.45-b01

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] Memory: 240 Megabytes (237564672/251658240)

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] OS: Linux Version: 2.6.32-220.el6.x86_64 i386

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] User: root

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] Working Directory: /opt/arcsight/syslog_fwcon/current/bin/wrapper/linux

INFO   | jvm 1    | 2014/01/22 03:19:11 | [Wed Jan 22 03:19:11 CST 2014] [INFO ] version: 6.0.7.6901.0

INFO   | jvm 1    | 2014/01/22 03:19:13 | [Wed Jan 22 03:19:13 CST 2014] [WARN ] Starting remote management web services...

INFO   | jvm 1    | 2014/01/22 03:19:13 | [Wed Jan 22 03:19:13 CST 2014] [INFO ] Attempting to start tomcat ...

INFO   | jvm 1    | 2014/01/22 03:19:13 | [Wed Jan 22 03:19:13 CST 2014] [INFO ] Starting remote management server [org.apache.catalina.startup.Embedded/1.0] with default context root [jsp Second Listener port [10001] host [localhost]

INFO   | jvm 1    | 2014/01/22 03:19:13 | [INFO] Embedded - Starting tomcat server

INFO   | jvm 1    | 2014/01/22 03:19:14 | [INFO] StandardEngine - Starting Servlet Engine: Apache Tomcat/5.5.33

INFO   | jvm 1    | 2014/01/22 03:19:14 | [INFO] StandardHost - XML validation disabled

INFO   | jvm 1    | 2014/01/22 03:19:14 | [INFO] ContextConfig - No default web.xml

INFO   | jvm 1    | 2014/01/22 03:19:14 | [INFO] Http11BaseProtocol - Initializing Coyote HTTP/1.1 on http-localhost%2F127.0.0.1-10001

INFO   | jvm 1    | 2014/01/22 03:19:14 | [INFO] Http11BaseProtocol - Starting Coyote HTTP/1.1 on http-localhost%2F127.0.0.1-10001

INFO   | jvm 1    | 2014/01/22 03:19:14 | [Wed Jan 22 03:19:14 CST 2014] [INFO ] Initializing Agent Framework Version [6.0.7.6901.0]

INFO   | jvm 1    | 2014/01/22 03:19:15 | [Wed Jan 22 03:19:15 CST 2014] [INFO ] Memory monitor started, heap limit: 240.0 MB

INFO   | jvm 1    | 2014/01/22 03:19:15 | [Wed Jan 22 03:19:15 CST 2014] [INFO ] Initializing agent flow for destination [<?xml version="1.0" encoding="UTF-8"?>

INFO   | jvm 1    | 2014/01/22 03:19:15 | <ParameterValues>

INFO   | jvm 1    | 2014/01/22 03:19:15 |     <Parameter Name="port" Value="514"/>

INFO   | jvm 1    | 2014/01/22 03:19:15 |     <Parameter Name="protocol" Value="Encrypted UDP"/>

INFO   | jvm 1    | 2014/01/22 03:19:15 |     <Parameter Name="host" Value="192.85.48.224"/>

INFO   | jvm 1    | 2014/01/22 03:19:15 |     <Parameter Name="sharedKey" Value="OBFUSCATE.4.8.1:Rt5Q1Rt5sqiMVF8N1RkJ+vmgzRQCg3ox"/>

INFO   | jvm 1    | 2014/01/22 03:19:15 | </ParameterValues>

INFO   | jvm 1    | 2014/01/22 03:19:15 | ]

INFO   | jvm 1    | 2014/01/22 03:19:15 | [GC 98304K->6631K(245760K), 0.0331500 secs]

INFO   | jvm 1    | 2014/01/22 03:19:15 | [Wed Jan 22 03:19:15 CST 2014] [INFO ] Zone based filtering disabled.

INFO   | jvm 1    | 2014/01/22 03:19:15 | [Wed Jan 22 03:19:15 CST 2014] [INFO ] HTTP Compression enabled.

INFO   | jvm 1    | 2014/01/22 03:19:15 | [Wed Jan 22 03:19:15 CST 2014] [INFO ] Syslog Daemon will use a File Queue.

INFO   | jvm 1    | 2014/01/22 03:19:16 | [GC 104935K->9825K(245760K), 0.0233650 secs]

INFO   | jvm 1    | 2014/01/22 03:19:17 | [GC 108129K->10089K(245760K), 0.0143170 secs]

INFO   | jvm 1    | 2014/01/22 03:19:17 | [Wed Jan 22 03:19:17 CST 2014] [INFO ] Forwarding messages to [192.85.48.224] port [514] protocol [UDP]

INFO   | jvm 1    | 2014/01/22 03:19:17 | [Wed Jan 22 03:19:17 CST 2014] [INFO ] ET[CEF Encrypted Syslog (UDP)[{port=514, protocol=Encrypted UDP, host=192.85.48.224, sharedKey=*****}]] up.

INFO   | jvm 1    | 2014/01/22 03:19:17 | [Wed Jan 22 03:19:17 CST 2014] [INFO ] Name resolution will set host name only for Connector [pcc_syslog_fwcon]

INFO   | jvm 1    | 2014/01/22 03:19:17 | [Wed Jan 22 03:19:17 CST 2014] [INFO ] Created all streams/readers for the file[/opt/arcsight/syslog_fwcon/current/user/agent/agentdata/3c5sptUMBABCAA3yycA3TIw==_queue.syslogd.0] successfully.

INFO   | jvm 1    | 2014/01/22 03:19:17 | [Wed Jan 22 03:19:17 CST 2014] [INFO ] Agent [pcc_syslog_fwcon] started.

INFO   | jvm 1    | 2014/01/22 03:19:17 | [Wed Jan 22 03:19:17 CST 2014] [INFO ] {C=0, ET=Up, HT=Down, N=pcc_syslog_fwcon}

INFO   | jvm 1    | 2014/01/22 03:19:17 | [Wed Jan 22 03:19:17 CST 2014] [INFO ] Agent upgrade status check thread started

INFO   | jvm 1    | 2014/01/22 03:19:19 | [Wed Jan 22 03:19:19 CST 2014] [INFO ] First event from [ArcSight|ArcSight|10.131.132.88|uspldfarc01] received.

INFO   | jvm 1    | 2014/01/22 03:19:27 | [GC 108393K->10914K(245760K), 0.0353670 secs]

INFO   | jvm 1    | 2014/01/22 03:20:09 | [Wed Jan 22 03:20:09 CST 2014] [INFO ] First event from [Unix|Unix||uspldfarc01] received.

INFO   | jvm 1    | 2014/01/22 03:20:17 | [Wed Jan 22 03:20:17 CST 2014] [INFO ] {Eps=0.03333333333333333, Evts=2}

INFO   | jvm 1    | 2014/01/22 03:20:17 | [Wed Jan 22 03:20:17 CST 2014] [INFO ] {C=0, ET=Up, HT=Down, N=pcc_syslog_fwcon, S=2, T=0.03319612269286947}

INFO   | jvm 1    | 2014/01/22 03:21:17 | [Wed Jan 22 03:21:17 CST 2014] [INFO ] {Eps=0.43333333333333335, Evts=28}

INFO   | jvm 1    | 2014/01/22 03:21:17 | [Wed Jan 22 03:21:17 CST 2014] [INFO ] {C=0, ET=Up, HT=Down, N=pcc_syslog_fwcon, S=2, T=0

Also the thread dump below: is it telling that it's monitoring only 127.0.0.1 / localhost? Could this be a problem?

INFO   | jvm 2    | 2014/01/21 13:05:01 | "Thread-1" prio=10 tid=0xdf510000 nid=0x2497 waiting on condition [0xdbc5c000]

INFO   | jvm 2    | 2014/01/21 13:05:01 |    java.lang.Thread.State: TIMED_WAITING (sleeping)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Thread.sleep(Native Method)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.sd.a.readLogFile(a.java:1733)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.sd.a.getThreadDumpWrapper(a.java:2019)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.sd.a.getThreadDump(a.java:1856)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.sd.a.doThreadDump(a.java:1828)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.util.a.d.a(d.java:225)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.transport.b.a.dispose(a.java:633)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.Agent.i(Agent.java:1833)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - locked <0xf2770720> (a com.arcsight.agent.Agent)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at com.arcsight.agent.Agent$1.run(Agent.java:276)

INFO   | jvm 2    | 2014/01/21 13:05:01 |

INFO   | jvm 2    | 2014/01/21 13:05:01 | "http-localhost%2F127.0.0.1-10001-Processor8" daemon prio=10 tid=0x0a706000 nid=0x23c3 in Object.wait() [0xdbcad000]

INFO   | jvm 2    | 2014/01/21 13:05:01 |    java.lang.Thread.State: WAITING (on object monitor)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Native Method)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - waiting on <0xf2770130> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Object.java:485)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:661)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - locked <0xf2770130> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Thread.run(Thread.java:662)

INFO   | jvm 2    | 2014/01/21 13:05:01 |

INFO   | jvm 2    | 2014/01/21 13:05:01 | "http-localhost%2F127.0.0.1-10001-Processor7" daemon prio=10 tid=0x09f2d400 nid=0x23c2 in Object.wait() [0xdbcfe000]

INFO   | jvm 2    | 2014/01/21 13:05:01 |    java.lang.Thread.State: WAITING (on object monitor)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Native Method)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - waiting on <0xf27701e8> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Object.java:485)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:661)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - locked <0xf27701e8> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Thread.run(Thread.java:662)

INFO   | jvm 2    | 2014/01/21 13:05:01 |

INFO   | jvm 2    | 2014/01/21 13:05:01 | "http-localhost%2F127.0.0.1-10001-Processor6" daemon prio=10 tid=0x0a02c800 nid=0x23c1 in Object.wait() [0xddf5c000]

INFO   | jvm 2    | 2014/01/21 13:05:01 |    java.lang.Thread.State: WAITING (on object monitor)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Native Method)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - waiting on <0xf2770290> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Object.java:485)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:661)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - locked <0xf2770290> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Thread.run(Thread.java:662)

INFO   | jvm 2    | 2014/01/21 13:05:01 |

INFO   | jvm 2    | 2014/01/21 13:05:01 | "http-localhost%2F127.0.0.1-10001-Processor5" daemon prio=10 tid=0x0a2c3800 nid=0x23c0 in Object.wait() [0xdca80000]

INFO   | jvm 2    | 2014/01/21 13:05:01 |    java.lang.Thread.State: WAITING (on object monitor)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Native Method)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - waiting on <0xf2770338> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Object.java:485)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:661)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - locked <0xf2770338> (a org.apache.tomcat.util.threads.ThreadPool$ControlRunnable)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Thread.run(Thread.java:662)

INFO   | jvm 2    | 2014/01/21 13:05:01 |

INFO   | jvm 2    | 2014/01/21 13:05:01 | "BatchFlushTask" daemon prio=10 tid=0xdbafac00 nid=0x23b7 in Object.wait() [0xddffe000]

INFO   | jvm 2    | 2014/01/21 13:05:01 |    java.lang.Thread.State: WAITING (on object monitor)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Native Method)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - waiting on <0xf2770448> (a java.util.TaskQueue)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Object.java:485)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.util.TimerThread.mainLoop(Timer.java:483)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - locked <0xf2770448> (a java.util.TaskQueue)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.util.TimerThread.run(Timer.java:462)

INFO   | jvm 2    | 2014/01/21 13:05:01 |

INFO   | jvm 2    | 2014/01/21 13:05:01 | "Lock File Timer" prio=10 tid=0xdd4ffc00 nid=0x23b5 in Object.wait() [0xdc5ad000]

INFO   | jvm 2    | 2014/01/21 13:05:01 |    java.lang.Thread.State: TIMED_WAITING (on object monitor)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.lang.Object.wait(Native Method)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - waiting on <0xf27706e0> (a java.util.TaskQueue)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.util.TimerThread.mainLoop(Timer.java:509)

INFO   | jvm 2    | 2014/01/21 13:05:01 | - locked <0xf27706e0> (a java.util.TaskQueue)

INFO   | jvm 2    | 2014/01/21 13:05:01 | at java.util.TimerThread.run(Timer.java:462)

madhyasta Absent Member.

syslog port configured in agent.properties is 514.

netstat -nap | grep 514.*LISTEN

The above command doesn't return anything; however, without .*LISTEN, below is the returned message.

# netstat -nap | grep 514

udp        0      0 :::514                      :::*                                    4158/java

jring1 Frequent Contributor.

Hi,

erm, are you in an IPv6 only environment? The netstat output certainly looks like it... :::514 is the same as 0.0.0.0:514 only in IPv6.

If you're running IPv4 only, the connector probably has seen the IPv6 link-local address which a dual-stack OS will assign automagically and incorrectly assumed that it was running in an IPv6 environment. You can see that in the ifconfig -a output and recognize it by looking for some ipv6 address starting with fe80 like the one below and no other inet6 address:

inet6 addr: fe80::21f:29ff:fe02:1855/64 Scope:Link

If that is the case, please file a bug against the connector, since a link-local IPv6 address DOES NOT mean that the box is using IPv6, only that it could if it was being used in an IPv6 environment.

As a quick fix until support coughs up a solution you could try to disable ipv6 on the Dead Rat Box if you're not using it... see Red Hat Forum - How to disable ipv6 on Red Hat Linux 6 - Proxar Ltd

Regards,

Joachim
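
The check described in the answer above, as an added example that is not part of the original thread and not ArcSight code: it parses `netstat -nap` and legacy `ifconfig -a` text to report how a port is bound and whether the host has any IPv6 address beyond link-local or loopback. The sample inputs are constructed from the lines quoted in the thread; the function names, the 192.0.2.10 address and the choice to ignore `::1` (Scope:Host) are assumptions.

```shell
#!/bin/sh
# Added example. Sample text is constructed, modelled on the netstat and
# ifconfig lines quoted in the thread (192.0.2.10 and the HWaddr are samples).
NETSTAT_SAMPLE='udp        0      0 :::514                      :::*                                    4158/java
tcp        0      0 127.0.0.1:10001             0.0.0.0:*                   LISTEN      4158/java'

IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:1F:29:02:18:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:29ff:fe02:1855/64 Scope:Link
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host'

# Print "<proto> <local-address>" for sockets bound to port $1 (netstat text
# on stdin). Matches on the port field itself: UDP sockets have no LISTEN
# state in netstat, and a bare "grep 514" also hits PIDs or ports like 5140.
listener_bind() {
  awk -v port="$1" '
    $1 ~ /^(udp|tcp)/ {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      print $1, substr($4, 1, length($4) - length(parts[n]) - 1)
    }'
}

# Map a local address to the kind of bind it represents.
classify_bind() {
  case "$1" in
    ::)      echo ipv6-wildcard ;;
    0.0.0.0) echo ipv4-wildcard ;;
    *)       echo specific ;;
  esac
}

# Count inet6 addresses that are neither link-local (fe80, Scope:Link)
# nor loopback (Scope:Host); ifconfig -a text on stdin.
count_nonlocal_inet6() {
  awk '/inet6 addr:/ && $0 !~ /Scope:(Link|Host)/ { n++ } END { print n + 0 }'
}

# $1 = port, $2 = netstat text, $3 = ifconfig text.
# Flags the combination the answer describes: IPv6 wildcard bind on a host
# whose only inet6 addresses are link-local/loopback.
diagnose() {
  d_bind=$(printf '%s\n' "$2" | listener_bind "$1" | head -n 1)
  if [ -z "$d_bind" ]; then echo no-listener; return 0; fi
  d_kind=$(classify_bind "${d_bind#* }")
  d_global=$(printf '%s\n' "$3" | count_nonlocal_inet6)
  if [ "$d_kind" = ipv6-wildcard ] && [ "$d_global" -eq 0 ]; then
    echo ipv6-wildcard-linklocal-only
  else
    echo "$d_kind"
  fi
}

# On a live host (as root): diagnose 514 "$(netstat -nap)" "$(ifconfig -a)"
diagnose 514 "$NETSTAT_SAMPLE" "$IFCONFIG_SAMPLE"
```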

madhyasta Absent Member.

Thanks a lot Joachim, that solved the problem.
