Cached events are not getting uploaded to the Sentinel Server

Cached events are not getting uploaded to the Sentinel Server

Problem Definition

A customer has configured Novell Audit Platform Agent (PA) to Force Caching mode. And along with the Force Caching mode, the “Roll Cache” option is also configured. The PA’s configuration (/etc/logevent.conf) file looks like:

LogCacheLimitAction=roll cache
LogForceCaching=Y


With the configuration, the customer is NOT getting the cached events upload in the Sentinel Server. Platform Agent is getting the events from the logging applications, the same is being sent to local LCache process and LCache is also caching those received events in the local cache files.

Root Cause

In the customer environment, the EPS rate was very low and it was taking more time to fill 2 MB events in the local cache files. With Roll Cache option, unless the current cache file is full (2 MB by default), those events will not be uploaded to the Sentinel Server.

About configuration options

The LogCacheLimitAction option is used to specify the action that should be taken when the cache file reaches its maximum size limit. By default the cache file size is 2 GB (This is without roll cache option. In case of roll cache option this size will be defaulted to 2 MB and multiple cache files will be created).

It takes the following values:

  1. “drop cache” if you want to delete the cached events and start over with any new incoming events.

  2. “roll cache” if you want to create multiple cache files of 2 MB each (2 MB is default size. However, it can be changed using the LogMaxCacheSize option) instead of one 2 GB cache file.


The Roll Cache option is used to create multiple local cache files. By default, without Roll Cache option, the LCache process creates a single cache file that can grow maximum 2 GB. In case of huge events rate (EPS) the Roll Cache option helps to cache events more than 2 GB. The Roll Cache option by default creates multiple cache files of each 2 MB. However, the default max cache file size can be changed using the LogMaxCacheSize option. Please note that the LogMaxCacheSize configuration option takes the file size in bytes.

When the Roll Cache option is used, the cached events will be uploaded to the Sentinel server only when:

  • The cache file size reaches to the max cache file size specified with “LogMaxCacheSize” option (By default 2 MB).

  • The connection between the logging applications (eDir, IDM, NAM etc) is closed.

  • The LCache process is restarted.


When one should use “roll cache” option?

When the EPS rate is huge and the connectivity between the PA and the Sentinel server is not good. This is because in case of huge EPS rate, there is a high chance that the cache file size will reach to 2 GB soon. Once the cache file size reaches to 2 GB either you have to drop the existing 2 GB events or drop the upcoming events beyond 2 GB.

To avoid this situation, use the ‘roll cache’ option that will create multiple small (2 MB each) cache files instead of big single 2 GB cache file.

The Force Caching option is used to instruct the Platform Agent to send events always to local LCache instead of sending them directly to the Sentinel Server.

When one should NOT to use “roll cache” option?

In case of low EPS rate, it is advised NOT to use the roll cache option. If user wants to be safe and use “roll cache” option to avoid the event loss after cache file reaching to 2 GB, they should reduce the cache file size to some smaller size using the “LogMaxCacheSize” option.

Conclusion

In case of low EPS rate (events load), it is advised NOT to use the roll cache option. Because the cached events will not be uploaded to the server till the file size reaches to 2 MB.

If user wants to be safe and use “roll cache” option to avoid the event loss after cache file reaching to 2 GB with default options, they should reduce the cache file size to some smaller size using the “LogMaxCacheSize” option.  The LogMaxCacheSize configuration option takes the file size in bytes.

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
1 of 1
Last update:
‎2015-09-01 01:19
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.