Anonymous_User Absent Member.

Duplicated events collected on Sentinel server.


Dear All,

I'd like to ask whether you have noticed the same kind of issue in a
Sentinel environment. From time to time we observe duplicated events on
the Sentinel server. For example: someone logs in to a Red Hat server and,
instead of collecting one event, we found 1800 of them on the event console
and also in the raw data stored on Sentinel. At first we thought it was
caused by a non-simple configuration on the Red Hat side, but at almost the
same time we caught a similar incident, this one generated by a Windows
server. So my question is: have you observed the same kind of issue?

Arek M.

ps. Sentinel 7.3.1


--
arekmacak
Knowledge Partner

Re: Duplicated events collected on Sentinel server.

On 02/03/2016 02:44 AM, arekmacak wrote:
>
> Dear All,
>
> I'd like to ask whether you have noticed the same kind of issue in a
> Sentinel environment. From time to time we observe duplicated events on
> the Sentinel server. For example: someone logs in to a Red Hat server and,
> instead of collecting one event, we found 1800 of them on the event console
> and also in the raw data stored on Sentinel. At first we thought it was
> caused by a non-simple configuration on the Red Hat side, but at almost the
> same time we caught a similar incident, this one generated by a Windows
> server. So my question is: have you observed the same kind of issue?


Not unless the external systems (RHEL, etc.) sent multiple events in some
form. Seeing 1800 events instead of one seems like a pretty big problem.
If you see it in the raw data, then that would seem to be pretty
conclusive as to the source of the problem. You could use the Raw Data
Tap for quickly looking to see which event source picked up the event (did
they really all come from that one system?) or the connector dump to write
out and see the events either for analysis or later replay (testing a
collector).

--
Good luck.
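
One way to run the check suggested in this reply over exported raw records, as an added example that is not part of the original thread or of Sentinel's own tooling. It assumes a tab-separated export of receive time, event source and raw message (a constructed layout, not Sentinel's raw data format), and `find_duplicates` is a hypothetical helper name:

```python
import hashlib
from collections import defaultdict

# Constructed sample records: "<receive time>\t<event source>\t<raw message>".
# This layout is an assumption for the example, not Sentinel's raw data format.
LOGIN = "Feb  3 09:44:01 rhel01 sshd[2211]: Accepted password for alice from 10.0.0.5"
SAMPLE = "\n".join(
    [f"2016-02-03T09:44:{s:02d}Z\trhel01\t{LOGIN}" for s in range(1, 5)]
    + ["2016-02-03T09:44:05Z\trelay02\t" + LOGIN,
       "2016-02-03T09:45:10Z\twin07\tEventID=4624 user=bob logon_type=3",
       "truncated line without fields"]
)


def find_duplicates(text, min_count=2):
    """Group raw records by message digest and report the repeated ones."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "times": []})
    skipped = 0
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            skipped += 1  # malformed or truncated record, counted but not grouped
            continue
        received, source, raw = parts
        # Byte-identical raw messages hash to the same key, whatever the source.
        group = groups[hashlib.sha256(raw.encode("utf-8")).hexdigest()]
        group["count"] += 1
        group["sources"].add(source)
        group["times"].append(received)
        group["raw"] = raw
    report = []
    for group in groups.values():
        if group["count"] >= min_count:
            report.append({
                "raw": group["raw"],
                "count": group["count"],
                "sources": sorted(group["sources"]),
                # Answers "did they really all come from that one system?"
                "single_source": len(group["sources"]) == 1,
                "first": min(group["times"]),  # ISO 8601 UTC sorts as text
                "last": max(group["times"]),
            })
    report.sort(key=lambda r: r["count"], reverse=True)
    return report, skipped


if __name__ == "__main__":
    dupes, bad = find_duplicates(SAMPLE)
    for d in dupes:
        print(f'{d["count"]}x via {d["sources"]} from {d["first"]} to {d["last"]}: {d["raw"]}')
    print("skipped malformed lines:", bad)
```

A repeated message whose `sources` list holds more than one entry was picked up through more than one event source, which narrows where to look before opening a support case.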

Anonymous_User Absent Member.

Re: Duplicated events collected on Sentinel server.


Hi,

Thank you for the answer and suggestion. It's extremely hard to catch it
at the network level since it happens once per week (more or less).
Because the customer had a very old Red Hat system, I thought that was the
root cause. It turned out it isn't: Red Hat was upgraded, and at the same
time we noticed a very similar problem on the Windows collector script and
also on the SAP collector script. My current understanding is that the root
cause is somewhere between the physical cable and the CM engine.


--
arekmacak
Anonymous_User Absent Member.

Re: Duplicated events collected on Sentinel server.


Hi,
This issue with a large number of duplicate events seems quite unusual,
and I haven't come across it. If you find the same set of duplicate events
in the raw data too, then it seems the problem could be outside of the
system as well. However, you could report an SR for this so that technical
support can review this issue and do the needful.


--
vrajasekhar