I am doing a new deployment of Security Analytics which has 4 appliances, a decoder, concentrator, hybrid and SA server with broker. I upgraded the appliances from 10.5 to 10.5.1 then finally to 10.5.1.2. Collection on the decoders stops after about 5 - 10 minutes of service restart. So if I restart the service every 20 minutes I will have data every time. At times collection can start on its own hours later and stop again. I have checked everything. In case you are wondering yes, all services are set to auto start.
Thank you for responding. This was caused by parsers. After disabling all parsers and only enabling a few, the appliances have been collecting for packets for over 48 hours. Now the question is how do I find out which parsers are problematic without having to enable one by one till i find it?
Thank you for responding. This was caused by parsers. After disabling all parsers and only enabling a few, the appliances have been collecting for packets for over 48 hours. Now the question is how do I find out which parsers are problematic without having to enable one by one till i find it?
When it stops, do you see any corresponding messages in the /var/log/messages, on that packet device? We can also look at the /var/lib/netwitness/uax/logs/sa.log on the sa server to verify that we have no parser errors.
This was a totally new installation. The 1st thing I did before even colecting data was to download Lua_Parsers. So i dont know if it would have worked fine without the Lua parsers
No, its not a LUA parser. The problem is with one of the pre-installed parsers, the network parsers. Now am trying to figure out how to get it to work.
