"GZ error -3" errors in the Journal files

book

Article ID: 166566

calendar_today

Updated On:

Products

Reporter

Issue/Introduction

My Reporter server is configured to receive streaming connections from the Secure Gateway ( SG) appliances, and they are seeing this error in the journal logs. What do they mean?

BCRJ:2009-09-24 16:02:50 (4abb27aa) ALW.ERRO.LOGSO
   src/sg_logreader.cpp,2846,
      worker_thread_43c05960(1136679264),,
   Unzip log source 'BCLOG:ProxySG1' failed with GZ error -3
BCRJ:2009-09-24 16:02:50 (4abb27aa) ALW.ERRO.LOGSO
   src/sg_logreader.cpp,2846,
      worker_thread_43c05960(1136679264),,
   Unzip log source 'BCLOG:ProxySG1' failed with GZ error -3
BCRJ:2009-09-24 16:02:50 (4abb27aa) ALW.ERRO.LOGSO
   src/sg_profile.cpp,4188,
      worker_thread_43c05960(1136679264),,
   Fatal log processing error stopped log source 'BCLOG:ProxySG1'

 

Resolution

IN this configuration, the SG  is configured for a upload client type of  "Bluecoat Reporter client".  Here the SG has no access log file , either on the SG, or on the Reporters file system.  The GZ unzip error, therefore, comes from Reporter unzipping the streamed file  on the fly, and injecting the data directly into the database.  The first two messages above show an failed attempt, by Reporter, to unzip the file it received from the SG.  The last message indicates that the  log source has unloaded , as a result.

These journal entries shows that ProxySG1 is unable to unzip the data being sent by the SG. Reporter will forgive one GZ failure during the loaded lifetime of any SGP, but the second GZ failure will cause the SGP to unload to show that the data is not being handled correctly, causing Reporter to be unable to record an accurate view of the customer's data.

Customers might see more of these errors with Reporter, version 9.1.x, than they saw with Reporter, version 8,  because it is more stringent on errors now.  This is done to protect any bad data being injected into the Database.   

NOTE1: In tests we saw in our QA labs for Reporter, version 9.1.x, the only time saw these symptoms was  when there really was something wrong with the data stream, either the SG hardware, SG software, the Ethernet layer, or the SGP software.

.

Troubleshooting tips: 

  • We do not recommend switching the connection between 'text' mode and "Zipped' as a means to troubleshoot this symptom, as causes the Reporter software to get even more out-of-sync with the SG connection. The best advice we can give to troubleshoot this symptom is to take a LAN trace ( PCAP) of the interaction to see where the network errors are.
  • In some cases, where this error seems to be persist ant , turning off the bluecoat Reporter client on the SG, and then turning it back on  has alleviated this symptom.
  • You may also  want to delete any existing remnant  log from your ProxySG  so you can start fresh. 
    • Heres' how to to it if you are streaming the log called "MAIN".
      Using the terminal interface, execute these commands.
      Blue Coat SG200 Series#config t
      Blue Coat SG200 Series#(config)access-log
      Blue Coat SG200 Series#(config access-log)edit log main
      Blue Coat SG200 Series#(config log main)commands delete-logs
      Note: Just "rinse and repeat"  for all other LOG names. Don’t get confused between LOG names and Log types.

NOTE2:  For information regarding the GZ error -5, using the same streaming configuration, see 000014964