Security Analytics Central Manager (CMC) does not display for Alerts, Summary, Total Alerts By Sensor
Article ID: 168938
Updated On:
Products
Security Analytics
Issue/Introduction
This problem happens when the time between the CMC and Sensor is not synchronized.
The following can be observed from the postgresql.log file :
The following can be observed from the postgresql.log file :
2016-01-15 15:24:15 UTC [32218]: [1-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: duplicate key value violates unique constraint "notification_alerts_pkey"
2016-01-15 15:24:15 UTC [32218]: [2-1] db=dsweb,user=dsweb,app=POST::/central_manager/import DETAIL: Key (uuid)=(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) already exists.
2016-01-15 15:24:15 UTC [32218]: [3-1] db=dsweb,user=dsweb,app=POST::/central_manager/import STATEMENT: INSERT INTO "public"."notification_alerts" ("alert_time", "importance", "modified_date", "import_id", "endpoint_providers", "notification_string", "time", "appliance_id", "favorite_action_uuid", "parent_id", "old_id", "old_parent_id", "source_ip", "source_port", "source_mac", "destination_ip", "destination_port", "destination_mac", "session_id", "flow_id", "uuid", "name", "description", "match_criteria") VALUES ('2015-11-28 23:14:48+00', 2, '2015-11-28 23:16:44.415307+00', 0, 0, '', '2015-11-28 15:16:44.415307', 2, 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', NULL, 30938, NULL, '172.22.22.22', 61196, 'xx:xx:xx:xx:xx:xx', '10.10.10.10', 80, 'xx:xx:xx:xx:xx:xx', 2, 14332657183, 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', '', '', '')
2016-01-15 15:24:15 UTC [32218]: [4-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: current transaction is aborted, commands ignored until end of transaction block
2016-01-15 15:24:15 UTC [32218]: [5-1] db=dsweb,user=dsweb,app=POST::/central_manager/import STATEMENT: DEALLOCATE pdo_stmt_00001061
Cause
This problem happens when the time between the CMC and Sensor is not synchronized.
Resolution
The quickest solution is to disconnect (via the Web Interface) all sensors from the CMC and then reconnect them. Disconnecting the sensors should cause the CMC to clear that sensor's data (including alerts) from the CMC databases.
When the Sensors are then reconfigured/reconnected, they will resynchronize their individual database tables to the CMC. No data should be lost because the original data on the sensors is not cleared -- only the synchronized data on the CMC should be cleared and then resynchronized.
When the Sensors are then reconfigured/reconnected, they will resynchronize their individual database tables to the CMC. No data should be lost because the original data on the sensors is not cleared -- only the synchronized data on the CMC should be cleared and then resynchronized.
Feedback
Powered by
