Security Analytics Central Manager (CMC) does not display for Alerts, Summary, Total Alerts By Sensor

Article Id: 168938

Status: Published

Updated On: 13-05-2017 12:10

Legacy Id: TECH245707

Products:

Security Analytics

Issue/Introduction:

This problem happens when the time between the CMC and Sensor is not synchronized.

The following can be observed from the postgresql.log file :

2016-01-15 15:24:15 UTC [32218]: [1-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: duplicate key value violates unique constraint "notification_alerts_pkey"
2016-01-15 15:24:15 UTC [32218]: [2-1] db=dsweb,user=dsweb,app=POST::/central_manager/import DETAIL: Key (uuid)=(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) already exists.
2016-01-15 15:24:15 UTC [32218]: [3-1] db=dsweb,user=dsweb,app=POST::/central_manager/import STATEMENT: INSERT INTO "public"."notification_alerts" ("alert_time", "importance", "modified_date", "import_id", "endpoint_providers", "notification_string", "time", "appliance_id", "favorite_action_uuid", "parent_id", "old_id", "old_parent_id", "source_ip", "source_port", "source_mac", "destination_ip", "destination_port", "destination_mac", "session_id", "flow_id", "uuid", "name", "description", "match_criteria") VALUES ('2015-11-28 23:14:48+00', 2, '2015-11-28 23:16:44.415307+00', 0, 0, '', '2015-11-28 15:16:44.415307', 2, 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', NULL, 30938, NULL, '172.22.22.22', 61196, 'xx:xx:xx:xx:xx:xx', '10.10.10.10', 80, 'xx:xx:xx:xx:xx:xx', 2, 14332657183, 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', '', '', '')
2016-01-15 15:24:15 UTC [32218]: [4-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: current transaction is aborted, commands ignored until end of transaction block
2016-01-15 15:24:15 UTC [32218]: [5-1] db=dsweb,user=dsweb,app=POST::/central_manager/import STATEMENT: DEALLOCATE pdo_stmt_00001061

Cause:

This problem happens when the time between the CMC and Sensor is not synchronized.

Resolution:

The quickest solution is to disconnect (via the Web Interface) all sensors from the CMC and then reconnect them. Disconnecting the sensors should cause the CMC to clear that sensor's data (including alerts) from the CMC databases.

When the Sensors are then reconfigured/reconnected, they will resynchronize their individual database tables to the CMC. No data should be lost because the original data on the sensors is not cleared -- only the synchronized data on the CMC should be cleared and then resynchronized.