Security Analytics Central Manager (CMC) does not display for Alerts, Summary, Total Alerts By Sensor

Article ID: 168938

Products

Security Analytics

Issue/Introduction

This problem occurs when the time on the CMC and the time on the Sensor are not synchronized.

The following errors can be observed in the postgresql.log file:
2016-01-15 15:24:15 UTC [32218]: [1-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: duplicate key value violates unique constraint "notification_alerts_pkey"
2016-01-15 15:24:15 UTC [32218]: [2-1] db=dsweb,user=dsweb,app=POST::/central_manager/import DETAIL: Key (uuid)=(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) already exists.
2016-01-15 15:24:15 UTC [32218]: [3-1] db=dsweb,user=dsweb,app=POST::/central_manager/import STATEMENT: INSERT INTO "public"."notification_alerts" ("alert_time", "importance", "modified_date", "import_id", "endpoint_providers", "notification_string", "time", "appliance_id", "favorite_action_uuid", "parent_id", "old_id", "old_parent_id", "source_ip", "source_port", "source_mac", "destination_ip", "destination_port", "destination_mac", "session_id", "flow_id", "uuid", "name", "description", "match_criteria") VALUES ('2015-11-28 23:14:48+00', 2, '2015-11-28 23:16:44.415307+00', 0, 0, '', '2015-11-28 15:16:44.415307', 2, 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', NULL, 30938, NULL, '172.22.22.22', 61196, 'xx:xx:xx:xx:xx:xx', '10.10.10.10', 80, 'xx:xx:xx:xx:xx:xx', 2, 14332657183, 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', '', '', '')
2016-01-15 15:24:15 UTC [32218]: [4-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: current transaction is aborted, commands ignored until end of transaction block
2016-01-15 15:24:15 UTC [32218]: [5-1] db=dsweb,user=dsweb,app=POST::/central_manager/import STATEMENT: DEALLOCATE pdo_stmt_00001061
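
To check whether a postgresql.log contains this signature, the following added example (not part of the original article or the product) counts duplicate-key errors on "notification_alerts_pkey" raised by the /central_manager/import endpoint. It assumes the line prefix format shown in the excerpt above; the last two sample lines, including the "GET::/alerts" endpoint and "other_pkey" constraint, are constructed.

```python
import re

# Line prefix as it appears in the excerpt above:
# "<date> <time> UTC [pid]: [n-m] db=..,user=..,app=.. LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC \[(?P<pid>\d+)\]: "
    r"\[\d+-\d+\] db=[^,]*,user=[^,]*,app=(?P<app>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
DUP_RE = re.compile(r'duplicate key value violates unique constraint "([^"]+)"')

def summarize_import_conflicts(lines, constraint="notification_alerts_pkey",
                               app_suffix="/central_manager/import"):
    """Summarize duplicate-key errors raised by the CMC import endpoint.

    Returns None when the signature is absent, otherwise a dict with the
    error count, first/last timestamp and the backend PIDs involved.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m["level"] != "ERROR" or not m["app"].endswith(app_suffix):
            continue
        dup = DUP_RE.search(m["msg"])
        if dup and dup.group(1) == constraint:
            hits.append((m["ts"], int(m["pid"])))
    if not hits:
        return None
    stamps = sorted(ts for ts, _ in hits)
    return {"count": len(hits), "first": stamps[0], "last": stamps[-1],
            "backends": sorted({pid for _, pid in hits})}

# Constructed sample: lines 1-3 follow the excerpt above, lines 4-5 are made up
# (a repeat from another backend, and an unrelated error that must be ignored).
SAMPLE_LOG = """\
2016-01-15 15:24:15 UTC [32218]: [1-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: duplicate key value violates unique constraint "notification_alerts_pkey"
2016-01-15 15:24:15 UTC [32218]: [2-1] db=dsweb,user=dsweb,app=POST::/central_manager/import DETAIL: Key (uuid)=(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) already exists.
2016-01-15 15:24:15 UTC [32218]: [4-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: current transaction is aborted, commands ignored until end of transaction block
2016-01-15 15:29:15 UTC [32301]: [1-1] db=dsweb,user=dsweb,app=POST::/central_manager/import ERROR: duplicate key value violates unique constraint "notification_alerts_pkey"
2016-01-15 15:30:02 UTC [32310]: [1-1] db=dsweb,user=dsweb,app=GET::/alerts ERROR: duplicate key value violates unique constraint "other_pkey"
""".splitlines()

if __name__ == "__main__":
    print(summarize_import_conflicts(SAMPLE_LOG))
```

A result of None means the log does not show this article's signature. A count that keeps growing after the sensors are reconnected means the imports are still failing.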

 

Cause

This problem occurs when the time on the CMC and the time on the Sensor are not synchronized.

Resolution

The quickest solution is to disconnect (via the Web Interface) all sensors from the CMC and then reconnect them. Disconnecting the sensors should cause the CMC to clear that sensor's data (including alerts) from the CMC databases.

When the Sensors are then reconfigured/reconnected, they will resynchronize their individual database tables to the CMC. No data should be lost because the original data on the sensors is not cleared -- only the synchronized data on the CMC should be cleared and then resynchronized.