Verifying that the LCS agent is obtaining login information and sending data

Article ID: 171299

Products

Security Analytics

Issue/Introduction

Would like to find out whether the Login Correlation Service (LCS) agent is actually obtaining the login information from the domain controller and actually sending that data to Security Analytics.

Which log should we refer to?

Resolution

On the domain controller side, DomainLogonWatcher.log is the only agent log file: if the agent is not seeing logons at all, that is where it shows.

On the SA (Security Analytics) appliance, first check for an established TCP connection from the LCS agent to adlistenerd, the daemon that receives the agent's logon events (here the agent is 10.131.41.244 and the SA listens on 10.131.40.55 port 8843):

[root@SA ~]# lsof -n -P -p $(pidof adlistenerd) | grep ESTABLISHED
adlistene 9876 root 17u IPv6 18508 0t0 TCP 10.131.40.55:8843->10.131.41.244:59848 (ESTABLISHED)

Then confirm that data is actually flowing over that connection with tcpdump (substitute the SA's real capture interface for eth0 if it differs). The small pushes from the agent side and the acknowledgements and reply from the SA side below are what a working agent looks like:
[root@SA ~]# tcpdump -n -s 0 -i eth0 tcp port 8843
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:07:49.167075 IP 10.131.41.244.59848 > 10.131.40.55.8843: P 2740031930:2740032004(74) ack 4123130458 win 251
13:07:49.167269 IP 10.131.41.244.59848 > 10.131.40.55.8843: P 74:148(74) ack 1 win 251
13:07:49.167286 IP 10.131.40.55.8843 > 10.131.41.244.59848: . ack 148 win 330
13:07:49.167416 IP 10.131.41.244.59848 > 10.131.40.55.8843: P 148:222(74) ack 1 win 251
13:07:49.167612 IP 10.131.41.244.59848 > 10.131.40.55.8843: P 222:328(106) ack 1 win 251
13:07:49.167625 IP 10.131.40.55.8843 > 10.131.41.244.59848: . ack 328 win 330
13:07:49.167671 IP 10.131.40.55.8843 > 10.131.41.244.59848: P 1:91(90) ack 328 win 330

Finally, make adlistenerd dump its counters by sending it SIGUSR2:
[root@SA ~]# kill -USR2 $(pidof adlistenerd)

Shortly afterwards, lines like these appear in /var/log/messages. The values to look at are the number of clients connected, the "Client connected from" address (it should be the agent's IP) and the "logon events handled" counter, which has to be increasing between two dumps if the agent is sending data:
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: Received SIGUSR2 
Mar 21 13:16:04 SA proxysg handled_events_count = 0, ip_user_cache_hits = 0, ip_user_cache_misses = 0, user_memcache_hits = 0, user_memcache_misses= 0, delayed events = 0, Number of users in cache = 0, number of items in expiry list = 0, Number of events in last min = 0
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: Number of threads = 2
Mar 21 13:16:04 SA Number of servlets in pool [0] = 0
Mar 21 13:16:04 SA Number of servlets in pool [1] = 0
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: 1 clients connected
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: ***x---
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: Client connected from ::ffff:10.131.41.244:59848 to instance 0x6ef1a0
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: ADC Servlet 0x6ef1a0
Mar 21 13:16:04 SA total events handled = 41417 logon events handled = 17 logoff events handled = 0
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: ---x---
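The three SA-side checks above, combined into one script, as an added example; this is not code from the Security Analytics product or from the article. It takes the port (8843), the log file (/var/log/messages) and the wording of the counter lines from the output shown above, and assumes eth0 as the capture interface. Run without arguments it only parses a constructed copy of the SIGUSR2 lines, so the parser can be tried on any host; with --live, as root on the SA, it runs the real procedure.

```shell
#!/bin/sh
# Added example (not part of Security Analytics): a checker for the adlistenerd
# side of the Login Correlation Service.  Port, log file and counter wording
# come from the article's sample output; the interface name is an assumption.
ADLISTENER_PORT=8843
CAPTURE_IFACE=eth0
MESSAGES_LOG=/var/log/messages

# Constructed sample of the lines adlistenerd writes after SIGUSR2 (copied from
# the output above) so the parser can be exercised on any host, not only the SA.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: Received SIGUSR2
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: 1 clients connected
Mar 21 13:16:04 SA /usr/sbin/adlistenerd[9876]: Client connected from ::ffff:10.131.41.244:59848 to instance 0x6ef1a0
Mar 21 13:16:04 SA total events handled = 41417 logon events handled = 17 logoff events handled = 0
EOF
}

# Reduce the most recent SIGUSR2 dump in a syslog file to one line:
#   clients=<n> logon=<n> logoff=<n> total=<n>
# Later dumps overwrite earlier ones, so a long-lived log still yields current values.
lcs_stats_summary() {
    awk '
        /clients connected/ { clients = $(NF-2) }
        /logon events handled =/ {
            for (i = 1; i < NF; i++) {
                if ($i == "total"  && $(i+1) == "events") total  = $(i+4)
                if ($i == "logon"  && $(i+1) == "events") logon  = $(i+4)
                if ($i == "logoff" && $(i+1) == "events") logoff = $(i+4)
            }
        }
        END { printf "clients=%d logon=%d logoff=%d total=%d\n", clients, logon, logoff, total }
    ' "$1"
}

# Succeed only when an agent is connected AND logon events have been handled.
# A connected agent with zero logon events is not sending data (or the DC sees
# no logons), which DomainLogonWatcher.log on the DC is the place to confirm.
lcs_agent_ok() {
    summary=$(lcs_stats_summary "$1")
    clients=${summary#clients=}; clients=${clients%% *}
    logon=${summary#*logon=};    logon=${logon%% *}
    [ "$clients" -gt 0 ] && [ "$logon" -gt 0 ]
}

# The live, root-only procedure from the article, in order: established
# connection, a short capture on the listener port, SIGUSR2, then the counters.
lcs_live_check() {
    pid=$(pidof adlistenerd) || { echo "adlistenerd is not running" >&2; return 2; }
    echo "== established agent connections to adlistenerd (pid $pid) =="
    lsof -n -P -p "$pid" | grep ESTABLISHED \
        || echo "(none: check the agent on the DC and the Allow All Agent IPs setting)"
    echo "== next 10 packets on tcp/$ADLISTENER_PORT (30 s limit so an idle link cannot hang us) =="
    timeout 30 tcpdump -n -s 0 -i "$CAPTURE_IFACE" -c 10 tcp port "$ADLISTENER_PORT" 2>/dev/null || true
    echo "== counters after SIGUSR2 =="
    kill -USR2 "$pid"
    sleep 2
    lcs_stats_summary "$MESSAGES_LOG"
    if lcs_agent_ok "$MESSAGES_LOG"; then
        echo "agent connected and logon events are being handled"
    else
        echo "agent is NOT delivering logon events" >&2
        return 1
    fi
}

# Usage:  sh lcs_check.sh --live     (as root on the SA)
# Without --live, parse the constructed sample so the script can be tried anywhere.
case "${1:-}" in
    --live) lcs_live_check ;;
    *)      tmp=$(mktemp); write_sample_log "$tmp"; lcs_stats_summary "$tmp"; rm -f "$tmp" ;;
esac
```

Run it twice a minute or so apart during --live checks: the "logon" figure must grow between runs, otherwise the agent is connected but idle.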

If no connection shows up at all, check Settings->Security->Login Correlation Service in the SA's web UI, where you'll find a checkbox labeled "Allow All Agent IPs". It was ticked (enabled) on the SA from which the above troubleshooting examples were taken; if it is not ticked, the agent's IP address must be among the agent IPs the SA permits, or the connection shown above will never be established. Bear in mind that leaving it ticked accepts any host that can reach the SA on TCP port 8843 as an agent, so restrict the agent IPs again once troubleshooting is finished.