Check whether the report server is defined and its status is "OK" under Reports --> Report Servers
If there is no report server defined - verify that report server was installed (via ci_infra/report_server/install.sh) and add it.
If the machine is single-boxed, set the IP to 169.254.0.1.If the machine is defined but the status isn't "OK", verify networking to the machine and see the status of the report server docker.
Check whether activity logs are generated on the machines by running tail -f /var/log/fireglass_activity.log.
Every gateway (Proxy/TIE) generates its own fireglass_activity.log file and it is then transferred to the report server.
Check the time on the client machine that is connected to the MGMT UI.
The query that we send to the elasticsearch is derived from the time of the machine + the time period defined in the UI (Last X days/hours).If the machine is X minutes behind, the logs in the past X minutes will not be shown.
See if there is an ArcSight log forwarding (in management - under Log Forwarding).
Try deleting the ArcSight server, push settings and see if there are logs.
Find the logstash container (docker ps | grep logstash) in the management gateway.
Inside the container (docker exec -it CONTAINER_ID bash) - view logstash' logs under /var/log/logstash/stdout.log
It should give you a hint what's wrong.
If you see in logstash stdout.log 'wrong password' - we need to find which redis server is fail to connect.
Take a script called "troubleshoot_logstash_redis_config.js" under ci_infra/debug_scripts.
Run it with logstash configuration and see which Redis server fails to connect.