Activity logs show No results

Article ID: 171756

Products

Web Isolation

Issue/Introduction

Activity logs are empty.

Resolution

  1. Check whether the report server is defined and its status is "OK" under Reports --> Report Servers.
    1. If no report server is defined, verify that the report server was installed (via ci_infra/report_server/install.sh) and add it.
    2. If the machine is single-boxed, set the IP to 169.254.0.1.
    3. If the machine is defined but its status isn't "OK", verify network connectivity to the machine and check the status of the report server Docker container.
  2. Check whether activity logs are generated on the machines by running tail -f /var/log/fireglass_activity.log.
    1. Every gateway (Proxy/TIE) generates its own fireglass_activity.log file and it is then transferred to the report server.
  3. Check the time on the client machine that is connected to the MGMT UI.
    1. The query we send to Elasticsearch is derived from the client machine's time plus the time period selected in the UI (Last X days/hours). If the client machine's clock is X minutes behind, logs from the past X minutes will not be shown.
  4. See if there is an ArcSight log forwarding (in management - under Log Forwarding).
    1. Try deleting the ArcSight server, push settings and see if there are logs.
  5. Find the logstash container (docker ps | grep logstash) in the management gateway.
    1. Inside the container (docker exec -it CONTAINER_ID bash), view the Logstash logs under /var/log/logstash/stdout.log.
    2. It should give you a hint about what's wrong.
  6. If you see 'wrong password' in the Logstash stdout.log, find which Redis server Logstash fails to connect to.
    1. Take the script "troubleshoot_logstash_redis_config.js" under ci_infra/debug_scripts.
    2. Run it with logstash configuration and see which Redis server fails to connect.
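As an added example (not the page's or the product's own troubleshoot_logstash_redis_config.js script), this Python stand-in does what step 6 describes: it pulls every redis {} block out of a Logstash configuration and probes each server over the Redis RESP wire protocol, reporting per server whether it is reachable and whether the configured password is accepted. It assumes the standard Logstash redis plugin syntax (host, port and password settings); the sample configuration in the block is constructed.

```python
"""Constructed stand-in for step 6 (not the product's own
troubleshoot_logstash_redis_config.js): parse redis {} blocks out of a
Logstash config and probe each server over the Redis RESP protocol."""
import re
import socket

# Standard Logstash redis plugin syntax: redis { host => "..." port => N password => "..." }
BLOCK_RE = re.compile(r"redis\s*\{([^}]*)\}")
SETTING_RE = re.compile(r"(\w+)\s*=>\s*(?:\"([^\"]*)\"|'([^']*)'|(\d+))")


def parse_redis_blocks(config_text):
    """Return one dict (host, port, password) per redis {} block found."""
    blocks = []
    for m in BLOCK_RE.finditer(config_text):
        settings = {k: dq or sq or num for k, dq, sq, num in SETTING_RE.findall(m.group(1))}
        blocks.append({"host": settings.get("host", "127.0.0.1"),
                       "port": int(settings.get("port", 6379)),
                       "password": settings.get("password")})
    return blocks

def resp_command(*args):
    """Encode a command as a RESP array of bulk strings (the Redis wire format)."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)

def check_redis(host, port, password, timeout=3.0):
    """Probe one server: returns (status, detail), status being
    'ok', 'wrong_password', 'unreachable' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if password:
                s.sendall(resp_command("AUTH", password))
                reply = s.recv(256).decode(errors="replace").strip()
                if not reply.startswith("+OK"):  # -WRONGPASS or -ERR invalid password
                    return "wrong_password", reply
            s.sendall(resp_command("PING"))
            reply = s.recv(64).decode(errors="replace").strip()
            return ("ok" if reply.startswith("+PONG") else "error"), reply
    except OSError as exc:  # refused, timed out, unresolvable, no route
        return "unreachable", str(exc)

if __name__ == "__main__":
    # Constructed sample config, not a real deployment's file.
    SAMPLE = 'input { redis { host => "10.0.0.5" port => 6379 password => "s3cret" key => "logstash" } }'
    for blk in parse_redis_blocks(SAMPLE):
        print(blk["host"], blk["port"], *check_redis(blk["host"], blk["port"], blk["password"]))
```

Point it at the configuration mounted into the logstash container; a 'wrong_password' result names the Redis server whose credentials need fixing, while 'unreachable' points at networking between the gateways.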