The Event Archive is missing

Article ID: 177377

Products

Security Information Manager

Issue/Introduction

The Event Archive is missing.

Symptoms
Symantec Security Information Manager (SSIM) does not collect any events.

Queries that you run show that either there are no events, or all the events are very old.

In the SSIM console, go to Statistics. Notice that Event Archive Data is not present in the Database Space area, and that the Event Service tab is also gone.

When you run df -k from the Linux prompt, it is likely to show an event archive partition called "/eventarchive" that is partially used. If you explore the event archive partition on the local drive, you may find old events, but no new events.

Cause

This can happen when an external storage device was at one time connected, and is now disconnected.

Resolution

The best way to solve this problem is to reconnect the external storage device.

If you are not sure whether an external storage device was ever connected, this Knowledge Base document helps you find out.

How to detect that an external storage device is connected to the SSIM:

    1. Connect to the appliance with an SSH client and log in as db2admin.
    2. Go to the archives directory with this command: cd /opt/Symantec/simserver/simcm/archives
    3. List the contents of the directory with this command: ls
    4. If you see more than one DefaultArchive.cfg file, an external storage device was set up on this appliance.
    5. View the path for the current archive configuration with the command: cat DefaultArchive.cfg

Note: The "Location" tag indicates the path to the currently active event archive; "/eventarchive" is the default setting.

To restore event collection to the local drive, you can try replacing the existing default archive configuration file with the old one that contains the default setup.

To do so:

    1. Change to the root user with the command: su -
       Type the correct password when prompted. Note that su - starts a new login shell in root's home directory, so change back to the archives directory (cd /opt/Symantec/simserver/simcm/archives) before step 4.
    2. Run the command: service sesagentd stop
    3. Run the command: service sesevents stop
    4. Rename the current file with the command: mv DefaultArchive.cfg DefaultArchive.Old
    5. Copy the old DefaultArchive file that has the default settings into place as the active one with the command:

       cp <the name of the archive file with default settings> DefaultArchive.cfg

    6. Run the command: service sesevents start
    7. Run the command: service sesagentd start
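The detection steps above, scripted as one check that can be run before deciding whether to reconnect the device or swap the configuration file (an added example, not part of the Symantec article). It uses the archives directory path from the article; the Location tag format, the constructed sample directory and the mount check via /proc/mounts are assumptions:

```shell
#!/bin/sh
# Added diagnostic for the SSIM event archive (example code, not from the
# Symantec article). The archives directory path is the one the article gives;
# the config format is an ASSUMPTION: a <Location>/path</Location> tag
# (a "Location=/path" line is accepted as well).

# Extract the Location value from one archive config file.
archive_location() {
    sed -n -e 's/.*<Location>\([^<]*\)<\/Location>.*/\1/p' \
           -e 's/^Location=\(.*\)$/\1/p' "$1" | head -n 1
}

# Number of DefaultArchive* files in the archives directory; more than one
# means an external storage device was set up at some point (article step 4).
count_archive_configs() {
    ls "$1"/DefaultArchive* 2>/dev/null | wc -l | tr -d ' '
}

# True when the path exists and is an active mount point (listed in
# /proc/mounts), which a disconnected external device no longer satisfies.
is_mounted() {
    [ -d "$1" ] && grep -qs " $1 " /proc/mounts
}

# Classify the active archive: prints local, external-ok or external-missing.
diagnose_archive() {
    loc=$(archive_location "$1/DefaultArchive.cfg")
    if [ "$loc" = "/eventarchive" ]; then
        echo local
    elif is_mounted "$loc"; then
        echo external-ok
    else
        echo external-missing   # the symptom this article describes
    fi
}

# Constructed sample: an archives directory as it looks after an external
# device was configured and then unplugged. Prints the directory path.
make_sample_archives_dir() {
    d=$(mktemp -d)
    printf '<Location>/eventarchive</Location>\n' > "$d/DefaultArchive.cfg.orig"
    printf '<Location>/mnt/constructed-external-archive</Location>\n' > "$d/DefaultArchive.cfg"
    echo "$d"
}
```

On the appliance, run diagnose_archive /opt/Symantec/simserver/simcm/archives as db2admin; a result of external-missing matches the cause described in this article.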


If this does not work, restart the appliance.

If that does not work, you must reinstall the SSIM following the instructions in the Installation Guide:
SSIM 4.5 Installation Guide




Technical Information
In SSIM 4.5 a local event archive is always created. If an external storage device is connected at a later time and then disconnected, it is difficult to determine that the external device ever existed.

When the device is connected, the initialization script detects it and configures the event archive on that external device. If the device is then disconnected, the mount point for the event archive is invalid and the event archive does not appear in the SSIM console.