On a detection server running FileReader, you observe that although it appears to be processing messages, no incidents are generated. In the ContentExtractionHost_FileReader log you see the following events:
04/07/21 09:18:47 | ERROR | cehost | Verity  |  | Failed to create temporary directory. Last Error: No such file or directory | ../Platform.c (103)
04/07/21 09:18:47 | ERROR | cehost | Verity  |  | Could not initialize the Verity CEA plugin: Failed to create temporary directory | src/VerityImplInternal.c (153)
04/07/21 09:18:47 | WARN | cehost | CEPluginManager  |  | Failed to load Verity. Error: Plugin Startup - Initialization of plugin Verity failed. retVal = 1, context = 0. Skipping this plugin | CEPluginManager.cpp (252)
This issue can occur on Linux based detection server when the disk that CEH (ContentExtractionHost) is using to extract files to runs out of space. This may happen due to limited drive space and high volume of large files.
It may also happen if CEH has crashed while extracting files and tmp files are left behind and not cleaned out.
When the disk is out of space and temporary files can no longer be created, FileReader continues to process messages, but because all extraction fails, no real detection takes place.
This can be caused by multiple issues:
If you see the following messages verify there are multiple Enforce servers:
May 9, 2022 3:41:49 AM com.vontu.communication.transport.ChannelManager handleOperationSuccess
WARNING: Replaced connection for: controller-server and the remote IP for the old connection is: /192.168.1.50. There might be another client connecting to this channel.