Data Center Security Agents are not sending events to the DCS Manager


Article ID: 223531


Updated On:

Products

Data Center Security Server Advanced
Data Center Security Server

Issue/Introduction

When you notice that the Manager is not receiving any events from the DCS agent and you see that the events are queuing up on the agent, follow this article to resolve the issue.

Cause

This is caused by a stuck pointer file: it is trying to send an old event CSV that doesn't exist, or one that was already sent without the pointer file being updated afterwards.

Environment

Release : 6.8.x +

Resolution

Collect the agent logs.
From the log bundle, open the /var/log/sdcsslog/IPS/hidslog1rtfilepointer file in Notepad to see which SISRTEvents*.csv file the agent is trying to send to the Manager.
Navigate to the /var/log/sdcsslog location to see whether you have an abundance of SISIDSEvents*.csv files, and verify whether the .csv file named in hidslog1rtfilepointer is an old file that the pointer is stuck on.

If it appears to be stuck on an old .csv file then move forward to the resolution below.
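
The check described above can be scripted on a Linux agent. This is an added example, not code from the vendor or from this article. It assumes the pointer file holds the CSV name as readable text; the function names and the MAX_NEWER threshold are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. ASSUMPTION: the pointer file holds the name
# of the event CSV as readable text (the article reads it in a text editor).
# MAX_NEWER is an arbitrary illustrative threshold, not a vendor value.
MAX_NEWER=${MAX_NEWER:-5}

# Print the first *.csv name found in the pointer file (directory stripped).
pointer_target() {
    tr -d '\000\r' < "$1" | grep -aEo '[A-Za-z0-9_.-]+\.csv' | head -n 1
}

# Count event CSVs in $1 (SISRTEvents*/SISIDSEvents*); with $2, only files newer than $2.
count_csvs() {
    if [ -n "${2:-}" ]; then
        find "$1" -maxdepth 1 -type f -name 'SIS*Events*.csv' -newer "$2"
    else
        find "$1" -maxdepth 1 -type f -name 'SIS*Events*.csv'
    fi | wc -l | tr -d ' '
}

# check_pointer POINTER_FILE LOG_DIR -> returns 0 healthy, 1 stuck, 2 cannot tell
check_pointer() {
    ptr=$1; dir=$2
    [ -r "$ptr" ] || { echo "UNKNOWN: cannot read $ptr"; return 2; }
    target=$(pointer_target "$ptr")
    [ -n "$target" ] || { echo "UNKNOWN: no .csv name in $ptr"; return 2; }
    if [ ! -e "$dir/$target" ]; then
        echo "STUCK: $target is missing; $(count_csvs "$dir") CSV file(s) queued"
        return 1
    fi
    newer=$(count_csvs "$dir" "$dir/$target")
    if [ "$newer" -gt "$MAX_NEWER" ]; then
        echo "STUCK: $newer CSV file(s) newer than $target are waiting"
        return 1
    fi
    echo "OK: pointer is on $target with $newer newer CSV file(s)"
}

# Constructed sample: a pointer naming a CSV that is no longer on disk.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'SISIDSEvents-constructed-0001.csv' > "$tmp/hidslog1rtfilepointer"
    touch "$tmp/SISIDSEvents-constructed-0002.csv" "$tmp/SISIDSEvents-constructed-0003.csv"
    check_pointer "$tmp/hidslog1rtfilepointer" "$tmp"; rc=$?
    rm -rf "$tmp"; return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On an agent, call check_pointer with the pointer file path and the /var/log/sdcsslog directory named in this article; a return code of 1 corresponds to the "stuck on an old .csv file" condition.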

 

Windows Agents:

1. Stop the services from an Admin-level cmd prompt.

sisservicectrl stop sisidsservice

sisservicectrl stop sisipsservice

sisservicectrl stop sisipsutil

2. Delete the pointer file /opt/Symantec/sdcssagent/IPS/hidslog1rtfilepointer

3. Restart the services

sisservicectrl start sisidsservice

sisservicectrl start sisipsservice

sisservicectrl start sisipsutil

 

Linux Agents:

1. Stop the services
systemctl stop sisipsdaemon sisidsdaemon
2. Delete the pointer file
rm -f /opt/Symantec/sdcssagent/IPS/hidslog1rtfilepointer*
3. Start the services
systemctl start sisidsdaemon sisipsdaemon

Check the Manager to see if events are being sent.