search cancel

SIEM Agent goes to Disabled State

book

Article ID: 229407

calendar_today

Updated On:

Products

CASB Audit CASB Advanced Threat Protection CASB Security Advanced CASB Gateway Advanced

Issue/Introduction

SIEM Agent execution does not poll any logs, and the execution fails with a message like:

[[email protected]:/var/log]# grep "ERROR-SIEM" splunk_client.log | head -1
2021-11-16 18:00:01,196-Log_Exporter_Client-ERROR-SIEM Agent in disabled state.
[[email protected]:/var/log]# grep "ERROR-SIEM" splunk_client.log | tail -1
2021-11-29 16:00:01,448-Log_Exporter_Client-ERROR-SIEM Agent in disabled state.

 

Cause

When the SIEM agent gets too many negative responses for any reason it goes into a wait state, which get extended as the agent gets more error responses.

Errors like HTTP 400's or 500's response can cause this, it can be from an intermediary device (like a web proxy) or from the OCS/Cloudsoc

Resolution

Clear the last execution flag by running the agent manually and use the "-c" switch

 

Here is a brief deception of the "-c" switch:

c: is a flag that clears the agent status for the last request it issued to the CloudSOC servers. The agent maintains this status in two files named export_log.lock and last_job.status. It automatically removes these files when it is done. However, if the agent exits abnormally, it does not remove these files. This system ensures that the next time the agent starts, it continues from the point where it left off. When you remove these files, the agent issues a fresh request to the CloudSOC servers.

Additional Information

Here is the article on How to run the agent manually