Increasing the Event Queue on the Data Center Security Server Advanced Agent if the collector continues to get full

Article ID: 231728

Products

Data Center Security Server Advanced

Issue/Introduction

Possible Error Received:

STATUS:  2022-01-02 07:56:12.000 Z-0600 Filewatch Collector FWC_0033: File Collector configuration finalized: 6891 watched files 2 watched log files. Total number of files is: 6893. The File Collector files limit is: 25(k).
ERROR:   2022-01-02 07:56:42.000 Z-0600 Registry Collector RC_0013: Registry collector queue is full.  Events were lost.  Increase the queue size to avoid losing events.

Environment

Data Center Security Server Windows and Linux agents 6.8.2 and later

Cause

This happens when the agent is trying to process more events than the collector's queue can hold. The default queue size is 5000 events.

Resolution

Windows
1. Set a null policy
Open an Admin-level cmd prompt and run: sisipsconfig -r

2. Open an Admin-level cmd prompt and stop the Agent services
sisservicectrl stop sisidsservice
sisservicectrl stop sisipsservice
sisservicectrl stop sisipsutil

3. Open LocalAgent.ini
C:\Program Files (x86)\Symantec\Data Center Security Server\Agent\IDS\system\LocalAgent.ini
Find the queue you want to increase.
Uncomment the collector's line (remove the leading #), set the queue size you want, and save the file.
[Event Management]
#Event Log File=event.log
#Append To File Size(KB)=20480    #Minimum value is 5120
#Append To File Backups=10    #Minimum value is 1
#Error Log File Size(KB)=5120    #Minimum value is 2048
#Error Log File Backups=10    #Minimum value is 1
#File Collector Events Limit=5000   #Minimum value is 100
Registry Collector Events Limit=5000   #Minimum value is 100 (Default is 5000, try increasing to 8000)
#Event Log Collector Events Limit=5000   #Minimum value is 100
#Event Processing Queue Limit=15000   #Minimum value is 1000
#Syslog Collector Events Limit=5000   #Minimum value is 100
#Syslog Collector Syslog Lines Limit=5000  #Minimum value is 100
#Wtmp Collector Events Limit=5000   #Minimum value is 100
#C2 Collector Events Limit=1000    #Minimum value is 100
#IPS Driver Collector Events Limit=5000   #Minimum value is 100
#Plugin Collector Events Limit=5000   #Minimum value is 100
#Error Log Message Events Limit=5000   #Minimum value is 100
#Execute Commands Action Limit=1000   #Minimum value is 100
#Disable Account Action Limit=1000   #Minimum value is 100
#Notify Action Limit=1000    #Minimum value is 100
#Kill Process Action Limit=1000    #Minimum value is 100
#Kill Session Action Limit=1000    #Minimum value is 100
#Send Titanium File Info=false    #Not send by default

4. Restart the Agent services
sisservicectrl start sisidsservice
sisservicectrl start sisipsservice
sisservicectrl start sisipsutil

5. Reset your policy (sisipsconfig -s)

Monitor to see if the issue reoccurs.

Linux
1. Set a null policy
su - sisips
./sisipsconfig.sh -r

2. Stop the agent services (depending on the agent version, sisamddaemon may not be present)
service sisipsagent stop
service sisidsagent stop
service sisipsutil stop
service sisamddaemon stop

3. Open LocalAgent.ini, uncomment the collector you want to change from the default, and change the value.
vi /opt/Symantec/sdcssagent/IDS/system/LocalAgent.ini
Save the file and quit vi
:wq!

4. Restart the services
service sisipsagent start
service sisidsagent start
service sisipsutil start
service sisamddaemon start

5. Reset the policy
su - sisips
./sisipsconfig.sh -s

Monitor to see if the issue reoccurs.
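Step 3 of both procedures is a hand edit of LocalAgent.ini, and the easy mistakes are leaving the leading # in place, editing a key outside [Event Management], or setting a value below the minimum noted in the inline comment. The following Python script is an added example, not part of this article or of the product's own tooling: it rewrites one collector limit in the [Event Management] section, keeps the inline comment, refuses values below the stated minimum, and saves a .bak copy. It assumes the file layout shown above (keys commented out with #, followed by a "#Minimum value is N" comment) and that it is run with the agent services already stopped and with write access to the file; the SAMPLE_INI excerpt is constructed for illustration.

```python
import re
from pathlib import Path

SECTION = "[Event Management]"

# Constructed excerpt of LocalAgent.ini; the real file holds more keys and sections.
SAMPLE_INI = """[Event Management]
#Event Log File=event.log
#File Collector Events Limit=5000   #Minimum value is 100
#Registry Collector Events Limit=5000   #Minimum value is 100
#Event Processing Queue Limit=15000   #Minimum value is 1000
"""


def set_collector_limit(text: str, key: str, new_value: int) -> str:
    """Uncomment `key` inside [Event Management] and set it to `new_value`.

    Keys ship commented out with a leading '#' and carry a trailing
    '#Minimum value is N' comment; that minimum is enforced here so a value
    the agent would reject is never written to the file."""
    # Optional leading '#', the key, '=', a number, then an optional inline comment.
    pat = re.compile(r"^#?\s*" + re.escape(key) + r"\s*=\s*\d+(?P<comment>\s*#.*)?$")
    lines = text.splitlines()
    in_section = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == SECTION
            continue
        if not in_section:
            continue
        m = pat.match(stripped)
        if not m:
            continue
        comment = m.group("comment") or ""
        minimum = re.search(r"Minimum value is (\d+)", comment)
        if minimum and new_value < int(minimum.group(1)):
            raise ValueError(f"{key}: {new_value} is below the minimum of {minimum.group(1)}")
        lines[i] = f"{key}={new_value}{comment}"
        return "\n".join(lines) + "\n"
    raise KeyError(f"{key} not found under {SECTION}")


def update_local_agent_ini(path: Path, key: str, new_value: int) -> Path:
    """Rewrite LocalAgent.ini in place, keeping a .bak copy of the original."""
    backup = path.with_suffix(path.suffix + ".bak")
    original = path.read_text()
    backup.write_text(original)
    path.write_text(set_collector_limit(original, key, new_value))
    return backup


if __name__ == "__main__":
    # Raise the Registry Collector queue from the 5000 default to 8000, as the article suggests.
    print(set_collector_limit(SAMPLE_INI, "Registry Collector Events Limit", 8000))
```

On a real agent, call update_local_agent_ini with the Windows or Linux path from step 3, then continue with steps 4 and 5 to restart the services and reset the policy.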