java.lang.Exception: Error: Invalid bulk event file -- no manifest

Article ID: 241699


Products

Data Center Security Server Advanced

Issue/Introduction

When attempting to re-process into the SCSPDB database a group of event files (*.csv) compressed in one or more *.zip files, the load fails. It terminates with an error similar to the following:

SCSP Bulk Event Loader

File Path/Name:      C:\Temp\Events\SISRTEvents28197.zip
Integrity Override:  ON
Destination Table:   CSPEVENT
Database Connection: DEFAULT
Database User:       DEFAULT

Processing events file...
Error loading events:
java.lang.Exception: Error: Invalid bulk event file -- no manifest.
Please be sure the zipfile is an event file.
        at com.symantec.sis.bulkeventloader.FileLoader.process(FileLoader.java:169)
        at com.symantec.sis.bulkeventloader.BulkLoader.processEventFile(BulkLoader.java:505)
        at com.symantec.sis.bulkeventloader.BulkLoader.main(BulkLoader.java:91)
No events processed.

 

Environment

Data Center Security 6.9.1

 

 

Cause

To process events in bulk, the data loading process needs to know the Guid of the computer from which the events came and match it with a valid asset within the database. To do this, it must be provided with the correct Guid in a file known as the "manifest".

  1. The manifest is a text file. Its name does not matter, but the extension must be .mnf. Example:  Events.mnf
  2. The manifest file has one line: Guid:<computerGuid>. Example:  Guid:ABCDEFGHIJKLMNOPQRSTUVWXYZ-Abcdefg+hijkLMNop:-qrstuvwx:yz012345678:-9098
  3. The manifest file must be added to each zip file containing events that need to be processed again.

Resolution

Steps:

1. Open one of the .csv files compressed in the zip file

2. On the very first line the Guid will be the long series of characters between the 14th and 15th commas. 

Example:  MSOF,0,2015-03-23 06:16:14.000 Z+0530,I,,,,,,,<hostname>,unknown,unknown,windows,ABCDEFGHIJKLMNOPQRSTUVWXYZ-Abcdefg+hijkLMNop:-qrstuvwx:yz012345678:-9098,C:\Program Files (x86)\Symantec\Data Center Security Server\Agent\sdcsslog\SISIDSEvents.csv,,E,6.5.0.355

3. Create a text file:  Events.mnf

4. Open the newly created file and insert the line:  Guid:

5. Next to the "Guid:" heading, paste the Guid extracted from the 14th position in the .csv file.  Example:   Guid:ABCDEFGHIJKLMNOPQRSTUVWXYZ-Abcdefg+hijkLMNop:-qrstuvwx:yz012345678:-9098

6. Save the manifest file and insert it into each zip file containing event files needing to be processed.   The zip file should contain events from one specific computer, not a mix of computer agents.
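
The steps above can be scripted. The following Python sketch is an added example, not part of the original article or the product: it reads the first line of every .csv in a zip, takes the value between the 14th and 15th commas, refuses a zip that mixes Guids from more than one computer, and appends Events.mnf. It assumes the event files decode as UTF-8 and that the manifest belongs at the root of the zip; the function names are hypothetical.

```python
import csv
import os
import tempfile
import zipfile

GUID_FIELD = 14  # zero-based index: the value between the 14th and 15th commas

# Constructed sample: the example first line shown in step 2 of the article.
SAMPLE_LINE = (r"MSOF,0,2015-03-23 06:16:14.000 Z+0530,I,,,,,,,<hostname>,unknown,"
               r"unknown,windows,ABCDEFGHIJKLMNOPQRSTUVWXYZ-Abcdefg+hijkLMNop:-qrstuvwx:"
               r"yz012345678:-9098,C:\Program Files (x86)\Symantec\Data Center Security "
               r"Server\Agent\sdcsslog\SISIDSEvents.csv,,E,6.5.0.355")


def guid_from_first_line(line):
    """Return the agent Guid from the first line of an event .csv."""
    fields = next(csv.reader([line]), [])
    if len(fields) <= GUID_FIELD or not fields[GUID_FIELD].strip():
        raise ValueError("no Guid between the 14th and 15th commas")
    return fields[GUID_FIELD].strip()


def add_manifest(zip_path, manifest_name="Events.mnf"):
    """Append a one-line manifest to zip_path and return the Guid written."""
    with zipfile.ZipFile(zip_path, "a") as zf:
        names = zf.namelist()
        if any(n.lower().endswith(".mnf") for n in names):
            raise ValueError("zip already contains a manifest")
        guids = set()
        for name in names:
            if name.lower().endswith(".csv"):
                with zf.open(name) as fh:
                    # Assumption: event files decode as UTF-8 (a BOM is tolerated).
                    first = fh.readline().decode("utf-8-sig")
                guids.add(guid_from_first_line(first))
        # Step 6: one zip must hold events from exactly one computer.
        if len(guids) != 1:
            raise ValueError(f"expected one Guid in the zip, found {len(guids)}")
        guid = guids.pop()
        # Assumption: the manifest sits at the root of the zip.
        zf.writestr(manifest_name, "Guid:" + guid)
    return guid


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "SampleEvents.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("SISIDSEvents.csv", SAMPLE_LINE + "\r\n")
    print(add_manifest(path))
```

Run it against a copy of the zip; when the Guid check fails, the archive is left unchanged.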

NOTE: If you are unsure whether the Guid being used is correct, one of the following SQL queries can be run via SQL Management Studio against SCSPDB:

-- Copy the Guid from the first line of a .csv event file and paste it as the value of the variable @Guid

declare @Guid nvarchar(255) = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ-Abcdefg+hijkLMNop:-qrstuvwx:yz012345678:-9098'

select  Hostname, IPAddress, OSType, OSVersion, AgentAge, LastAppRequestDate
from ASSET_VW
where Guid = @Guid

 

If the above query returns nothing, or if it returns the name of a computer you did not expect, you can look up the current operating Guid for the computer by plugging the computer's name into the following query and running it against the database:

Replace 'Machine1' with the computer name in the following example:

declare @computerName nvarchar(50) = 'Machine1'

select  Hostname, IPAddress, OSType, OSVersion, AgentAge, LastAppRequestDate, Guid
from ASSET_VW
where Hostname = @computerName