ICDx is set up to retrieve Cloud SWG access logs using the Cloud SWG SyncAPI endpoint.
Logs are retrieved successfully most of the time, but when the Cloud SWG Portal undergoes maintenance, the Cloud SWG access logs are no longer collected until the ICDx service is restarted.
Why can't the ICDx collector handle these Cloud SWG Portal maintenance events on its own?
ICDx.
SyncAPI endpoint.
Cloud SWG Access logs.
The ICDx client stops the Cloud SWG collector too aggressively.
The collector's retry logic gives up when multiple attempts to gather Cloud SWG logs within a certain timeframe fail, which is exactly what happens while the portal is under maintenance; once stopped, the collector is not restarted automatically.
No changes to ICDx are planned as the product approaches end of life, but two workarounds can be used to handle this use case:
1. Use the monitoring python script that ships with the ICDx application - https://techdocs.broadcom.com/us/en/symantec-security-software/integrated-cyber-defense/integrated-cyber-defense-exchange/1-4-4/Administration/Monitoring-ICDx-Services.html. It can be used to probe the state of the ICDx collectors and take action should one fail.
2. Add the following script to the ICDx cron jobs (run chmod u+x on it first to make it executable). Run it hourly, for example: if the Cloud SWG collector is not running when the script executes, the ICDx service is restarted automatically and the action is logged to /tmp/wss_icdx.txt.
#!/bin/sh
# Check whether the ICDx WSS (Cloud SWG) collector JVM is running and restart the
# ICDx launcher service if it is not. Intended to be run hourly from cron.
# "grep -v grep" keeps the grep processes themselves out of the match.
icdx_wss_running=$(ps aux | grep -v grep | grep wss | grep java)
if [ -z "$icdx_wss_running" ]; then
  echo "Restarting ICDx WSS collector: $(date)" >> /tmp/wss_icdx.txt
  /usr/sbin/service launcher_dx restart &
else
  echo "ICDx WSS collector still OK!" >> /tmp/wss_icdx.txt
fi
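The cron script above restarts ICDx on the first check that finds no collector process. During a longer Cloud SWG Portal maintenance window that can mean an ICDx restart every hour even though the collector cannot succeed yet. The following variant is an added example, not Broadcom's script: it keeps a failure counter in a state file and only restarts the launcher_dx service after a configurable number of consecutive failed checks. The state-file and log paths, the threshold, and the --run flag are assumptions made for this example; the process test and the service name are taken from the workaround above.

```shell
#!/bin/sh
# Added example (not part of the ICDx product): hourly cron check for the ICDx
# WSS (Cloud SWG) collector that restarts launcher_dx only after FAIL_THRESHOLD
# consecutive checks have found no collector process.
# Paths and threshold below are assumptions; override them via the environment.
LOG_FILE="${LOG_FILE:-/tmp/wss_icdx.txt}"
STATE_FILE="${STATE_FILE:-/tmp/wss_icdx.failcount}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-2}"

# Return 0 when the process listing passed as $1 contains the WSS collector JVM
# (a line matching both "wss" and "java"), 1 otherwise. Taking the listing as an
# argument lets the check be exercised offline against a constructed listing.
wss_collector_present() {
    printf '%s\n' "$1" | grep -v grep | grep wss | grep -q java
}

# Print the new consecutive-failure count: reset to 0 when the collector is
# present ($2 = 0), otherwise increment the previous count ($1).
next_fail_count() {
    prev="$1"; absent="$2"
    if [ "$absent" -eq 0 ]; then echo 0; else echo $((prev + 1)); fi
}

# Print "restart" once the failure count reaches the threshold, else "ok".
decide() {
    count="$1"; threshold="$2"
    if [ "$count" -ge "$threshold" ]; then echo restart; else echo ok; fi
}

main() {
    listing=$(ps aux)
    if wss_collector_present "$listing"; then absent=0; else absent=1; fi
    prev=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    count=$(next_fail_count "$prev" "$absent")
    echo "$count" > "$STATE_FILE"
    if [ "$(decide "$count" "$FAIL_THRESHOLD")" = restart ]; then
        echo "Restarting ICDx WSS collector after $count failed checks: $(date)" >> "$LOG_FILE"
        echo 0 > "$STATE_FILE"
        /usr/sbin/service launcher_dx restart
    else
        echo "ICDx WSS collector check ok (consecutive failures=$count): $(date)" >> "$LOG_FILE"
    fi
}

# Only act when invoked with --run (e.g. from cron); sourcing the file just
# defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

With the script saved as /opt/icdx/cron_check_wss.sh (an assumed location) and made executable, a crontab entry such as `0 * * * * /opt/icdx/cron_check_wss.sh --run` performs the check hourly; with the default threshold of 2, a single missed poll is logged but the service is restarted only once the collector has been absent for two consecutive checks.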