ICDx is set up to retrieve WSS access logs using the WSS SyncAPI endpoint.
Logs are successfully retrieved most of the time, but we noticed that when the WSS Portal undergoes maintenance, the WSS access logs are no longer available until the ICDx Portal is restarted.
Why can't the ICDx collector handle these WSS Portal maintenance events?
ICDx.
SyncAPI endpoint.
WSS Access logs.
The ICDx client stops the WSS collector too aggressively.
The ICDx collector algorithm gives up when multiple attempts to gather WSS logs within a certain timeframe fail, which is exactly what happens during a WSS Portal maintenance window.
No changes to ICDx are planned as the product approaches end of life, but two workarounds may be used to handle this use case:
1. Using a monitoring python script that is shipped with the ICDx Application - https://techdocs.broadcom.com/us/en/symantec-security-software/integrated-cyber-defense/integrated-cyber-defense-exchange/1-4-4/Administration/Monitoring-ICDx-Services.html. This can be used to probe state of the ICDx collectors and take action should one fail.
2. Manually add the following script to the ICDx cron jobs (run chmod u+x on it first to make it executable). You can run it hourly, for example; if the WSS collector is not running when the script executes, the ICDx service is restarted automatically.
#!/bin/sh
# Look for the WSS collector's Java process in the process list.
icdx_wss_running=$(ps aux | grep wss | grep java)
if [ -z "$icdx_wss_running" ]; then
    # Collector is gone: log it and restart the ICDx launcher service in the background.
    echo "Restarting ICDx WSS collector: $(date)" >> /tmp/wss_icdx.txt
    /usr/sbin/service launcher_dx restart &
else
    echo "ICDx WSS collector still OK!" >> /tmp/wss_icdx.txt
fi
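The cron script in workaround 2 restarts the service on every run in which the collector is down, so a long maintenance window produces a restart per cron interval. The watchdog below is an added example (not from this article or the ICDx product) that keeps the same check and restart command but records the last restart and enforces a cooldown; the state file path, the 30-minute cooldown and the `--check` argument are assumptions made here.

```shell
#!/bin/sh
# Added example: ICDx WSS collector watchdog with a restart cooldown.
# Assumed (not from the article): STATE_FILE path, COOLDOWN_SECS, --check flag.
# Suggested crontab line:  0 * * * * /usr/local/bin/wss_icdx_watchdog.sh --check

STATE_FILE="${STATE_FILE:-/var/tmp/wss_icdx_last_restart}"
LOG_FILE="${LOG_FILE:-/tmp/wss_icdx.txt}"
COOLDOWN_SECS="${COOLDOWN_SECS:-1800}"   # 30 minutes between restarts

# Return 0 if the process listing in $1 contains the WSS collector's Java process.
# The listing is passed in (instead of calling ps here) so it can be checked
# against a captured listing.
wss_collector_running() {
    printf '%s\n' "$1" | grep java | grep -q wss
}

# Return 0 if no restart is recorded in state file $2, or if at least
# COOLDOWN_SECS have elapsed since it. $1 = current time in epoch seconds.
restart_allowed() {
    now="$1"
    state="$2"
    [ -f "$state" ] || return 0
    last=$(cat "$state" 2>/dev/null || echo 0)
    [ $((now - last)) -ge "$COOLDOWN_SECS" ]
}

# One watchdog pass: log the state, restart only when allowed by the cooldown.
check_and_restart() {
    listing=$(ps aux)
    if wss_collector_running "$listing"; then
        echo "ICDx WSS collector still OK! $(date)" >> "$LOG_FILE"
        return 0
    fi
    if restart_allowed "$(date +%s)" "$STATE_FILE"; then
        echo "Restarting ICDx WSS collector: $(date)" >> "$LOG_FILE"
        date +%s > "$STATE_FILE"
        /usr/sbin/service launcher_dx restart &
    else
        echo "ICDx WSS collector down, restart skipped (cooldown): $(date)" >> "$LOG_FILE"
    fi
}

# Only act when invoked with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_and_restart
fi
```

The log file records skipped restarts as well, so a maintenance window that outlasts the cooldown is visible as a run of "restart skipped" entries rather than a series of service restarts.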