App Control: Syslog Fails with Reporter Error "SyslogGetEvents - Log level must be defined"

Article ID: 290291

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • The "SyslogGetEvents" task keeps erroring out on the Support.php > Scheduled Tasks page
  • The following error is reported in the Reporter.log file:
ERROR DatabaseConnectionWrapper - Database task exception: SyslogGetEvents - Log level must be defined
WARN DatabaseConnectionWrapper - System.InvalidOperationException: Log level must be defined

Environment

  • App Control Server: All Supported Versions

Cause

  • The error occurs when the "Priority" column of an incoming event is outside the expected range of 0 to 7
  • Corrupt agents are sending erroneous event data

Resolution

The following workaround is available until a permanent fix is released:
  1. Ensure there is a recent DB backup
  2. Stop the App Control Reporter Service
  3. Open SQL Server Management Studio > das > Programmability > Stored Procedures, right-click "SyslogGetEvents" and select Modify
  4. Find the following line: 
    priority_id as priority,
  5. Comment it out and replace it with the following line:
    --priority_id as priority,
    CASE WHEN (priority_id >=0 AND priority_id <=7) THEN priority_id ELSE 0 END as priority,
  6. Execute the script to update the procedure
  7. Start the App Control Reporter Service
  8. To check for corrupted agents that are sending events with invalid "Priority" data, use the following SQL query:
    USE das;
    SELECT Source
    FROM dbo.EventsGUI(1033)
    WHERE priority_id < 0 OR priority_id > 7
    GROUP BY Source;
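
An added example, not part of the vendor article: it runs the workaround's CASE expression and an extended form of the step 8 check against constructed rows, so the effect can be seen without touching the das database. The table variable @SampleEvents and its host names are made up, and the NULL row assumes priority_id is nullable, which the article does not state.

```sql
-- Constructed sample rows standing in for dbo.EventsGUI(1033). Only the two
-- columns named in this article (Source, priority_id) are modelled.
DECLARE @SampleEvents TABLE (Source NVARCHAR(128), priority_id INT NULL);

INSERT INTO @SampleEvents (Source, priority_id) VALUES
    (N'HOST-A', 4),
    (N'HOST-A', 6),
    (N'HOST-B', 9),     -- above the expected range
    (N'HOST-B', 5),
    (N'HOST-C', -1),    -- below the expected range
    (N'HOST-C', 255),
    (N'HOST-D', 0),     -- valid: 0 is inside the range
    (N'HOST-E', NULL);  -- assumption: the column may hold NULL

-- 1. Effect of the workaround expression from step 5: in-range values pass
--    through unchanged; everything else, including NULL, is reported as 0.
SELECT Source,
       priority_id AS stored_priority,
       CASE WHEN (priority_id >= 0 AND priority_id <= 7)
            THEN priority_id ELSE 0 END AS priority
FROM @SampleEvents
ORDER BY Source, priority_id;

-- 2. Per-source summary of the rows the workaround rewrites. The step 8
--    predicate alone skips NULL rows (NULL < 0 evaluates to UNKNOWN), so
--    IS NULL is added to match what the CASE expression treats as invalid.
SELECT Source,
       COUNT(*)         AS invalid_events,
       MIN(priority_id) AS lowest_invalid,
       MAX(priority_id) AS highest_invalid
FROM @SampleEvents
WHERE priority_id < 0 OR priority_id > 7 OR priority_id IS NULL
GROUP BY Source
ORDER BY invalid_events DESC, Source;
```

Rows rewritten to 0 by the workaround cannot be told apart downstream from events whose stored priority really is 0, so the per-source summary is the record of which agents to investigate.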
    

Additional Information

This issue is tracked as EP-15124 and is scheduled for resolution in the upcoming 8.9 server version.