A collector or collectors that used to work have suddenly stopped sending events.
Are any Statistical Events for the collector showing up in the SSIM UI?
Note that your point product must be attempting to send actual events for this to work. If a firewall doesn't have any traffic to it, there may be nothing in the logs. Similarly, an antivirus server that does not have any clients may not issue any events to the log and may therefore falsely appear to be down.
For help building queries see this document.
If statistical events are received for the collector but no actual events are, then the collector is communicating with the SSIM but not with the point product. In this case, look carefully at the collector configurations for anything that may be causing the issue. See below for 'collector types' for troubleshooting collector configurations. Also look at the collector log files for more detail.
If no statistical events are received, then the collector has not communicated with the appliance. The appliance itself may not have connectivity or may not be receiving events. Check the Statistics page on the appliance to see if any events at all are flowing. If no events are flowing to the appliance from any collector, it is probably not a collector issue but an issue with the appliance.
See this document for more information about creating collector and sensor configuration.
If you find that the agent is receiving events, then you know that all the pieces up to the agent are working correctly, so you can focus troubleshooting on the connection between the Agent/Collector and the appliance. If the agent does not receive any events, trace backwards to locate the point of failure. Techniques for doing this depend on the type of collector you are working with. See below for more detail on tracking these problems down.
Try this if you find that the event service is receiving events but does not forward them. Do not do this on a SSIM appliance.
Check for errors in the sesa-agent.log, and <collector name>
There are 3 main types of collectors: