CiscoSecurity / fp-05-firepower-cli

Public Repo for an eStreamer CLI project
10 stars 8 forks

script does not generate cef events with FMC 7.2.4 #18

Closed beirne-arcsight closed 1 year ago

beirne-arcsight commented 1 year ago

We had version 5.1.6 of the script running fine with FMC 7.0.x. We then upgraded FMC to 7.2.4 and the script quit working. We upgraded estreamer to 5.2.6, which I see includes a cef fix for FMC 7.2. With TRACE logging set we can see events coming in, but the cef events we have configured never leave the estreamer script. We are using the same configuration that worked for months with 5.1.6.

mikepalitto commented 1 year ago

Just had a client running fine with old version. We upgraded to 5.2.6 with retrieving only Packet logs from FMC. We are missing a lot of logs we used to see.

beirne-arcsight commented 1 year ago

We got it working in the end. I needed to make some configuration changes, as documented in the guide.

The big thing was to reduce the batch size. I had never set it so it was at the default of 100 events. The events don't come down until the batch is full, so we were thinking nothing was coming down while waiting for the batch. We reduced it to two and now the wait is minimal.

We also reduced the worker count from 4 to 1. This simplified things and 1 was all we needed for our event flow.

beirne-arcsight commented 1 year ago

With things working as described in the comment I just made I'll close the issue.

mikepalitto commented 1 year ago

We tried some adjustments to both the worker count and the batch size; still only a small amount of logs, which are only PKT logs. Again, we had been running fine until FMC was upgraded to 7.2.4. We are running on Red Hat. To get this to work prior we had to set RUA to FALSE. Output module is streaming data to tcp://127.0.0.1:514

2023-07-26 06:56:09,243 Monitor INFO Running. 15396 handled; average rate 0.33 ev/sec
2023-07-26 06:58:07,761 Monitor INFO Running. 15464 handled; average rate 0.33 ev/sec
2023-07-26 07:00:07,949 Monitor INFO Running. 15542 handled; average rate 0.33 ev/sec
2023-07-26 07:02:07,432 Monitor INFO Running. 15644 handled; average rate 0.33 ev/sec
2023-07-26 07:04:07,916 Monitor INFO Running. 15758 handled; average rate 0.33 ev/sec
2023-07-26 07:06:10,911 Monitor INFO Running. 15884 handled; average rate 0.33 ev/sec
2023-07-26 07:08:08,097 Monitor INFO Running. 15986 handled; average rate 0.34 ev/sec
2023-07-26 07:10:08,475 Monitor INFO Running. 16062 handled; average rate 0.34 ev/sec
2023-07-26 07:12:07,314 Monitor INFO Running. 16152 handled; average rate 0.34 ev/sec
2023-07-26 07:14:09,565 Monitor INFO Running. 16238 handled; average rate 0.34 ev/sec

Seems like data is being retrieved but not all going to output.
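The two observations in this thread (events that only leave the script once a batch is full, and Monitor counters that keep climbing while little reaches the output) can be checked together from the log alone. The script below is an added example written for this page; it is not eNcore code and was not posted by either participant. It parses the Monitor status lines quoted above (that line format is taken from the thread and is the only assumption made about eNcore's logging), measures the event rate from the counter deltas rather than the since-startup average the log prints, and replays arrival times through a flush-only-when-full policy to show how long events wait for a given batch size. The `batch_size` parameter and the flush policy model the reporter's description, not a verified statement about eNcore internals.

```python
import re
from datetime import datetime

# Constructed sample: the Monitor lines quoted in this thread, copied verbatim.
MONITOR_LOG = """\
2023-07-26 06:56:09,243 Monitor INFO Running. 15396 handled; average rate 0.33 ev/sec
2023-07-26 06:58:07,761 Monitor INFO Running. 15464 handled; average rate 0.33 ev/sec
2023-07-26 07:00:07,949 Monitor INFO Running. 15542 handled; average rate 0.33 ev/sec
2023-07-26 07:02:07,432 Monitor INFO Running. 15644 handled; average rate 0.33 ev/sec
2023-07-26 07:04:07,916 Monitor INFO Running. 15758 handled; average rate 0.33 ev/sec
2023-07-26 07:06:10,911 Monitor INFO Running. 15884 handled; average rate 0.33 ev/sec
2023-07-26 07:08:08,097 Monitor INFO Running. 15986 handled; average rate 0.34 ev/sec
2023-07-26 07:10:08,475 Monitor INFO Running. 16062 handled; average rate 0.34 ev/sec
2023-07-26 07:12:07,314 Monitor INFO Running. 16152 handled; average rate 0.34 ev/sec
2023-07-26 07:14:09,565 Monitor INFO Running. 16238 handled; average rate 0.34 ev/sec
"""

# Assumed line format, derived only from the lines above.
MONITOR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) Monitor INFO Running\. "
    r"(?P<handled>\d+) handled; average rate (?P<rate>[\d.]+) ev/sec"
)


def parse_monitor_lines(text):
    """Return [(timestamp, handled_count)] for every Monitor status line in text."""
    samples = []
    for line in text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(microsecond=int(m.group("ms")) * 1000)
        samples.append((ts, int(m.group("handled"))))
    return samples


def observed_rate(samples):
    """Events/sec across the sampled window, from the handled-counter delta.

    This is the rate right now; the 'average rate' in the log line is
    averaged since process start and lags behind a changing feed.
    """
    (t0, h0), (t1, h1) = samples[0], samples[-1]
    return (h1 - h0) / (t1 - t0).total_seconds()


def seconds_per_batch(rate, batch_size):
    """Time to fill one batch at a steady event rate (batch_size / rate)."""
    return batch_size / rate


def simulate_batch_flush(event_times, batch_size):
    """Replay event arrival times through a 'flush only when full' policy.

    Returns (flush_times, oldest_latency_per_flush, stranded) where
    oldest_latency_per_flush is how long the first event in each batch
    waited and stranded is how many events are still held when input ends.
    """
    flushes, latencies, pending = [], [], []
    for t in event_times:
        pending.append(t)
        if len(pending) >= batch_size:
            flushes.append(t)
            latencies.append(t - pending[0])
            pending = []
    return flushes, latencies, len(pending)


if __name__ == "__main__":
    samples = parse_monitor_lines(MONITOR_LOG)
    rate_now = observed_rate(samples)
    print("lines parsed: %d, counter-delta rate: %.2f ev/sec" % (len(samples), rate_now))
    for batch in (100, 10, 2):
        print("batch %3d: ~%.0f s to fill at 0.33 ev/sec, ~%.0f s at %.2f ev/sec"
              % (batch, seconds_per_batch(0.33, batch), seconds_per_batch(rate_now, batch), rate_now))
    # A feed that stops mid-batch leaves the tail stranded until more events arrive.
    flushes, latencies, stranded = simulate_batch_flush(list(range(10)), 3)
    print("flushes at", flushes, "oldest-event wait", latencies, "stranded", stranded)
```

At the 0.33 ev/sec this thread reports, a default batch of 100 takes about five minutes to fill, which matches the "nothing is coming down" symptom; a batch of 2 fills in about six seconds. The counter-delta rate over this particular window is closer to 0.78 ev/sec, so the window-based estimate is the one to use when deciding a batch size. The simulation also shows the other side of a full-only flush: if the feed pauses, the last partial batch stays in the script until enough new events arrive.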

mikepalitto commented 1 year ago

Do we open a new thread?