The load collector is not retrieving Windows events files from a remote collector:
- The transaction logs <sensage_path>/var/log/collector/transaction-<date>.log do not show transactions for that remote collector.
- The files in the remote collector are pending load (stuck in the event queue) but are not being pulled.
- /var/log/messages in the load collector shows an untar error on some files in the log queue directory.
The untar error messages in syslog indicate that a retriever is dying on corrupted files (possibly due to a truncated file transfer) and restarting over and over. The solution is to check the filenames in the error logs and remove those files from the retriever spool directory.
- Check the load collector's /var/log/messages and identify the corrupt files that are causing the untar error:
ERROR [C2701]: <Retriever 'loader_name'> Daisy Chain untar of '/opt/app/sensage/latest/data/collector//queue/microsoft_windows_Events_sensageRetriever/spool/<filename>' to <...> failed exit code '512
ERROR [B1400]: <Collector - spawn shepherd> A Retriever or Loader ('loader_name') is no longer functioning properly and has exited with condition 'ERROR [C2701]:
- Locate those corrupt files in the log queue spool directory.
- Remove the corrupted files from the spool directory.
- Restart the collector.
The files should be retrieved correctly now.
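The identify, locate and remove steps above can be scripted. The following is an added example, not SenSage's own tooling: it extracts the file paths quoted in C2701 untar errors and moves them out of the spool. The function names, the quarantine directory and the choice to move rather than delete (so the truncated files can be inspected or re-transferred later) are assumptions of this example.

```sh
#!/bin/sh
# Added example. Usage: script.sh /var/log/messages /path/to/quarantine
#                       script.sh --demo   (runs on constructed sample data)

# Print the unique paths quoted in "Daisy Chain untar of '<path>'" errors.
corrupt_files() {   # $1 = syslog file
    grep -F 'ERROR [C2701]' "$1" |
        sed -n "s/.*Daisy Chain untar of '\([^']*\)'.*/\1/p" |
        sort -u
}

# Move each reported file out of the spool. Paths come from a log, so accept
# only regular files under a spool/ directory and refuse any '..' component.
quarantine_corrupt() {   # $1 = syslog file, $2 = quarantine directory
    mkdir -p "$2" || return 1
    corrupt_files "$1" | while IFS= read -r f; do
        case "$f" in
            */../*)   echo "skip (path traversal): $f" >&2; continue ;;
            */spool/*) ;;
            *)        echo "skip (not in a spool dir): $f" >&2; continue ;;
        esac
        [ -f "$f" ] || { echo "skip (already gone): $f" >&2; continue; }
        mv -- "$f" "$2/" && echo "quarantined: $f"
    done
}

# Constructed sample: one fake spool file and one matching log line.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/queue/demo/spool"
    : > "$d/queue/demo/spool/evt-0001.tar"
    printf '%s\n' "ERROR [C2701]: <Retriever 'demo'> Daisy Chain untar of '$d/queue/demo/spool/evt-0001.tar' to <...> failed exit code '512" > "$d/messages"
    quarantine_corrupt "$d/messages" "$d/quarantine"
}

case "${1:-}" in
    --demo) demo ;;
    "")     ;;                       # sourced or run without arguments
    *)      quarantine_corrupt "$1" "$2" ;;
esac
```

Run it before restarting the collector, with an account that can write to the spool directory.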