Overview
The load collector is not retrieving Windows event files from a remote collector:
- The transaction logs <sensage_path>/var/log/collector/transaction-<date>.log do not show transactions for that remote collector.
- The files in the remote collector are pending to load/stuck in the event queue but are not being pulled.
- /var/log/messages in the load collector shows an untar error on some files in the log queue directory.
Solution
The untar error messages in syslog indicate that a retriever is dying on some corrupted files (possibly due to a truncated file transfer) and restarting over and over. The solution is to check the filenames in the error logs and remove those files from the retriever spool directory.
- Check the load collector's /var/log/messages and identify the corrupt files that are causing the untarring error:
ERROR [C2701]: <Retriever 'loader_name'> Daisy Chain untar of '/opt/app/sensage/latest/data/collector//queue/microsoft_windows_Events_sensageRetriever/spool/<filename>' to <...> failed exit code '512
...
ERROR [B1400]: <Collector - spawn shepherd> A Retriever or Loader ('loader_name') is no longer functioning properly and has exited with condition 'ERROR [C2701]:
- Locate those corrupt files in the log queue spool directory /opt/app/sensage/latest/data/collector//queue/microsoft_windows_Events_sensageRetriever/spool/
- Remove the corrupted files from the spool directory.
- Restart the collector.
The files should be retrieved correctly now.
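The cleanup steps above as a shell script, added here as an example and not Sensage's own tooling. It pulls the spool paths out of the C2701 lines, accepts only files that sit directly in the spool directory (the paths come from log text, so they are checked before anything is moved), and moves them to a quarantine directory instead of deleting them. The function names, the quarantine directory and the demo data are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Quarantining instead of deleting is an
# assumption; the function names are hypothetical.

# corrupt_spool_files LOG SPOOL
# Print each unique file named in a C2701 untar error that sits directly in SPOOL.
corrupt_spool_files() (
    spool=$(printf '%s' "$2" | tr -s /); spool=${spool%/}
    grep -F 'ERROR [C2701]' "$1" |
    sed -n "s/.*Daisy Chain untar of '\([^']*\)' to .*/\1/p" |
    tr -s / | sort -u |
    while IFS= read -r p; do
        # Log text is untrusted: accept only plain file names inside the spool.
        [ "${p%/*}" = "$spool" ] || continue
        case ${p##*/} in ''|.|..) continue ;; esac
        printf '%s\n' "$p"
    done
)

# quarantine_corrupt LOG SPOOL DEST
# Move those files out of the spool into DEST; print how many were moved.
quarantine_corrupt() (
    mkdir -p "$3" || exit 1
    corrupt_spool_files "$1" "$2" | {
        n=0
        while IFS= read -r f; do
            # Skip symlinks and files that are already gone.
            if [ -f "$f" ] && [ ! -L "$f" ]; then
                mv -- "$f" "$3/" && n=$((n + 1))
            fi
        done
        echo "$n"
    }
)

# demo: constructed log lines and empty files in a temp dir; prints the moved count.
demo() (
    t=$(mktemp -d | tr -s /) && mkdir "$t/spool" || exit 1
    : > "$t/spool/a.tar"; : > "$t/spool/b.tar"; : > "$t/keep.tar"
    # Repeated error for a.tar, plus one path that points outside the spool.
    for p in "$t//spool/a.tar" "$t//spool/a.tar" "$t/spool/../keep.tar"; do
        echo "ERROR [C2701]: <Retriever 'r1'> Daisy Chain untar of '$p' to <tmp> failed exit code '512"
    done > "$t/messages"
    quarantine_corrupt "$t/messages" "$t/spool/" "$t/quarantine"
)
```

On the load collector, call quarantine_corrupt with /var/log/messages, the spool directory from the article and a quarantine directory of your choice, then restart the collector.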