log collector fails to upload Fortinet logs | MCAS

Copper Contributor

MCAS never received any logs from on prem collectorMCAS never received any logs from on prem collector

 

Messages under "/var/adallom/syslog/rotated/514/" fails to be uploaded. Added error log below. It says message files are locked and files are not uploaded.

 

Posting here for expert advice. Thanks in advance!

Log collector status:

General information:
Files uploaded: 0
Status: OK
Up since: 2024-01-30 08:04:00
Last configured: 2024-01-30 08:03:58
Last connected to portal: 2024-01-30 08:50:19
Disk use: Used 5%, available 344G/361G

Data sources:
Name: Forti_UDP
Last log received: Not yet received
Number of logs received: 8

Error Log: 

2024-01-30 08:49:15.824 ERROR c.a.c.c.DirectoryMonitorFileProcessor DirectoryMonitorFileProcessor - messages-2024-01-30-35-1706603701 - Exception in DirectoryMonitorFileProcessor for file '/var/adallom/syslog/rotated/514/messages-2024-01-30-35-1706603701'
java.lang.RuntimeException: Waiting too long for file to be unlocked
at com.adallom.columbus.collectors.DirectoryMonitorFileProcessor.waitOnLockedFile(DirectoryMonitorFileProcessor.java:226)
at com.adallom.columbus.collectors.DirectoryMonitorFileProcessor.internalRun(DirectoryMonitorFileProcessor.java:90)
at com.adallom.columbus.utils.NamedRunnable.run(NamedRunnable.java:14)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:750)
2024-01-30 08:49:18.342 WARN o.a.h.c.p.ResponseProcessCookies DirectoryMonitor - /var/adallom/syslog/rotated - Invalid cookie header: "Set-Cookie: cas_sessionid=b35nyptc8li28xi7fumpo0d3azuto9ic; Domain=.us3.portal.cloudappsecurity.com; expires=Tue, 30 Jan 2024 09:49:18 GMT; HttpOnly; Max-Age=3600; Path=/; Secure". Invalid 'expires' attribute: Tue, 30 Jan 2024 09:49:18 GMT
2024-01-30 08:49:18.343 INFO c.a.c.collectors.DirectoryMonitor DirectoryMonitor - /var/adallom/syslog/rotated - Processing new file '/var/adallom/syslog/rotated/514/messages-2024-01-30-35-1706603701'
2024-01-30 08:49:18.913 WARN o.a.h.c.p.ResponseProcessCookies DirectoryMonitor - /var/adallom/ftp/discovery - Invalid cookie header: "Set-Cookie: cas_sessionid=tivwq8cem6txpmyhhxqbufyrc82b3oe9; Domain=.us3.portal.cloudappsecurity.com; expires=Tue, 30 Jan 2024 09:49:18 GMT; HttpOnly; Max-Age=3600; Path=/; Secure". Invalid 'expires' attribute: Tue, 30 Jan 2024 09:49:18 GMT
2024-01-30 08:49:26.106 WARN c.a.c.c.DirectoryMonitorFileProcessor DirectoryMonitorFileProcessor - messages-2024-01-30-15-1706602501 - Timeout waiting for lsof command on file '/var/adallom/syslog/rotated/514/messages-2024-01-30-15-1706602501', assuming it is locked

 

Messages under Rotated directory:

root@<>:/var/adallom/syslog/rotated/514# ls -lh
total 8.5G
-rw-r--r--. 1 root root 122 Jan 30 09:18 config.json
-rw-r-----. 1 root adm 615M Jan 30 09:00 messages-2024-01-30-00-1706605201
-rw-r-----. 1 root adm 126M Jan 30 08:05 messages-2024-01-30-05-1706601901
-rw-r-----. 1 root adm 636M Jan 30 09:05 messages-2024-01-30-05-1706605501
-rw-r-----. 1 root adm 623M Jan 30 08:10 messages-2024-01-30-10-1706602201
-rw-r-----. 1 root adm 619M Jan 30 09:10 messages-2024-01-30-10-1706605801
-rw-r-----. 1 root adm 593M Jan 30 08:15 messages-2024-01-30-15-1706602501
-rw-r-----. 1 root adm 601M Jan 30 09:15 messages-2024-01-30-15-1706606101
-rw-r-----. 1 root adm 585M Jan 30 08:20 messages-2024-01-30-20-1706602801
-rw-r-----. 1 root adm 600M Jan 30 08:25 messages-2024-01-30-25-1706603101
-rw-r-----. 1 root adm 600M Jan 30 08:30 messages-2024-01-30-30-1706603402
-rw-r-----. 1 root adm 614M Jan 30 08:35 messages-2024-01-30-35-1706603701
-rw-r-----. 1 root adm 629M Jan 30 08:40 messages-2024-01-30-40-1706604001
-rw-r-----. 1 root adm 620M Jan 30 08:45 messages-2024-01-30-45-1706604301
-rw-r-----. 1 root adm 594M Jan 30 08:50 messages-2024-01-30-50-1706604601
-rw-r-----. 1 root adm 611M Jan 30 08:55 messages-2024-01-30-55-1706604901

1 Reply

@svangimalla 

Hello, how are you ? Was there any progress in this case, were you able to resolve it?