SOLVED

MCAS Log Collector on RHEL not receiving logs


Hi, I'm in the process of deploying a new log collector on RHEL 7. I've configured it in the MCAS portal and deployed the Docker container, and I can see it as connected in the console, with no data received.


Now I've forwarded the logs to the server, and I can see them if I run a tcpdump on the RHEL host, but I'm not seeing anything in the container. /var/adallom/syslog/rotated/514/ only contains the config.json file, and /var/adallom/discoverylogsbackup is empty.


Is there a way I can see if the container is receiving the messages and why it's not processing them?

2 Replies
Try this first:
https://docs.microsoft.com/en-us/defender-cloud-apps/troubleshooting-cloud-discovery

And contact support if that does not help resolve the issue.
best response confirmed by SimonR (Contributor)
Solution
Having logged a support ticket and had it bounce around through all the same things listed in that link, we eventually discovered a corrupt file in the container. Despite redeploying the container multiple times, there appeared to be an issue with /etc/rsyslog.d/50-default.conf: it was inaccessible to tools like vi and cat and appeared to prevent the rsyslog process from working correctly. Running touch on the file appears to have corrected the issue, and we are now seeing the messages file being populated as expected.
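The thread never answers the original question ("is there a way I can see if the container is receiving the messages and why it's not processing them?") beyond the support link, so here is a small diagnostic script that checks the things the question and the accepted answer actually mention: whether the rsyslog drop-in inside the container can be read, whether rsyslogd is running and listening, whether the rotated/514 and discoverylogsbackup directories hold anything besides config.json, and a single test syslog message sent from the host. This is an added example, not code from the thread or from the Microsoft collector image. The container name mcas-collector, the use of UDP on port 514, and the availability of pgrep, ss and logger are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the thread or from Microsoft). Diagnoses the symptoms
# described above: an unreadable /etc/rsyslog.d/50-default.conf inside the
# container, and data directories that contain only config.json.
# Assumptions: container is named "mcas-collector" (hypothetical), the collector
# receives syslog over UDP/514, and pgrep/ss/logger exist where they are called.

CONTAINER="${CONTAINER:-mcas-collector}"      # hypothetical container name
SYSLOG_TARGET="${SYSLOG_TARGET:-127.0.0.1}"   # host address the logs are sent to
RSYSLOG_DROPIN="/etc/rsyslog.d/50-default.conf"
ROTATED_DIR="/var/adallom/syslog/rotated/514"
BACKUP_DIR="/var/adallom/discoverylogsbackup"

# Return 0 if PATH is a regular file that can be read end to end, 1 otherwise.
# The accepted answer's symptom was exactly this: cat and vi could not open
# the drop-in even though the path existed.
file_readable() {
  path="$1"
  [ -f "$path" ] || return 1
  cat "$path" > /dev/null 2>&1 || return 1
  return 0
}

# Print the number of top-level entries in DIR other than config.json.
# The question reports the rotated directory holding only config.json,
# i.e. this returns 0 when no log data has been written yet.
count_data_files() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo 0
    return 0
  fi
  find "$dir" -mindepth 1 -maxdepth 1 ! -name config.json | wc -l | tr -d ' '
}

# Run a shell command inside the container, so the checks apply to the
# container filesystem rather than the RHEL host (where tcpdump already
# showed the packets arriving).
in_container() {
  docker exec "$CONTAINER" sh -c "$1"
}

diagnose() {
  echo "== rsyslog drop-in inside container =="
  if in_container "[ -f $RSYSLOG_DROPIN ] && cat $RSYSLOG_DROPIN > /dev/null 2>&1"; then
    echo "readable: $RSYSLOG_DROPIN"
  else
    echo "NOT readable: $RSYSLOG_DROPIN"
    echo "  (the accepted answer recovered with: docker exec $CONTAINER touch $RSYSLOG_DROPIN)"
  fi

  echo "== rsyslogd process and UDP/514 listener (assumed tools: pgrep, ss) =="
  in_container "pgrep -a rsyslogd || echo 'rsyslogd not running'"
  in_container "ss -lnup 2>/dev/null | grep -q ':514 ' && echo 'UDP 514 listening' || echo 'no UDP listener on 514'"

  echo "== data directories (expect more than config.json once logs flow) =="
  in_container "ls -la $ROTATED_DIR $BACKUP_DIR 2>&1"

  echo "== one test message over UDP/514 from the host (util-linux logger) =="
  logger -d -n "$SYSLOG_TARGET" -P 514 -t mcas-diag "collector test $(date +%s)"
  echo "sent; re-run the directory listing in a minute to see if it was written"
}

if [ "${1:-}" = "run" ]; then
  diagnose
fi
```

Run it on the RHEL host as `sh collector-diag.sh run` after setting CONTAINER to the real container name (`docker ps` shows it). If the first section reports the drop-in as not readable while `ls` shows it present, you are looking at the same failure the accepted answer hit, and the tcpdump on the host is telling the truth: packets arrive, but rsyslog inside the container never loads its configuration, so nothing is written under /var/adallom.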