
CEF Log forwarding stopped after disk was full

Hi there,

So the disk got full on my log forwarder server and log forwarding stopped... I expanded the disk and now it has enough space:

[image: szkoszegi666_0-1661434439467.png]

However, I cannot see any new events in the CommonSecurityLog table since then. I went ahead and reinstalled the OMS agent, but it still doesn't work. There are no heartbeat events either, so I guess the problem will be with the OMS agent. The funny thing is that Syslog messages are arriving in Sentinel... When I run the troubleshooter everything is fine except:

Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0
CEF\ASA messages

But if I run tac /var/log/messages | grep CEF I can see the CEF messages.

I ran netstat/tcpdump and messages are hitting port 25226.

[image: szkoszegi666_1-1661434942164.png]

Any help would be appreciated.

Thanks
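The checks described in the post (is there still free disk, are CEF messages actually landing in the local syslog file, and from which sources) can be scripted so they are repeatable after an outage. The following is an added example, not code from the original post, from the OMS agent or from Microsoft's troubleshooter; it runs over a constructed snippet of /var/log/messages, and the function names (count_cef, cef_vendors, check_disk, port_listening) are assumptions for this example. In production you would point count_cef and cef_vendors at the real syslog file and check_disk at the mount holding the agent's buffers.

```shell
#!/bin/sh
# Added example: post-outage health checks for a CEF/Syslog forwarder.
# The log lines below are constructed for this example, not captured from a real host.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Aug 25 13:20:01 fwd01 systemd[1]: Started Session 12 of user azureuser.
Aug 25 13:20:05 fwd01 CEF:0|Cisco|ASA|9.1|106023|Deny tcp src|4|src=10.0.0.5 dst=10.0.0.9
Aug 25 13:20:06 fwd01 sshd[1234]: Accepted publickey for azureuser from 10.0.0.7
Aug 25 13:20:07 fwd01 CEF:0|Palo Alto Networks|PAN-OS|10.1|TRAFFIC|end|3|src=10.0.0.6 dst=10.0.0.9
EOF

# Count CEF messages in a log file. This is the same idea as the troubleshooter's
# "Located N CEF\ASA messages" check, but against the file you choose
# (the post shows the messages in /var/log/messages rather than /var/log/syslog).
count_cef() {
    grep -c 'CEF:[0-9]' "$1" || true   # grep -c exits 1 on zero matches; still prints 0
}

# List the distinct CEF device vendors seen, so you can tell which sources are
# still sending after the disk was expanded and which went silent.
cef_vendors() {
    grep -o 'CEF:[0-9]*|[^|]*' "$1" | cut -d'|' -f2 | sort -u || true
}

# Succeed only when the mount point's usage is at or below the given percentage.
# A full disk is what stopped forwarding in the first place, so alert early.
check_disk() {
    mount_point="$1"
    max_pct="$2"
    used=$(df -P "$mount_point" | awk 'NR==2 { sub("%", "", $5); print $5 }')
    [ "$used" -le "$max_pct" ]
}

# Check that something is listening on the CEF collector port (25226 in the post).
# Uses ss if present, otherwise netstat; returns non-zero if neither is available.
port_listening() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ":${port} "
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep -q ":${port} "
    else
        return 2
    fi
}

# Stand-alone run: report on the constructed sample and on the root filesystem.
main() {
    echo "CEF messages in sample: $(count_cef "$SAMPLE_LOG")"
    echo "Vendors seen:"
    cef_vendors "$SAMPLE_LOG" | sed 's/^/  /'
    if check_disk / 90; then
        echo "Disk usage on / is at or below 90%"
    else
        echo "WARNING: disk usage on / is above 90%"
    fi
    if port_listening 25226; then
        echo "Port 25226 is listening"
    else
        echo "Port 25226 is not listening (or no ss/netstat available)"
    fi
}
main
```

Run it unchanged to see it on the sample; replace SAMPLE_LOG with /var/log/messages (or /var/log/syslog on Debian-based hosts) and wire check_disk into a cron job or monitoring check to catch the next disk-full condition before forwarding stops.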

2 Replies
Update: I reinstalled OMS again, rebooted the box and now it's working.
Hi @szkoszegi666
Could you by any chance share the actual commands used to reinstall the OMS?

BR.
Kenneth ML