CEF Log forwarding stopped after disk was full


Hi there,

 

So the disk got full on my log forwarder server and log forwarding stopped... I expanded the disk and now it has enough space.

 

However, I cannot see any new events in the CommonSecurityLog table since then. I went ahead and reinstalled the OMS agent, but it still doesn't work. There are no heartbeat events either, so I guess the problem will be with the OMS agent. The funny thing is that Syslog messages are arriving in Sentinel... When I run the troubleshooter, everything is fine except:

Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
Located 0 CEF\ASA messages

 

But if I run tac /var/log/messages |grep CEF I can see the CEF messages.

 

I ran netstat/tcpdump and messages are hitting port 25226.


 

Any help would be appreciated.

 

Thanks

 

 

1 Reply
Update: I reinstalled OMS again, rebooted the box and now it's working.