The SEC is "online", but there are no events in Security Cloud Control Event Logging Page

Symptom: The Secure Event Connector shows "Active" in Security Cloud Control Secure Connectors page but you do not see events in Security Cloud Control Event viewer.

Solution or workaround:

Procedure


Step 1

Login to the VM of the on-premise SDC and as the 'sdc' user. At the prompt, type sudo su - sdc.

Step 2

Perform these checks:

  • Check SEC connector log ( /usr/local/Security Cloud Control/data/<tenantDir>/event_streamer/logs/connector.log ) and ensure the SEC registration was successful. If not, refer issue "Secure Event Connector Registration failure".

  • Check SEC events log( /usr/local/Security Cloud Control/data/<tenantDir>/event_streamer/logs/events-plugin.log ) and ensure that the events are being processed. If not, contact Security Cloud Control support.

  • Log in to SEC docker container and execute the command "supervisorctl -c /opt/cssp/data/conf/supervisord.conf " and ensure the output is as shown below and all processes in RUNNING state. IIf not, contact Security Cloud Control support.

estreamer-connector RUNNING pid 36, uptime 5:25:17

estreamer-cron RUNNING pid 39, uptime 5:25:17

estreamer-plugin RUNNING pid 37, uptime 5:25:17

estreamer-rsyslog RUNNING pid 38, uptime 5:25:17

  • If you have setup SDC manually using a CentOS 7 VM of your own and have the firewall configured to block incoming requests, you could execute the following commands to unblock the UDP and TCP ports:

firewall-cmd --zone=public --add-port=<udp_port>/udp --permanent

firewall-cmd --zone=public --add-port=<tcp_port>/tcp --permanent

firewall-cmd --reload

  • Using Linux network tools of your choice, check if packets are being received on these ports. If not receiving, re-check the FTD logging configuration.

If none of the above repairs work, raise a support ticket with Security Cloud Control support..