FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Juancacst
Staff
Article Id 256782
Description

This article describes a Collector going into Critical status because its buffer exceeds 50MB.

The following upload failure messages are continuously generated in the collector’s /opt/phoenix/log/phoenix.log log file.

 

2023-05-05T15:25:55.163033-05:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phEventPackager,[fileName]=phEventPKGProcess.cpp,[lineNumber]=1013,[filePath]=/opt/phoenix/cache/parser/upload/svn/2.2.2.2-Change-instSw-1682826557.ini.scanned,[errorNoInt]=500,[destName]=worker2.siem.demo,[phLogDetail]=Failed to upload event file to worker

2023-05-05T16:26:56.120884-04:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phEventPackager,[fileName]=phEventPKGProcess.cpp,[lineNumber]=1013,[filePath]=/opt/phoenix/cache/parser/upload/svn/1.1.1.1 -Change-startup-1682804304.ini.scanned,[errorNoInt]=500,[destName]=worker1.siem.demo,[phLogDetail]=Failed to upload event file to worker

Scope

Supervisor and Workers.
Solution

1) Log in to the supervisor and all workers via SSH. Check if there are any error files (.err) in the following file path:

 

[root@Super ~]# ls -lah /opt/phoenix/cache/parser/upload/svn/*.err | wc -l

 

2) If the result from step 1 is greater than 0, delete the svn error files with the command below on the supervisor and all applicable workers:

 

[root@Super ~]# rm -rf /opt/phoenix/cache/parser/upload/svn/*.err

 

3) The upload failure messages should no longer appear on the collectors. After several minutes, the affected collectors will upload their SVN queue and go back to the Normal state:

 

[root@Super ~]# tail -f /opt/phoenix/log/phoenix.log
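
Added example, not part of the original article or Fortinet code: a small shell/awk helper that counts the upload failure events shown in the Description per destination worker and error code, which shows which workers to check for .err files and whether the failures have stopped after step 2. The function names and the last two sample log lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not Fortinet code): count PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE
# events in phoenix.log per destination worker and error code.

# Sample input: the first two lines are the ones quoted in the article,
# the last two are constructed for this demonstration.
sample_log() {
cat <<'EOF'
2023-05-05T15:25:55.163033-05:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phEventPackager,[fileName]=phEventPKGProcess.cpp,[lineNumber]=1013,[filePath]=/opt/phoenix/cache/parser/upload/svn/2.2.2.2-Change-instSw-1682826557.ini.scanned,[errorNoInt]=500,[destName]=worker2.siem.demo,[phLogDetail]=Failed to upload event file to worker
2023-05-05T16:26:56.120884-04:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phEventPackager,[fileName]=phEventPKGProcess.cpp,[lineNumber]=1013,[filePath]=/opt/phoenix/cache/parser/upload/svn/1.1.1.1 -Change-startup-1682804304.ini.scanned,[errorNoInt]=500,[destName]=worker1.siem.demo,[phLogDetail]=Failed to upload event file to worker
2023-05-05T16:27:56.000000-04:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phEventPackager,[filePath]=/opt/phoenix/cache/parser/upload/svn/constructed sample.ini.scanned,[errorNoInt]=500,[destName]=worker1.siem.demo,[phLogDetail]=Failed to upload event file to worker
2023-05-05T16:28:00.000000-04:00 SIEM-Collector exampleProc[1]: [CONSTRUCTED_OTHER_EVENT]:[destName]=ignored.siem.demo
EOF
}

# Prints "<count> <destName> <errorNoInt>", most frequent first.
# Reads the named file(s), or stdin when called without arguments.
summarize_upload_failures() {
    awk '
    # Return the value of [key]=... up to the next ",[" or end of line.
    # Plain string search is used because filePath values may contain spaces.
    function field(line, key,    tag, start, rest, stop) {
        tag = "[" key "]="
        start = index(line, tag)
        if (start == 0) return ""
        rest = substr(line, start + length(tag))
        stop = index(rest, ",[")
        return (stop > 0) ? substr(rest, 1, stop - 1) : rest
    }
    # Only the upload failure event is counted; other log lines are skipped.
    index($0, "[PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]") {
        dest = field($0, "destName")
        err  = field($0, "errorNoInt")
        if (dest != "") count[dest " " err]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2,2
}

# Demo on the sample above. On a collector, call instead:
#   summarize_upload_failures /opt/phoenix/log/phoenix.log
sample_log | summarize_upload_failures
```
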
