Description |
This article describes a Collector going into Critical status because its buffer exceeds 50MB. The following upload failure messages are continuously generated in the collector's /opt/phoenix/log/phoenix.log log file:
2023-05-05T15:25:55.163033-05:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phEventPackager,[fileName]=phEventPKGProcess.cpp,[lineNumber]=1013,[filePath]=/opt/phoenix/cache/parser/upload/svn/2.2.2.2-Change-instSw-1682826557.ini.scanned,[errorNoInt]=500,[destName]=worker2.siem.demo,[phLogDetail]=Failed to upload event file to worker
2023-05-05T16:26:56.120884-04:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[procName]=phEventPackager,[fileName]=phEventPKGProcess.cpp,[lineNumber]=1013,[filePath]=/opt/phoenix/cache/parser/upload/svn/1.1.1.1 -Change-startup-1682804304.ini.scanned,[errorNoInt]=500,[destName]=worker1.siem.demo,[phLogDetail]=Failed to upload event file to worker |
Scope | Supervisor and Workers. |
Solution |
1) Log in to the supervisor and all workers via SSH. Check if there are any error files (.err) in the following file path:
[root@Super ~]# ls -lah /opt/phoenix/cache/parser/upload/svn/*.err | wc -l
2) If the result from step 1 is greater than 0, delete the svn error files with the command below on the supervisor and all applicable workers:
[root@Super ~]# rm -rf /opt/phoenix/cache/parser/upload/svn/*.err
3) The upload failure messages should no longer appear on the collectors. After several minutes, the affected collectors will upload their SVN queue and go back to the Normal state:
[root@Super ~]# tail -f /opt/phoenix/log/phoenix.log |
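A read-only check to run alongside steps 1 and 3, added here as an example and not Fortinet's own code: it tallies upload failures per `destName` so you can see which workers the collector is failing against, and counts `.err` files without depending on `ls` output. The function names and the sample log lines are constructed for illustration; the field names and paths are the ones shown above.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Tally upload failures per destination worker and errorNoInt value.
# On a collector: upload_failures_by_dest /opt/phoenix/log/phoenix.log
# Output lines: "<count> <destName> <errorNoInt>"
upload_failures_by_dest() {
    grep -F '[PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]' "$1" |
    awk '{
        dest = "unknown"; err = "unknown"
        # "[destName]=" is 11 characters long, "[errorNoInt]=" is 13.
        if (match($0, /\[destName\]=[^,]*/))
            dest = substr($0, RSTART + 11, RLENGTH - 11)
        if (match($0, /\[errorNoInt\]=[^,]*/))
            err = substr($0, RSTART + 13, RLENGTH - 13)
        count[dest " " err]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Count .err files directly in a directory; prints 0 when none exist.
# On the supervisor or a worker:
#   count_err_files /opt/phoenix/cache/parser/upload/svn
count_err_files() {
    find "$1" -maxdepth 1 -type f -name '*.err' 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample input, shortened from the message format shown above.
write_sample_log() {
    cat > "$1" <<'EOF'
2023-05-05T15:25:55-05:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[errorNoInt]=500,[destName]=worker2.siem.demo,[phLogDetail]=Failed to upload event file to worker
2023-05-05T15:26:56-05:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[errorNoInt]=500,[destName]=worker1.siem.demo,[phLogDetail]=Failed to upload event file to worker
2023-05-05T15:27:01-05:00 SIEM-Collector phParser[2001]: [SAMPLE_UNRELATED_EVENT]:[eventSeverity]=PHL_INFO
2023-05-05T15:27:57-05:00 SIEM-Collector phEventPackager[3152]: [PH_EVT_PACKAGER_FILE_UPLOAD_FAILURE]:[eventSeverity]=PHL_WARNING,[errorNoInt]=500,[destName]=worker2.siem.demo,[phLogDetail]=Failed to upload event file to worker
EOF
}

# "sh thisfile --demo" runs both functions against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_log "$tmp/phoenix.log"
    touch "$tmp/sample-1.err" "$tmp/sample-2.err"
    upload_failures_by_dest "$tmp/phoenix.log"
    echo ".err files: $(count_err_files "$tmp")"
    rm -rf "$tmp"
fi
```

A failure count that keeps rising for a worker after step 2 means that worker's svn directory still needs to be checked.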