Created on 09-28-2016 02:40 AM Edited on 04-08-2022 11:13 AM By Anonymous
Description
This article describes how to troubleshoot communication issues between a Collector and a Supervisor.
On the Collector Health page, a Collector shows a status of "no connection", yet events are being sent to the Supervisor/Worker from that Collector. Additionally, the health of that Collector shows as "normal".
Solution
The following is a step-by-step guide for troubleshooting the issue described above.
1. Verify the SIEM is receiving events from the Collector.
1.1 Go to Analytics->Real-time Search.
1.2 Search on Reporting IP = <Collector's IP address>
1.3 Is it receiving events?
2. Verify the Collector can connect to the Supervisor on port 443.
2.1 From the command line of the Collector, run the following:
#telnet <ip address of super> 443
2.2 Is the Collector able to connect?
3. Check for evidence that the Collector is talking to the Supervisor on port 443.
3.1 From the command line of the Supervisor, run the following:
#cd /etc/httpd/logs
3.2 Run:
#tail -f ssl_access_log | grep <ip address of collector>
3.3 Are there any matching log entries?
i) If yes, check if the response code is 503, which means data is being sent to the Supervisor.
ii) If no, then the HTTPS packets are not even arriving at the Supervisor. Continue to Steps 4 and 5.
3.4 From the command line of the Collector, run the following command:
#curl -k -u 'super/admin/admin*1' 'https://<super ip address>/phoenix/rest/device/properties'
4. Check if time is synchronised on both the Collector and the Supervisor.
4.1 If not, configure ntpd on both and ensure they are syncing to a trusted time server.
5. Check the MTU of the interfaces on both the Collector and the Supervisor.
5.1 From the command line of the Supervisor and the Collector, run:
#ifconfig
5.2 Look for the MTU value of each device for the appropriate interface.
5.3 If they do not match, change them both to match the value 1500. (See screenshot below)
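The log check in Step 3 can be made repeatable with a short script. This is an added example, not part of the original article or any Fortinet tooling. It assumes ssl_access_log uses the Apache common log format (client IP in field 1, status code in field 9), and the sample lines are constructed with documentation-range addresses. It matches the Collector IP exactly, because a plain grep for 192.0.2.10 would also match 192.0.2.100.

```shell
#!/bin/sh
# Added example: summarise HTTP status codes logged for one Collector.
# Assumption: Apache common log format, %h %l %u %t "%r" %>s %b,
# so field 1 is the client IP and field 9 is the response status.

# collector_status_counts LOGFILE COLLECTOR_IP   (LOGFILE may be "-" for stdin)
# Prints one "<status> <count>" line per status code, sorted by status.
collector_status_counts() {
    awk -v ip="$2" '
        $1 == ip { n[$9]++ }                 # exact IP match, not a substring
        END { for (s in n) print s, n[s] }
    ' "$1" | sort -n
}

# collector_seen LOGFILE COLLECTOR_IP
# Returns 0 if at least one request from the Collector appears in the log.
collector_seen() {
    [ -n "$(collector_status_counts "$1" "$2")" ]
}

# Constructed sample log lines (not real traffic); the request path is the
# one used in Step 3.4.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [08/Apr/2022:11:13:01 +0000] "GET /phoenix/rest/device/properties HTTP/1.1" 200 512
192.0.2.10 - - [08/Apr/2022:11:13:05 +0000] "GET /phoenix/rest/device/properties HTTP/1.1" 503 299
192.0.2.100 - - [08/Apr/2022:11:13:06 +0000] "GET /phoenix/rest/device/properties HTTP/1.1" 200 512
192.0.2.11 - - [08/Apr/2022:11:13:07 +0000] "GET /phoenix/rest/device/properties HTTP/1.1" 401 381
192.0.2.10 - - [08/Apr/2022:11:13:09 +0000] "GET /phoenix/rest/device/properties HTTP/1.1" 503 299
EOF
}

# Usage: script.sh /etc/httpd/logs/ssl_access_log <collector ip>
# With no arguments, run against the constructed sample instead.
if [ "$#" -eq 2 ]; then
    collector_status_counts "$1" "$2"
else
    sample_log | collector_status_counts - 192.0.2.10
fi
```

No output for a Collector IP corresponds to the "no" branch of Step 3.3.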
Related Articles
Technical Note: [Accelops KB] How to verify communication between Collector and Super