Environment
Sentinel 6.0.xx Agent Manager
WMI Connector 6R3
Situation
The WMI collector does not receive any events from a Windows
machine if the timezone on the Collector Manager machine is
set to GMT+1 or GMT-1. When the status of the connector is viewed
from the Event Source Management live view, the status
does show running. No attempt at communication is made from
the Collector Manager machine to the monitored machine.
On starting the Event Source, the exception below is
logged to %ESEC_HOME%\log\collector_mgr0.0.log:
Mon Nov 26 14:10:35 CET 2007|Thread-89|INFO|WMIConnectorProcess: Firing status change event: Starting -> Running||||esecurity.base.process.MonitorableProcess|fireStatusChange|
Mon Nov 26 14:10:37 CET 2007|WMI StreamGobbler|SEVERE|java.lang.NullPointerException
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.isInServers(WMIConnector.java:641)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.shouldSubmitStatusMessage(WMIConnector.java:604)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.shouldSubmit(WMIConnector.java:492)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.submit(WMIConnector.java:438)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnectorProcess$StreamGobbler.run(WMIConnectorProcess.java:444)
||||esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnectorProcess$StreamGobbler|run|
Mon Nov 26 14:10:37 CET 2007|WMI StreamGobbler|SEVERE|java.lang.NullPointerException
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.isInServers(WMIConnector.java:641)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.shouldSubmitStatusMessage(WMIConnector.java:604)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.shouldSubmit(WMIConnector.java:492)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.submit(WMIConnector.java:438)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnectorProcess$StreamGobbler.run(WMIConnectorProcess.java:444)
||||esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnectorProcess$StreamGobbler|run|
Inspecting the servers.txt file in the
%ESEC_HOME%\data\collector_mgr.cache\CONNECTOR\
directory shows that the time stamp field is appended with a
2-digit timezone; this should be 3 digits.
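Because the connector still reports Running, this failure is easy to miss. The following Python script is an added example, not part of the original article or of Sentinel: it scans collector_mgr0.0.log text for the signature shown above. It assumes the record layout visible in the excerpt; the function names are hypothetical and one sample record is constructed.

```python
import re

# Record header layout inferred from the excerpt on this page:
#   <timestamp>|<thread>|<LEVEL>|<message...>
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \S+ \d{4})"
    r"\|(?P<thread>[^|]*)\|(?P<level>[A-Z]+)\|(?P<msg>.*)$"
)
FRAME = "WMIConnector.isInServers"  # stack frame shown in the excerpt
RUNNING = "Firing status change event: Starting -> Running"

# Sample input: records copied from the excerpt above (stack trace shortened),
# plus one constructed INFO record to show that unrelated lines are ignored.
SAMPLE_LOG = """\
Mon Nov 26 14:10:35 CET 2007|Thread-89|INFO|WMIConnectorProcess: Firing status change event: Starting -> Running||||esecurity.base.process.MonitorableProcess|fireStatusChange|
Mon Nov 26 14:10:36 CET 2007|Thread-12|INFO|constructed unrelated message||||example.Class|method|
Mon Nov 26 14:10:37 CET 2007|WMI StreamGobbler|SEVERE|java.lang.NullPointerException
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.isInServers(WMIConnector.java:641)
at esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnector.shouldSubmitStatusMessage(WMIConnector.java:604)
||||esecurity.ccs.comp.evtsrcmgt.connector.wmi.WMIConnectorProcess$StreamGobbler|run|
"""

def parse_records(text):
    """Group physical lines into records: a header line plus its continuation lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "extra": []})
        elif line and records:
            records[-1]["extra"].append(line)
    return records

def find_silent_wmi_failures(text):
    """Return (timestamp, thread) of each isInServers NPE logged after the
    connector reported 'Starting -> Running', i.e. 'running' but not collecting."""
    hits, running_seen = [], False
    for r in parse_records(text):
        if RUNNING in r["msg"]:
            running_seen = True
        elif (running_seen and r["level"] == "SEVERE"
              and "NullPointerException" in r["msg"]
              and any(FRAME in f for f in r["extra"])):
            hits.append((r["ts"], r["thread"]))
    return hits

if __name__ == "__main__":
    for ts, thread in find_silent_wmi_failures(SAMPLE_LOG):
        print(f"{ts} [{thread}] WMI connector reports Running but failed in isInServers")
```

The check only fires when the Running status change appears in the same text, so feed it the whole log rather than a tail that may have lost that record.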
Resolution
Two methods exist to connect to a Windows platform to receive
events from the event log subsystem: the WMI connector and the
Process connector. If the timezone of the Collector Manager
machine falls within the timezones specified above, the only way
to connect to an event log is currently via the Process Connector,
until such time as a new WMI connector is released.