Resolving upgrade issues from Legacy collectors to JavaScript collectors

  • 7002898
  • 02-Apr-2009
  • 26-Apr-2012

Environment

Sentinel 6.1
Audit Connector
McAfee ePolicy Orchestrator 6.1r1 collector and later
Novell Identity Manager 6.1r3 collector and later
Novell eDirectory 6.1r3 collector and later
Microsoft Active Directory 6.1r4 collector and later
Legacy Collector
JavaScript Collector

Situation

Upgraded from eDirectory Collector 6.1.r2 to eDirectory 6.1.r3 and no events are received from the collector.
Upgrading a collector to a new version that is JavaScript.
Upgrading a collector that uses the AUDIT connector.
Collector will not start after upgrading from a previously running instance of the collector.

Resolution

Issue 1:   After the upgrade of the collector, the Collector Manager must be restarted.  Restarting the Collector Manager stops the agentengine from the legacy collector and then loads the JavaScript needed to use the updated collector.  Even if the collector was stopped before upgrading it, the Collector Manager must be restarted.  See "To restart Collector Manager" below.
Issue 2:   After upgrading to the new collector, the connection mode has changed and all existing Event Sources for the upgraded collector will need to be re-configured to use the new connection method.  See "Fixing Connection Mode for Event Sources" below.
 
Issue 3:   After upgrading to the new updated JS Collector, the associated connector's default connection mode for new automatically generated event sources will need to be re-configured to use the new connection method.  See "Fixing Connection Mode for Connectors" below.  (Note:  This applies to existing connectors when the connector allows auto creation of event sources.)
 
To restart Collector Manager:

Preferred Method:
In Sentinel Control Center, select the Admin tab.  Then locate the Collector Manager that holds the Collector being updated.  Right click on the Collector Manager and select stop.  Once the Collector Manager has stopped, right click on the Collector Manager and select start.

Alternative method:
On Windows, in "Services", stop the Sentinel service, or from the command line use 'net stop sentinel', and verify it stops completely by using a tool like ProcessExplorer.  If needed, kill any remaining process.  Then in "Services" start the Sentinel service, or from the command line use 'net start sentinel'.
 
On Linux, as esecadm, run $ESEC_HOME/bin/sentinel.sh stop and verify that the Sentinel services have stopped by using the ps command (e.g. ps -eaf | grep esecadm or ps -eaf | grep sentinel).  If needed, kill any remaining processes.  Restart Sentinel as esecadm using $ESEC_HOME/bin/sentinel.sh start.
 
Collector should start correctly.
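
The Linux stop, verify, start sequence above as a script (an added example, not part of the original document). It assumes it is run as esecadm with ESEC_HOME set; the "sentinel" match text follows the grep shown above, while the SENTINEL_PATTERN variable, the 60-second wait and the sample process names used to exercise it are assumptions of this example.

```shell
#!/bin/sh
# Added example: scripted "stop, verify, start" for Sentinel on Linux.
# Assumptions: run as esecadm, ESEC_HOME set, Sentinel command lines contain
# the text "sentinel" (override with the hypothetical SENTINEL_PATTERN).

# Reads `ps -eo pid=,ppid=,user=,args=` output on stdin. Prints the PIDs of
# processes owned by user $1 whose command line contains $2 (case-insensitive),
# skipping this script's own PID ($3) and its direct children.
leftover_pids() {
    awk -v user="$1" -v pat="$2" -v self="$3" '
        $1 == self || $2 == self { next }
        $3 != user               { next }
        {
            args = ""
            for (i = 4; i <= NF; i++) args = args " " $i
            if (index(tolower(args), tolower(pat))) print $1
        }'
}

# Polls until nothing matching is left or $3 seconds pass.
# Returns 0 when clean; otherwise lists the survivors on stderr and returns 1.
wait_for_stop() {
    waited=0
    while :; do
        # Snapshot first so the awk filter itself never appears in the listing.
        snap=$(ps -eo pid=,ppid=,user=,args=)
        left=$(printf '%s\n' "$snap" | leftover_pids "$1" "$2" "$$")
        [ -z "$left" ] && return 0
        [ "$waited" -ge "$3" ] && break
        sleep 2
        waited=$((waited + 2))
    done
    echo "Still running after $3 seconds (PIDs):" $left >&2
    return 1
}

restart_sentinel() {
    : "${ESEC_HOME:?ESEC_HOME must be set}"
    "$ESEC_HOME/bin/sentinel.sh" stop
    # Do not start on top of leftovers; the admin decides whether to kill them.
    wait_for_stop "$(id -un)" "${SENTINEL_PATTERN:-sentinel}" 60 || return 1
    "$ESEC_HOME/bin/sentinel.sh" start
}

# Nothing runs unless explicitly requested: sh restart_sentinel.sh --run
if [ "${1:-}" = "--run" ]; then restart_sentinel; fi
```

A non-zero exit means the start was skipped because processes were still present; review the listed PIDs before killing anything.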

Fixing Connection Mode for Event Sources:
 
However, events may still not be sent via the new collector.  This is because the connection mode may have changed.  Most likely, the event source connection mode needs to be changed to the new default connection mode.  For example:  The new connection method for AUDIT connector is "Audit:Output Map".  To correct this problem, use the following example with the eDirectory collector (note: steps may apply to other collectors as well):
 
In ESM, right click on the event source representing each eDirectory server and select "Edit".
Select the Connection Mode (Advanced) tab.
Select the dropdown for Connection Mode and select "Audit:Output Map".  (Previous value may have been "Audit", but it is now listed as Custom and the info is blank.)
Restart the event source.
 
This process will need to be repeated for each event source. 
 
Alternatively, if the Audit Connector is not filtering event sources and is set up to "allow and start", you can delete each event source and have the Audit Connector automatically create the event source the next time the eDirectory server sends the Audit Connector an event.  (Note: See Issue 3 above if using this option.)
 
(Note: If you delete the event source, this will remove the UUID for that event source and the new event source will have a new UUID.  If you have configured Active Views, Correlation Rules, Crystal Reports, etc. to use the UUID, you will have to update each with the new UUID created.)
 
Fixing Connection Mode for Connectors:
 
After the upgrade, new auto-created event sources will continue to use the old connection method.  You can delete the Connector and recreate it, noting the issues with UUID, or modify the Connector to use the new connection method.  For example:  The new connection method for AUDIT connector is "Audit:Output Map".  To correct this problem, use the following example with the eDirectory collector (note: steps may apply to other collectors as well):
 
In ESM, right click on the Audit Connector listed under each eDirectory Collector and select "Edit".
On the Auto Configuration tab, select Set Event Source Configuration.
Select the dropdown for Connection Mode and select "Audit:Output Map".  (Previous value may have been "Audit", but it is now listed as Custom and is blank.)
Restart the Connector.
 
This process will need to be repeated for each Connector.