Environment
Sentinel - Nsure Audit 1.0.3 Patch 2 and newer
Platform Agent 2.0.x
Situation
The Platform Agent (PA) reports error messages in the nproduct.log repeatedly:
--------------------------------------------------------------------------------------------------------------------------------
Wed Feb 14 10:56:11 2018 [Novell Audit Platform Agent]: Attempting to re-establish connection to secure log server for application eDir Inst.
Wed Feb 14 10:56:44 2018 [Novell Audit Platform Agent]: The log server has an older version of lengine.
The server should be upgraded for full functionality.
Wed Feb 14 10:56:44 2018 [Novell Audit Platform Agent]: Server Protocol is: 1
Wed Feb 14 10:56:44 2018 [Novell Audit Platform Agent]: ForceServerVersionNumber has not been enabled in the logevent config file.
When working with log servers from previous versions of audit,
ForceServerVersionNumber must be enabled in the logevent config file.
Wed Feb 14 10:56:44 2018 [Novell Audit Platform Agent]: Authentication Failure
--------------------------------------------------------------------------------------------------------------------------------
Resolution
The Sentinel CM server (Audit Connector) rejected the PA's connection
because the Audit Connector was already loaded with a large volume of
events. The Audit Connector has an upper limit for caching events locally.
When the caching limit is reached, the Audit Connector rejects the PA's
connections until the already cached events are processed.
The Platform Agent transitioned down to its lowest communication level in order to process the data in the lcache file, and it logged these messages in nproduct.log until the Audit Connector stopped rejecting the PA's connection.
Cause
A network outage occurred, causing a disconnect between the eDirectory Platform Agent (PA) and the Sentinel CM server. Lcache correctly cached audit events because the Sentinel CM server was not reachable. The outage lasted long enough for lcache to grow to the point that, when the network connection was re-established, the events sent to the Sentinel CM server (Audit Connector) exceeded the upper limit of the Audit Connector.
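To measure how long the Audit Connector kept rejecting the Platform Agent, the reconnect cycles in nproduct.log can be counted. The following is an added example, not vendor code: the function names, the min_cycles threshold and the sample log are assumptions, and the entry format is taken from the excerpt in the Situation section.

```python
import re
from datetime import datetime

# Entry header as shown in the excerpt: "Wed Feb 14 10:56:11 2018 [Novell Audit Platform Agent]: "
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[Novell Audit Platform Agent\]: ")

def parse_entries(text):
    """Split raw log text into (datetime, message) pairs, even when entries
    run together on one line or a message wraps across several lines."""
    marks = list(ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        entries.append((ts, " ".join(text[m.end():end].split())))
    return entries

def rejected_reconnects(entries):
    """Pair each reconnect attempt with the Authentication Failure that ended it."""
    cycles, attempt = [], None
    for ts, msg in entries:
        if msg.startswith("Attempting to re-establish connection"):
            attempt = ts
        elif msg.startswith("Authentication Failure") and attempt is not None:
            cycles.append((attempt, ts))
            attempt = None
    return cycles

def rejection_window(entries, min_cycles=3):
    """Return (first_attempt, last_failure, count) once at least min_cycles
    reconnects were rejected, else None. min_cycles is an assumed threshold."""
    cycles = rejected_reconnects(entries)
    if len(cycles) < min_cycles:
        return None
    return cycles[0][0], cycles[-1][1], len(cycles)

# Constructed sample: three rejected reconnects, one entry fused as in the excerpt.
_CYCLE = (
    "{d} 10:{m}:11 2018 [Novell Audit Platform Agent]: Attempting to re-establish "
    "connection to secure log server for application eDir Inst.\n"
    "{d} 10:{m}:44 2018 [Novell Audit Platform Agent]: Server Protocol is: 1"
    "{d} 10:{m}:44 2018 [Novell Audit Platform Agent]: Authentication Failure\n")
SAMPLE = "".join(_CYCLE.format(d="Wed Feb 14", m=m) for m in ("56", "57", "58"))

if __name__ == "__main__":
    print(rejection_window(parse_entries(SAMPLE)))
```

A returned window marks the interval during which audit events were held in lcache rather than delivered to the Sentinel CM server.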