Exabeam Site Collector Guide

Troubleshoot for Exabeam Site Collector

Below are troubleshooting steps for common scenarios found in the Exabeam Site Collector.

To run the commands given in this chapter, you must be able to log into the site collector host and start a terminal session. Start a screen session first so that your work survives a dropped connection:

screen -LS [yourname]_[todaysdate]

If none of the scenarios apply to your issue, capture diagnostics data (see the end of this chapter) and contact Exabeam Customer Success for further assistance.

After an installation or update, or during a loss of data throughput, if the site collector does not appear in the Exabeam SaaS Status page or in the Exabeam Data Lake Collectors list (navigate to Settings > Collector Management > Collectors), run the verification below on the site collector host to confirm that the required services are running and that data is flowing.

Run the following command to check all Exabeam Site Collector services:

sudo /opt/exabeam/tools/sc-services-check.sh

Here is an excerpt from the response of a working site collector where Datadog and OpenVPN are not deployed:

Check all Site Collector services

Check Zookeeper service...
● zookeeper.service
Loaded: loaded (/etc/systemd/system/zookeeper.service; enabled; vendor preset: disabled)
Active: active (running) since ...
Main PID: 5887 (java)
CGroup: /system.slice/zookeeper.service
└─5887 java -Xmx512M -Xms512M -server -XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:+ExplicitGCInvokesConcurrent -Djava.awt.headless=true -Xloggc:/opt/kafka/bin/../logs/zookeeper-gc.log -verb...
Mar 09 18:28:17 centos7 zookeeper-server-start.sh[5887]: [2021-03-09 18:28:17,472] INFO Processed session termination for sessionid: 0x178183f22620001 (org.apache.zookeeper.server.PrepRequestProcessor)...

Check Kafka service...
● kafka.service
Loaded: loaded (/etc/systemd/system/kafka.service; enabled; vendor preset: disabled)
Active: active (running) since ...
Main PID: 6028 (java)
CGroup: /system.slice/kafka.service
└─6028 java -Xmx4G -Xms4G -server -XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:+ExplicitGCInvokesConcurrent -Djava.awt.headless=true -Xloggc:/opt/kafka/bin/../logs/kafkaServer-gc.log -verbos...
Mar 09 18:28:39 centos7 sh[6028]: [2021-03-09 18:28:39,206] INFO [Partition lms.kafka.topic-2 broker=1] lms.kafka.topic-2 starts at Leader Epoch 0 from offset 0. Previous Leader Epoch was: -1 (kafka.cluster.Partition)...

Check Logstash service...
● logstash.service
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
Active: active (running) since …
Main PID: 7244 (java)
CGroup: /system.slice/logstash.service
└─7244 /bin/java -Xms4g -Xmx4g -cp /opt/logstash/logstash-core/lib/jars/commons-compiler-3.0.8.jar:/opt/logstash/logstash-core/lib/jars/google-java-format-1.1.jar:/opt/logstash/logstash-core/lib/jars/guava-19.0.jar:/opt/logs...
Mar 09 18:28:58 centos7 sh[7244]: transactional.id = null
Mar 09 18:28:58 centos7 sh[7244]: value.serializer = class org.apache.kafka.common.serialization.StringSerializer...

DataDog is not installed...
OpenVPN is not installed...

Check SC Forwarder service...
● exabeam-rsc-forwarder.service - exabeam-rsc-forwarder
Loaded: loaded (/etc/systemd/system/exab

Review the output from your site collector to see whether any required service has failed to load, and confirm that the parameters shown for each service are correct. If any service failed to load, run diagnostics and send the output to Exabeam for further assistance. If no service failed to load, determine whether network issues are impeding data throughput.
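When several services are checked in one run, the failed unit is easy to miss in the long output above. The following script is an added example (not part of the Exabeam tooling): it reads the text printed by sc-services-check.sh on stdin and prints one line per unit with its state, so that anything other than "active (running)" stands out. The sample output embedded in the script is constructed to imitate the excerpt above, with Kafka deliberately shown as failed.

```shell
#!/bin/sh
# Added example, not Exabeam's own script. Summarise sc-services-check.sh
# output into "<unit><TAB><state>" lines. Real usage:
#   sudo /opt/exabeam/tools/sc-services-check.sh | sh ./sc-summary.sh

service_states() {
  awk '
    # "● kafka.service" or "● exabeam-rsc-forwarder.service - exabeam-rsc-forwarder":
    # first field is the bullet, second is the unit name (CGroup lines are
    # excluded because their first field ends with ":" and the path has "/").
    /^[^ :]+ [^ \/]+\.service( |$)/ { unit = $2 }
    # "Active: active (running) since ..." -> keep only the state words.
    /^[ \t]*Active:/ && unit != "" {
      line = $0
      sub(/^[ \t]*Active:[ \t]*/, "", line)
      sub(/ since .*/, "", line)
      print unit "\t" line
      unit = ""
    }
    # Optional components reported by the check script itself.
    /^[A-Za-z]+ is not installed/ { print $1 "\tnot installed" }
  '
}

# Print units that are neither running nor absent; exit 1 if any exist.
failing_services() {
  service_states | awk -F'\t' '
    $2 != "active (running)" && $2 != "not installed" { print $1; n++ }
    END { exit n ? 1 : 0 }'
}

# Constructed sample imitating the page excerpt (kafka.service set to failed).
SAMPLE_OUTPUT='Check Zookeeper service...
● zookeeper.service
   Loaded: loaded (/etc/systemd/system/zookeeper.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-03-09 18:28:17 UTC; 2h ago
   CGroup: /system.slice/zookeeper.service
           └─5887 java -Xmx512M -Xms512M -server ...

Check Kafka service...
● kafka.service
   Loaded: loaded (/etc/systemd/system/kafka.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-03-09 18:30:02 UTC; 1h ago

DataDog is not installed...
OpenVPN is not installed...

Check SC Forwarder service...
● exabeam-rsc-forwarder.service - exabeam-rsc-forwarder
   Active: active (running) since Tue 2021-03-09 18:29:00 UTC; 2h ago'

printf '%s\n' "$SAMPLE_OUTPUT" | service_states
```

With the real check script piped in, `failing_services` prints only the units to investigate and returns a non-zero status, which makes it usable from a cron job or monitoring probe.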

If you are using OpenVPN, check the OpenVPN client logs for error messages, then check whether the OpenVPN client is running on the site collector server.

# check status of openvpn client
sudo systemctl status openvpn@<instanceID>

# check logs of openvpn client
sudo journalctl -fu openvpn@<instanceID>

Resolve the issues cited in the error messages. Logs should start appearing without an OpenVPN service restart.

If you have confirmed that the network is allowing traffic yet no logs are being sent or received at the configured destinations, run diagnostics and send the output to Exabeam for further assistance.

Firewall rules may not be applied properly in your environment (for example, on a host where SELinux is enforcing). Run the following commands to add a permanent port-forward rule for LDAP and reload the firewall:

firewall-cmd --zone=public --add-forward-port=port=389:proto=tcp:toport=389:toaddr=$<dns_server> --permanent
firewall-cmd --reload

Generate the LDAP context again; the data should become available without restarting any additional services.

If the above commands still fail to resolve the issue, run the following alternative (without the explicit zone):

firewall-cmd --add-forward-port=port=389:proto=tcp:toport=389:toaddr=$<dns_server> --permanent
firewall-cmd --reload

Note

Port 389, used in this example, is the standard LDAP port. It may be different for your organization; confirm it against your organization's network configuration.

The Exabeam Customer Success team may require additional data to assist further with troubleshooting. Exabeam provides a script that captures diagnostic information about your site collector. Run the command that matches your situation:

  • To collect data just after a site collector installation:

    sudo /tmp/Exabeam_Site_Collector/bin/support-package.sh

  • To collect data from a running site collector:

    • For site collector versions before 2.1.11:

      sudo /opt/exabeam/bin/support-package.sh

    • For site collector version 2.1.11 and later:

      sudo /opt/exabeam/tools/support-package.sh