Collector Troubleshooting Logs?

pherrera · March 4, 2022, 9:42pm

Hello,

I have a data source that went offline but nothing seems to have changed with it. It is a Windows DHCP watch file but I’m getting zero EPM since last night.

Is there a place that I can view logs to see why it’s not receiving data?

Thanks,

Paul

david_smith · March 4, 2022, 10:40pm

Hi @pherrera , we have some know issues with our directory watcher event source, the session limit can be reached and cause the event source to fall into this state.

First thing to check is that the DHCP logs are still being actively written to the directory in question.

If they are, you could try stop and start the event source, give it a couple of minutes to ingest new logs.

You should monitor the view raw log window (close and reopen if necessary) of the event source to see if any new events arrive.

If that doesn’t work, reboot the collector server.

Lastly, we are currently testing a new version of the directory watcher event source to overcome the known issue I mentioned earlier, with the hopes of releasing it pending the outcome of the tests. In the next couple of months.

David

matt_robinson · March 7, 2022, 9:18pm

Hey @pherrera,

We have seen similar problems.

When we have the problem, we generally see “ERROR file-tailer” events in the Rapid7 Collector logs.
We have found that restarting the event source doesn’t fix it, but just restarting the Rapid7 Collector Service on the Rapid7 Collector seems to address the problem.
I have put a feature request in to be able to restart the Rapid7 Collector Service from the IDR portal since I don’t have a login to the server to be able to restart it or the service.

Matt

pherrera · March 8, 2022, 7:50pm

Thanks David. It seems rebooting the collector resolved it for me.

pherrera · March 8, 2022, 7:51pm

Thanks Matt. Restarting the collector seems to have resolved it for me. Do you know where the collector logs are located? I’d like to see this to troubleshoot issues as well.

matt_robinson · March 8, 2022, 8:14pm

“Rapid7 Collector” log, under the “Raw Log” log set.

david_smith · March 8, 2022, 8:35pm

This applies if you have created a custom log event source to tail the collectors own log (which is highly recommended for troubleshooting purposes)

@pherrera the files location locally is

C:\Program Files\Rapid7\Collector\logs\collector.log

or

/opt/rapid7/collector/logs/collector.log

David