Palo Alto application data missing from Netflow
We havebeen able to get Netflow data working for a Palo Alto PA-820 firewall, but we are not seeing the application data show up. Does anyone have any suggestions on next steps we could take? Here is what has been done so far: Netflow profile has been configured on the Palo Alto side and assigned to the interface, including selecting the PAN-OS Field Types to get the App-ID and User-ID (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/netflow-monitoring/configure-netflow-exports) nbarhas been enabled on the collector: # enable netflow support for NBAR, IPV6 and Multicast fields netflow.nbar.enabled=true # enable netflow support for IPV6 fields netflow.ipv6.enabled=true Collector version is 34.003 We’re seeing everything we expect except the app & systemsdata on the Traffic tab for the device: Any thoughts on what we might be missing? Thank you. :-)88Views6likes1CommentExcessive snmp requests with a community string I am not using
I have some switches that are getting hammered by a few of my collectors and I can't figure out why. The logs on them are full of this message: snmp: ST1-CMDR: Security access violation from <Collector IP> for the community name or user name : public (813 times in 60 seconds) I don't have "public" set for this set of switches anywhere and it is coming from my collectors. I don't have any netscans for the subnet they are on. In my portal everything looks normal for these switches. I'm not sure what else to be looking at to figure this out, anyone have any thoughts? Thank you!81Views3likes7CommentsAny way to change which portal a collector is associated with?
Hi, Our company was acquired by a different company, and we both use LM. Is there any way to take a collector that's point to company1.logicmonitor.com and change it to point to company2.logicmonitor.com so all the servers get populated in the new portal? I know I can just create a new company2 collector for the company1 servers, but then I have to rediscover everything and add in all the servers again. I thought if there was an easy way to just change the existing collector to point to the new portal, it would just pop everything in nice and easy. Thanks.50Views2likes2CommentsBug early release Collector Update V34.500
I have updated some of our collectors to the early release V34.500. After the update, there were various alerts from the DataSource Citrix_XenApp_DatastoreStatus, which could no longer read any data. After a short error analysis and further tests with other collectors, I replaced the here-string in the PowerShell script with a normal string input: OOTB: # Get XenApp specific creds $XenAppUser = @' ##XENAPP.USER## '@ $XenAppPass = @' ##XENAPP.PASS## '@ After customization: # Get XenApp specific creds $XenAppUser = '##XENAPP.USER##' $XenAppPass = '##XENAPP.PASS##' The query then worked perfectly again. Has anyone else experienced this phenomenon in their environment?Solved131Views21likes5CommentsFinding the culprit for TCP_StatsCollector ConnectionsEstablished alert for Windows collectors
From the collector’s device page in the LM Portal or the collectors page, get to a debug console, then here’s your !POSH one-liner to get info about the destination device that is holding your ports captive. netstat -an| sls establish | foreach { ($_ -split "\s+")[3] } | group | sort count | select count, name -last 10 In the Netstat, a shows all, n shows IP addresses rather than solving the DNS for it. TheSelect-String (aliased as sls)passes only the “Established” connection entries from the netstat down the pipeline. The foreach{} splits each line ($_ is the current object being iterated by the foreach loop) on contiguous whitespace (I use this a lot!) and takes the third element (remote address:port) to passdown the pipeline It then passes Group-Object (aliased as group) which bundles identical strings and Sort-Object (aliased as sort)by the count property of the group object. The select displays grabs the calculated match count and the name properties to limit display and just shows the -last 10 of them (which are the biggest number of matched lines due to the sort previously applied. This should give you the target/s for troubleshooting further.74Views11likes5CommentsHost Status errors corrected by logging into Collector server.
Every night we receive “Host Status” messages on several servers on one collector. You cannot “!ping” to those servers from the Collector’s debug console. However, you can ping those servers that Logic Monitor reports as down. If I log into the collector, the Host Staus messages clear (only login, do not open anything). This is what is baffling us. Has anyone seen anything like this? Thank you very much for your help.119Views10likes1CommentUsing a Dedicated Collector for each Windows Domain Controller?
We ran into trouble monitoring our Windows Domain Controllers because we want to use least privilegeand we were only receiving ping and Host Status data. It showed “No data” for CPU, disks, etc. We used the information in the link “https://www.logicmonitor.com/support/monitoring/os-virtualization/monitoring-a-domain-controller-dc” and installed the collector on a DC using the local system account and set it to monitor itself. I am now receiving CPU, disk, etc. from that domain controller. It appears the only catch is that I cannot monitor other systemswith that collector but that is OK for our situation. Are there others out there that are monitoring DCs using this method and if so, have you run into any trouble (performance, etc.)? If you are not using this method, how are you monitoring your DCs in Logic Monitor. THANK YOU very much for your assistance/opinions/guidance.Solved284Views14likes3CommentsLM Linux collector deployment failed to start Logicmonitor watchdog service
Success to set net capabilities on file `/usr/local/logicmonitor/agent/jre/bin/j ava` Detecting proxy, please wait ... Registering collector to bp.logicmonitor.com, please wait ... Init program is systemd ... Redirecting to /bin/systemctl restart logicmonitor-watchdog.service Job for logicmonitor-watchdog.service failed because the control process exited with error code. See "systemctl status logicmonitor-watchdog.service" and "journalctl -xe" for de tails. Congratulations! LogicMonitor Collector has been installed successfully! Extracting bundled JRE files ... Success to set net capabilities on file `/usr/local/logicmonitor/agent/lib/sblin uxproxy` Success to set net capabilities on file `/usr/local/logicmonitor/agent/jre/bin/j ava` Detecting proxy, please wait ... Registering collector to bp.logicmonitor.com, please wait ... Init program is systemd ... Redirecting to /bin/systemctl restart logicmonitor-watchdog.service Job for logicmonitor-watchdog.service failed because the control process exited with error code. See "systemctl status logicmonitor-watchdog.service" and "journalctl -xe" for de tails. Congratulations! LogicMonitor Collector has been installed successfully! [root@WS01UJEU1000009 ~]# systemctl status logicmonitor-watchdog.service ● logicmonitor-watchdog.service - LogicMonitor Watchdog Loaded: loaded (/etc/systemd/user/logicmonitor-watchdog.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Sun 2023-03-05 13:56:20 UTC; 1min 21s ago Process: 344458 ExecStopPost=/usr/local/logicmonitor/agent/bin/logicmonitor-watchdog stop true (code=exited, status=203/EXEC) Process: 344456 ExecStart=/usr/local/logicmonitor/agent/bin/logicmonitor-watchdog start true (code=exited, status=203/EXEC) Mar 05 13:56:20 WS01UJEU1000009 systemd[1]: Starting LogicMonitor Watchdog... Mar 05 13:56:20 WS01UJEU1000009 systemd[1]: logicmonitor-watchdog.service: Control process exited, code=exited status=203 Mar 05 13:56:20 WS01UJEU1000009 systemd[1]: logicmonitor-watchdog.service: Control process exited, code=exited status=203 Mar 05 13:56:20 WS01UJEU1000009 systemd[1]: logicmonitor-watchdog.service: Failed with result 'exit-code'. Mar 05 13:56:20 WS01UJEU1000009 systemd[1]: Failed to start LogicMonitor Watchdog.Solved297Views12likes2CommentsWhat should I do for SPSE is busy causing powershell request rejected?
Hi Guru, lately there is some instance triggering “NoData” Alert. All the alert from same server, andI found this error message from the Wrapper log, [SPSEEngine.execute:201] Execution PowerShell script exception, CONTEXT=script=datacollecting-IPAddress-DataSource-__ResourceName_FileName.stdout.ps1, errmsg= SPSE is busy, powershell request was rejected. After I restart the logic monitor service in collector server, it usually back to normal but will reoccurred after 1-2hours. Do I need to increase the timeout config or any other fix recommendation?Solved64Views7likes1Comment