Hello,
Background
We are just rolling out LEM (6.2) and have hit a speed bump while configuring our Linux infrastructure for LEM. After installing the linux agent on a RHEL 7 box (first one we've tried, and our current standard), I configured the connectors for that node via the LEM console. I was also mindful to reference appropriate log locations. Most are set to use alerts and nDepth. At least one is just set to alerts.
However, unlike our syslog hosts and Windows agents, I have yet to see ANY log data with the exception of the agent restart process. On my firewall, I can verify that the connection from host to LEM (port 37892) is torn down when I stop the agent and rebuilt when I restart it. I tested with both security events and installing a package via Yum.
Please see the node configuration in this screenshot...
Note only Agent start and Agent stop events are passed. Running user is root.
Digging Deeper
lsof shows that the java process 24734 has /var/log/yum.log open:
java 24734 24862 root 154r REG 253,0 101 134296534 /var/log/yum.log
Using ps, verified that pid 24734 is indeed the agent:
root 24734 1.8 4.0 1740876 158000 pts/0 Sl 16:26 0:08 /usr/local/contego/ContegoSPOP/../ContegoSPOP/jre1.7.0_80/bin/java -Djava.library.path=6.2.0\\lib -Dlogback.configurationFile=jar:file:6.2.0/jars/lem_agent.jar!/logback-agent.xml com.zerog.lax.LAX /usr/local/contego/ContegoSPOP/SWLEMAgent.lax /tmp/env.properties.24734 "-lf" "/usr/local/contego/ContegoSPOP/agent.log"
This host is not running SELinux, which is configured to be "disabled" and has been verified with getenforce.
On my firewall (ASA running 9.4.x), I've allowed TCP/37890 (Install) and TCP/37892 (Secure connection). With my log level set to Debug, I do not see any errors/blocked connections.
Testing
As mentioned above, I tested with both security events and installing a package via Yum. I've also configured a filter that shows me any resources from both the IP address and the hostname of the node. The results are the same.
I'd appreciate any guidance that could be offered. I'm sure I missed something simple, but it's not at all obvious to me... Thanks in advance...
Brett
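The post above collects its evidence by hand (ps for the agent PID, lsof for the files it holds open, the firewall for the TCP/37892 session, getenforce for SELinux). The script below is an added example, not part of the original post and not SolarWinds code: it packages those same checks as shell functions that parse the command output, and adds one check the post does not make, namely whether the log file the agent holds open is still the file at that path (after logrotate the agent can keep reading a stale inode while new events land in a fresh file). It assumes, from the post, that the agent is the java process launched from ContegoSPOP and that the manager listens on TCP/37892; the sample ps, lsof and ss output embedded below is constructed for offline use, not captured from a real host.

```shell
#!/bin/sh
# Added example: LEM Linux agent evidence checklist. Not from the post or SolarWinds.
# Assumptions (taken from the post): agent = java process from ContegoSPOP,
# manager port = TCP/37892. Override the port with MANAGER_PORT=... if yours differs.

MANAGER_PORT="${MANAGER_PORT:-37892}"

# PID of the agent from `ps aux`-style output on stdin.
# The !/awk/ guard keeps this awk process itself from matching its own patterns.
agent_pid() {
    awk '/java/ && /ContegoSPOP/ && !/awk/ {print $2; exit}'
}

# Files under /var/log held open by PID $1, from `lsof -p $1` output on stdin.
# Uses $2 (PID) and $NF (NAME) so it works with or without the TID column.
agent_open_logs() {
    awk -v pid="$1" '$2 == pid && $NF ~ "^/var/log/" {print $NF}'
}

# Peer addresses of established sessions to port $1, from `ss -tnp` output on stdin.
# ss columns: State Recv-Q Send-Q Local:Port Peer:Port Users
manager_connections() {
    awk -v port="$1" '$1 == "ESTAB" && $5 ~ (":" port "$") {print $5}'
}

# Compare the inode the agent holds for path $1 (lsof NODE column, second-to-last
# field, from stdin) with the inode currently at that path. Prints "current" or
# "stale"; "stale" means the file was rotated or replaced after the agent opened it.
log_inode_state() {
    path="$1"
    held=$(awk -v p="$path" '$NF == p {print $(NF-1); exit}')
    now=$(ls -i "$path" | awk '{print $1}')
    if [ -n "$held" ] && [ "$held" = "$now" ]; then echo current; else echo stale; fi
}

# Run the checks against the live host (requires ps, lsof, ss, getenforce).
live_report() {
    pid=$(ps aux | agent_pid)
    [ -n "$pid" ] || { echo "agent java process not found"; return 1; }
    echo "agent pid: $pid"
    echo "SELinux: $(getenforce 2>/dev/null || echo 'getenforce not available')"
    echo "sessions to manager port $MANAGER_PORT:"
    ss -tnp | manager_connections "$MANAGER_PORT"
    echo "log files held open, and whether each is still the file at that path:"
    for f in $(lsof -p "$pid" | agent_open_logs "$pid"); do
        echo "  $f: $(lsof -p "$pid" | log_inode_state "$f")"
    done
}

# Constructed sample output so the parsers can be exercised offline (not real data).
SAMPLE_PS='root 24734 1.8 4.0 1740876 158000 pts/0 Sl 16:26 0:08 /usr/local/contego/ContegoSPOP/jre1.7.0_80/bin/java com.zerog.lax.LAX /usr/local/contego/ContegoSPOP/SWLEMAgent.lax
root 1 0.0 0.1 193628 6800 ? Ss 16:00 0:01 /usr/lib/systemd/systemd'
SAMPLE_LSOF='java 24734 24862 root 154r REG 253,0 101 134296534 /var/log/yum.log
java 24734 24862 root 155r REG 253,0 20480 134296601 /var/log/secure
java 24734 24862 root 160u IPv4 98765 0t0 TCP 10.1.2.3:51234->10.1.2.10:37892 (ESTABLISHED)'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.1.2.3:51234 10.1.2.10:37892 users:(("java",pid=24734,fd=160))
ESTAB 0 0 10.1.2.3:22 10.1.2.50:50110 users:(("sshd",pid=1200,fd=3))'

demo() {
    pid=$(printf '%s\n' "$SAMPLE_PS" | agent_pid)
    echo "agent pid: $pid"
    echo "open log files:"
    printf '%s\n' "$SAMPLE_LSOF" | agent_open_logs "$pid"
    echo "sessions to manager port $MANAGER_PORT:"
    printf '%s\n' "$SAMPLE_SS" | manager_connections "$MANAGER_PORT"
}

demo
```

On the host, source the script and call `live_report` as root. If the sessions list is empty while the firewall shows the connection, the agent is talking from a different process or port than assumed; if a file reports "stale", the agent is reading an inode that no longer receives writes and needs a restart (or the connector needs re-pointing) after rotation.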
