This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
mrbeanus
Beginner
Beginner
‎2012-07-06 07:51 AM

NIC-3-604103: FileReader, FileReader, -, -, -, -, Detail: 4544: Unable to write to shared memory

Hello Does anyone has similar messages with FileReader issue like Errors in Active Pulling of Events Detected %NIC-3-604103: FileReader, FileReader, -, -, -, -, Detail: 4544: Unable to write to shared memory Our enVISION 4.1 patch5. And after pach 4 or 5 we get %NIC-6-604115: FileReader, FileReader, -, -, -, -, Detail: 4544: Failed to get file list for E:\NIC\4100\SCBSEC-ES\FTP_FILES\{event_source}\* This error is absent in Patch3.
0 Likes
Reply
8 Replies
GuyWilliams
Employee
Employee
‎2012-07-11 11:38 AM

Hi lperlak,

 

The 604103 messages are fairly normal.  It means that the shared memory queue was full when the File Reader went to write events to it.  The non-syslog collection servers all sent their events to this queue.  The Collector service is responsible for pulling events off of the queue and processing them.  The rate at which the events are pulled depends on the licensed EPS.  You can check the System Performance page to see the rates.  Non-syslog are limited to 70% of the licensed EPS to leave room for syslog.  You could also get these message if the Collector Service is down and thus not pulling events off the queue.

 

The 604115: Failed to get file list for <directory> should not be happening.  I'm assuming {event_source} is not literal and is really an event source name and IP.  Does the directory exist?  Does it have permissions to allow NIC_System to read/list/write/delete?

 

Regards,

Guy

 

0 Likes
Reply
mrbeanus
Beginner
Beginner
In response to GuyWilliams
‎2012-07-12 02:36 AM

First, thank you for you answer.

 

If this is normal behavior when EPS is almost 70% of Licenses, Can I be sure that no one event are droped, lossed or smth like that?

 

 

And second The 604115: Failed to get file list for . I  checked permissions and nic_system is a member of Administrators group, and this group have FULL access on ftp_files. Message 'Failed to get ' occurs on all folders in ftp_files. Logs are collecting into enVISION as well. Folder exist, log exist, are collected into enVISION but always there is a message Failed to get file list for....

 

Problem is only when directory is empty.

%NIC-6-604115: FileReader, FileReader, -, -, -, -, Detail: 4544: Scanning directory E:\NIC\4100\SCBSEC-ES\FTP_FILES\JBOSS_1.1.8.5\*

 

%NIC-6-604115: FileReader, FileReader, -, -, -, -, Detail: 4544: Found 1 files in E:\NIC\4100\SCBSEC-ES\FTP_FILES\JBOSS_1.1.8.5\* (0.000 seconds)

 

%NIC-5-604101: FileReader, FileReader, -, -, -, -, Detail: 4544: Started File:device=GENERIC_FILEREADER,file name=E:\NIC\4100\SCBSEC-ES\FTP_FILES\JBOSS_1.1.8.5\localhost_access_log.2012-07-12.log-nic.20120712080601-1.tmp,file size=99,file time=1342073161,start time=1342073168483

 

%NIC-5-604102: FileReader, FileReader, -, -, -, -, Detail: 4544: Finished File:device=GENERIC_FILEREADER,file name=E:\NIC\4100\SCBSEC-ES\FTP_FILES\JBOSS_1.1.8.5\localhost_access_log.2012-07-12.log-nic.20120712080601-1.tmp,events sent=1,eps=1.#J,end time=1342073168483

 

%NIC-6-604115: FileReader, FileReader, -, -, -, -, Detail: 4544: Scanning directory E:\NIC\4100\SCBSEC-ES\FTP_FILES\APACHETOMCAT_1.1.1.5\*

%NIC-6-604115: FileReader, FileReader, -, -, -, -, Detail: 4544: Failed to get file list for E:\NIC\4100\SCBSEC-ES\FTP_FILES\APACHETOMCAT_1.1.1.5\*

 

%NIC-6-604115: FileReader, FileReader, -, -, -, -, Detail: 4544: Scanning directory E:\NIC\4100\SCBSEC-ES\FTP_FILES\JBOSS_1.1.8.5\*

 

%NIC-6-604115: FileReader, FileReader, -, -, -, -, Detail: 4544: Failed to get file list for E:\NIC\4100\SCBSEC-ES\FTP_FILES\JBOSS_1.1.8.5\*

 

0 Likes
Reply
GuyWilliams
Employee
Employee
In response to mrbeanus
‎2012-07-12 10:31 AM

 

EPS is checked second by second so if a file has more events than 70% of your license or you also have other shared memory collection services (ODBC, Agentless Windows, SDEE, etc) you can see this message.  All of the collection services that use shared memory just try again until the queue has free space and it succeeds.  It is only an indication of a problem if collection is not working.  You will see 200019 or 200020 messages to warn and report dropped messages.

 

The "Failed to get file list" used to be a debug message (level 7 so it didn't show up unless you turned the log level up) indicating that there were no files in the directory.  I wouldn't worry about it if you are picking up files from those directories.  On my system I see "Found 0 files in <directory>".

 

Thanks,

Guy

 

0 Likes
Reply
mrbeanus
Beginner
Beginner
In response to GuyWilliams
‎2012-07-12 10:35 AM

Our current File Reader service debug level is 6. Anyway - Should I be worried ?
0 Likes
Reply
GuyWilliams
Employee
Employee
In response to mrbeanus
‎2012-07-12 11:17 AM

You definately don't need to be worried about the Unable to write to shared memory unless you are also not getting events for File Reader, ODBC, Windows, etc. devices.

 

I wouldn't worry about the Failed to get file list.  To set your mind at ease you could check for files that have old time stamps in the ftp_files\<subdir>  indicating that they aren't getting picked up.

 

Regards,

Guy

0 Likes
Reply
mrbeanus
Beginner
Beginner
In response to GuyWilliams
‎2012-07-13 02:11 AM

Thank you for information !
You are better then RSA Support
0 Likes
Reply
ScottPause
Beginner
Beginner
In response to mrbeanus
‎2012-07-16 10:11 AM

lol,  I think he is RSA Support

0 Likes
Reply
mrbeanus
Beginner
Beginner
In response to ScottPause
‎2012-07-17 02:18 AM

yes, probably
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.