Every once in a while, if there is a huge influx of information, you “MAY” need to bounce the Sensor Controller service. I have also seen in this new version that after a time you “MAY” have to bounce the ISSDAEMON service on the eventcollector. I am not sure why this is. But the sensors will retain their information in a file called SensorEventQueue.ADF. This file has all the information for the sensor if the sensor controller is offline or if the eventcollector fails to respond. Once the services are back up, it will dump this file to the eventcollector. (This would explain why the information was not there and shows up after a reboot.)

 

Based on your setup, i.e. if you have your deployment manager SP, and eventcollector on one box (Standard Setup), then all you would have to do is restart the services. If you have a custom setup (where the eventcollector resides on a different box than the application service) and you bounced the SP box, then it would point to the Sensor Controller service. If you restart this and nothing happens, then you would have to go to your eventcollector to restart the ISSDAEMON.

 

I have seen with my install that if I have to bounce anything, it is the eventcollector's ISSDAEMON service. What I have also noticed is that sometimes it will hang in a stopping state and the box needs to be bounced.

 

With only as few sensors as you have, you should not be encountering this issue... unless you are generating huge amounts of alerts to the machine and overwhelming it. I have only had to bounce the ISSDAEMON service 3 times in 6 months and I know what the issue is. I hope this will help you with the problems you are facing.

 

Daniel Sergile, CISSP
Information Security Engineer
Cox Communications Atlanta
 


From: Bojidar Tzendov [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 2:32 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] SiteProtector SP3
Importance: High

 

 

Hi All,

 

I have a fresh installation of SPSP3 with 1 Network Sensor, 1 Server Sensor, Desktop Controller configured and 1 Desktop Protector added, 1 Internet Scanner and Fusion module.

 

I have simulated attacks. It appears all is going well and Fusion module is ok, and all is ok.

 

But after a period of time (a few hours) the SP stops visualizing events from sensors and stops visualizing vulnerability data coming from Internet Scanner (even though there are attacks and there are IS scans).

 

I restarted the SP machine and all the missing data appeared.

 

What do you think is the reason for that?

 

I am afraid the situation could repeat.

 

Regards

Bojidar Tzendov
