ICDx

  • 1.  Cannot connect to DCS with ICDx 1.4

    Posted Mar 16, 2020 11:31 AM
    This is a brand new install of Symantec ICDx 1.4.0-626.  I have the same problem with both RedHat and Ubuntu.  DCS version is 6.7 and the database is SQL 2014.  I keep getting the following errors when trying to start the collector for Symantec DCS:

    Restarting dcs collector
    dcs collector process has started, pid: 2814
    Service has started
    Database query SCSPAuditEvents failed. Incorrect syntax near 'TIME'.
    Database query CSPEvents failed. Incorrect syntax near 'TIME'.
    CSP DB Sensor - read sensor failed. {}
    CSP DB Sensor thread had an error; terminating application

    CSP DB Sensor - Terminating application with exit status 1 due to: Error in module CSP DB Sensor due to java.lang.Error: com.symantec.cas.ucf.sensors.ReadDeviceException: Database configuration error, caused by com.symantec.cas.ucf.sensors.ReadDeviceException: Database configuration error, caused by com.microsoft.sqlserver.jdbc.SQLServerException: Incorrect syntax near 'TIME'.

    Any assistance with this error would be great as our support with Symantec support is all screwed up for DCS at the moment.

    ------------------------------
    Mike
    WaveRider Security
    CA
    ------------------------------


  • 2.  RE: Cannot connect to DCS with ICDx 1.4

    Broadcom Employee
    Posted Mar 16, 2020 12:50 PM
    Hi Mike,
    Please, upgrade the database to SQL 2016.
    Thanks,
    Roumen



  • 3.  RE: Cannot connect to DCS with ICDx 1.4

    Posted Mar 16, 2020 01:43 PM
    Is that the only solution?  That will be a tall order in this environment.

    ------------------------------
    Mike
    WaveRider Security
    CA
    ------------------------------



  • 4.  RE: Cannot connect to DCS with ICDx 1.4

    Broadcom Employee
    Posted Mar 16, 2020 03:23 PM
    Yes, this is the only solution, unless you are ok to edit the sql config file and remove the words: AT TIME ZONE 'UTC'.

    If you are interested, then I can provide you more information about which files to edit.

    Roumen


  • 5.  RE: Cannot connect to DCS with ICDx 1.4

    Posted Mar 16, 2020 03:28 PM
    Thank you Roumen.  Can you provide me with the information to modify the files?  Will this be fixed with another release of ICDx?

    Thanks again,
    Mike

    ------------------------------
    Mike
    WaveRider Security
    CA
    ------------------------------



  • 6.  RE: Cannot connect to DCS with ICDx 1.4

    Broadcom Employee
    Posted Mar 16, 2020 04:23 PM
    Hi Mike,
    Sorry, I am not sure if we will "fix" it. The issue is that the DCS collector uses an SQL feature, which is available in MS SQL Server 2016, to set the timezone. This feature is useful when the ICDx and the DCS Database are located in different time zones.

    The fix is:
    1. ssh to the ICDx machine.

    2. Change to the Linux icdx user, if you use the default name:

    sudo -su icdx

    3. Replace $SYMC_HOME/sdcs_col_dx-3.7.20-745/cfg/sensor-6.7.json.cfg file with the content below (I removed the "AT TIME ZONE 'UTC'").

    4. Login on the ICDx Web console and go to the collectors configuration page.

    5. Clone the existing DCS collector and start it. The new collector will use the new configuration file. You should delete the old collector.


    ---- sensor-6.7.json.cfg ----

    /**
     * SCSP DB version 6.7+ sensor configuration file
     */
    {
      "MaxEvents": #{batch_size},
      "IdleInterval": #{idle_interval},
      "ReadInterval": #{read_interval},
      "SensorConfigFileName": "etc/sensor.xml",
      "sensor-properties": [
        { "LastPositionUpdateFrequency": "300000" },

        { "QuerySet.1.Name": "CSPEvents" },
        // Note: the column names MUST be all-lower-case!!!!
        { "QuerySet.1.PrimaryQuery.1.Query": "SELECT event_id,description,hostname,hostaddr,agentname,agent_version,osversion,ostype,domain_name,event_dt,event_end_dt,post_dt,asset_rid,event_seq,event_type,event_cnt,timezone_adj,event_severity,asset_collectorrid,collectorname,process_id,process_name,process_path,session_id,user_name,system_state,event_remediated,policy_name,policyrid,rule_name,rule_id,user_text,disposition,operation,target_info,value1,value2,value3,value4,value5,value6,value7,value8,value9,value10,value11,value12,value13,value14,value15,value16,value17,value18,value19,value20,value21,value22,value23,value24,value25,value26 FROM dbo.cspevent with (NOLOCK) WHERE event_id IN (SELECT TOP #{batch_size} event_id FROM dbo.cspevent with (NOLOCK) WHERE event_id > ? ORDER BY event_id ASC) ORDER BY event_id ASC" },
        { "QuerySet.1.PrimaryQuery.1.ResultFormat": "WithColumnName" },
        { "QuerySet.1.PrimaryQuery.1.Parameter.1.Style": "LastPosition" },
        { "QuerySet.1.PrimaryQuery.1.Parameter.1.Type": "LONG" },
        { "QuerySet.1.PrimaryQuery.1.Parameter.1.FieldIndex": 1 },
        { "QuerySet.1.PrimaryQuery.1.Parameter.1.InitialBeginningValue": 0 },
        { "QuerySet.1.PrimaryQuery.1.Parameter.1.InitialEndQuery": "SELECT MAX(EVENT_ID) FROM dbo.cspevent WITH (NOLOCK)" },

        { "QuerySet.2.Name": "SCSPAuditEvents" },
        { "QuerySet.2.PrimaryQuery.1.Query": "SELECT TOP #{batch_size} rid,ts,appname,hostname,hostaddr,userrid,username,objectrid,objectname,objectver,objecttype,objectpath,tablename,operation,msg from dbo.audit WITH (NOLOCK) where rid > ? ORDER BY rid ASC" },
        { "QuerySet.2.PrimaryQuery.1.ResultFormat": "WithColumnName" },
        { "QuerySet.2.PrimaryQuery.1.Parameter.1.Style": "LastPosition" },
        { "QuerySet.2.PrimaryQuery.1.Parameter.1.Type": "INT" },
        { "QuerySet.2.PrimaryQuery.1.Parameter.1.FieldIndex": 1 },
        { "QuerySet.2.PrimaryQuery.1.Parameter.1.InitialBeginningValue": 0 },
        { "QuerySet.2.PrimaryQuery.1.Parameter.1.InitialEndQuery": "SELECT MAX(RID) FROM dbo.audit WITH (NOLOCK)" }
      ]
    }

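The root cause described in the reply above is a version mismatch: `AT TIME ZONE` was introduced in SQL Server 2016 (product major version 13), so SQL Server 2014 rejects it with "Incorrect syntax near 'TIME'". The following script is an added example, not code from the thread or from Symantec/Broadcom; it checks the version string that `SERVERPROPERTY('ProductVersion')` returns, and only when the server is too old does it strip the `AT TIME ZONE 'UTC'` clause from the `...Query` values of a sensor config, leaving comments and `#{...}` placeholders untouched. The sample config text embedded in it is constructed for the demonstration (the real file is longer), and the version threshold is the only assumption about the server.

```python
"""Decide whether a SQL Server accepts AT TIME ZONE and, if not, strip the
clause from DCS collector query strings. Added example; the config text below
is constructed, not the real sensor-6.7.json.cfg."""
import re
from typing import Dict, Tuple

# AT TIME ZONE exists from SQL Server 2016 onwards (ProductVersion major = 13).
AT_TIME_ZONE_MIN_MAJOR = 13

# T-SQL you would run against the DCS database to obtain the version string,
# e.g. '12.0.6024.0' for 2014 or '13.0.5026.0' for 2016.
VERSION_QUERY = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))"

# Matches the clause the thread says was removed, together with the whitespace
# in front of it, so "event_dt AT TIME ZONE 'UTC' AS event_dt" collapses to
# "event_dt AS event_dt".
AT_TIME_ZONE_RE = re.compile(r"\s+AT\s+TIME\s+ZONE\s+'UTC'", re.IGNORECASE)

# Constructed stand-in for the collector config: same key layout as the real
# file, comments and #{...} template placeholders included, but only a few
# columns and with the UTC clause still present.
SAMPLE_CFG = """{
  "MaxEvents": #{batch_size},
  "sensor-properties": [
    { "QuerySet.1.Name": "CSPEvents" },
    // Note: the column names MUST be all-lower-case!!!!
    { "QuerySet.1.PrimaryQuery.1.Query": "SELECT event_id,event_dt AT TIME ZONE 'UTC' AS event_dt,post_dt AT TIME ZONE 'UTC' AS post_dt FROM dbo.cspevent with (NOLOCK) WHERE event_id > ? ORDER BY event_id ASC" },
    { "QuerySet.1.PrimaryQuery.1.Parameter.1.InitialEndQuery": "SELECT MAX(EVENT_ID) FROM dbo.cspevent WITH (NOLOCK)" },
    { "QuerySet.2.Name": "SCSPAuditEvents" },
    { "QuerySet.2.PrimaryQuery.1.Query": "SELECT TOP #{batch_size} rid,ts AT TIME ZONE 'UTC' AS ts FROM dbo.audit WITH (NOLOCK) where rid > ? ORDER BY rid ASC" }
  ]
}
"""


def supports_at_time_zone(product_version: str) -> bool:
    """True when the ProductVersion string belongs to SQL Server 2016 or newer."""
    major = int(product_version.strip().split(".")[0])
    return major >= AT_TIME_ZONE_MIN_MAJOR


def strip_at_time_zone(query: str) -> Tuple[str, int]:
    """Remove every AT TIME ZONE 'UTC' clause; return (new_query, clauses_removed)."""
    return AT_TIME_ZONE_RE.subn("", query)


def rewrite_config(cfg_text: str, product_version: str) -> Tuple[str, Dict[str, int]]:
    """Return (rewritten_config, {query_key: clauses_removed}).

    Only lines carrying a "...Query" value are edited, so comments, the
    #{...} placeholders and every other property come back byte-identical.
    If the server supports AT TIME ZONE the text is returned unchanged.
    """
    if supports_at_time_zone(product_version):
        return cfg_text, {}
    key_re = re.compile(r'"([^"]*\.Query)"\s*:')
    out, removed = [], {}
    for line in cfg_text.splitlines(keepends=True):
        m = key_re.search(line)
        if m:
            line, n = strip_at_time_zone(line)
            if n:
                removed[m.group(1)] = n
        out.append(line)
    return "".join(out), removed


if __name__ == "__main__":
    for version in ("12.0.6024.0", "13.0.5026.0"):
        new_cfg, removed = rewrite_config(SAMPLE_CFG, version)
        print(f"ProductVersion {version}: AT TIME ZONE supported = "
              f"{supports_at_time_zone(version)}; clauses removed per key = {removed}")
        if removed:
            print(new_cfg)
```

Run the version query first and feed its result to `rewrite_config`; a clean copy of the collector file with the clause stripped is what Roumen's replacement file amounts to, and the per-key count tells you which query sets were touched. Keep in mind the trade-off he states: without the clause, timestamps are no longer normalised to UTC by the database, which only matters when ICDx and the DCS database sit in different time zones.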

  • 7.  RE: Cannot connect to DCS with ICDx 1.4

    Posted Mar 16, 2020 06:18 PM
    Thank you! Modifying the code has saved the day.

    We have run into another issue with Syslog forwarding, but I will post a new question.

    Thanks,
    Mike

    ------------------------------
    Mike
    WaveRider Security
    CA
    ------------------------------