TroubleshootingΒΆ
MFSNs and a buildup of log files in an S3 bucket or Azure blob container are indications that the rate of flow and/or log generation exceeds the capacity of the Collector assigned to the flow log source.
The following are potential solutions for an overloaded Collector:
If the Collector is a VM, allocate additional resources to it.
If the Collector is ingesting flow logs from only one source (bucket or container), distribute the logs across multiple sources, which can then be assigned to different Collectors.
If the Collector is ingesting flow logs from multiple sources, reassign sources across multiple Collectors.
If the Collector license has a flow rate limit, the license may need to be upgraded.
Hint
In distributed deployments, it is recommended to start with a 1:1 pairing of sources and Collectors.
If a VPC or NSG is not listed in the Admin > Resources > Manage Exporters view:
Navigate to Admin > Integrations, open the configuration tray for the Collector assigned to and use the Test button to verify that the correct details were entered.
Verify that flow logs are correctly being sent to the bucket or container.
Check the Collector log file in
/home/plixer/scrutinizer/files/logs/
for errors.Check
awss3_log.json
(AWS) oraznsg_log.json
(Azure) for possible source-side issues.
Note
The Manage Exporters view also displays Exporters that have been disabled. Because each VPC or NSG counts as an Exporter, one or sources may be disabled automatically (in last-in/first-out order) if the Exporter count limit of the current license is reached.