TroubleshootingΒΆ
MFSNs and a buildup of log files in flow log source containers are indications that the rate of flow and/or log generation exceeds the capacity of the collector assigned to the flow log source.
The following are potential solutions for an overloaded collector:
If the collector is a VM, allocate additional resources (starting with CPU cores) to it.
If the collector is ingesting flow logs from only one source (bucket or container), distribute the logs across multiple sources, which can then be assigned to different collectors.
If the collector is ingesting flow logs from multiple sources, reassign sources across multiple collectors.
If the collector license has a flow rate limit, the license may need to be upgraded.
Note
In distributed deployments, it is recommended to start with a 1:1 pairing of sources and collectors.
The Unresourced - Enabled status in the Admin > Resources > Exporters view is another indication that flow log sources are being temporarily disabled/paused due to insufficient resources.
If the Admin > Resources > Exporters view does not list exporters that are associated with the virtual network(s) set up for flow ingestion, do the following:
Navigate to Admin > Integrations > Flow Ingestion, open the configuration tray for the collector it was assigned to, and then use the Test button to verify that the correct details were entered.
Note
The Test button only checks if the communication with the data source works.
Verify that flow logs are correctly being sent to the bucket or container.
Check the collector log file in
/home/plixer/scrutinizer/files/logs/for errors.Check
awss3_log.json(AWS),azure_log.json(Azure), orocist_log.jsonfor possible source-side issues.
Note
The Admin > Resources > Exporters view also displays exporters that have been disabled. Because each AWS, Azure, or OCI flow log source counts as an exporter, one or more sources may be disabled automatically (in last-in/first-out order) if the exporter count limit of the current license is reached.