Deze pagina is nog niet beschikbaar in uw eigen taal. We werken er hard aan om meer taalversies toe te voegen. Bedankt voor uw steun.
- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Buying SecMaster
- Authorizing SecMaster
- Viewing Security Overview
- Workspaces
- Viewing Purchased Resources
- Security Situation
- Resource Manager
- Risk Prevention
- Threat Operations
- Security Orchestration
-
Playbook Overview
- Ransomware Incident Response Solution
- Attack Link Analysis Alert Notification
- HSS Isolation and Killing of Malware
- Automatic Renaming of Alert Names
- Auto High-Risk Vulnerability Notification
- Automatic Notification of High-Risk Alerts
- Auto Blocking for High-risk Alerts
- Real-time Notification of Critical Organization and Management Operations
-
Settings
- Data Integration
-
Log Data Collection
- Data Collection Overview
- Adding a Node
- Configuring a Component
- Adding a Connection
- Creating and Editing a Parser
- Adding and Editing a Collection Channel
- Managing Connections
- Managing Parsers
- Managing Collection Channels
- Viewing Collection Nodes
- Managing Nodes and Components
- Partitioning a Disk
- Logstash Configuration Description
- Connector Rules
- Parser Rules
- Upgrading the Component Controller
- Customizing Directories
- Permissions Management
- Key Operations Recorded by CTS
-
Best Practices
-
Log Access and Transfer Operation Guide
- Solution Overview
- Resource Planning
- Process Flow
-
Procedure
- (Optional) Step 1: Buy an ECS
- (Optional) Step 2: Buy a Data Disk
- (Optional) Step 3: Attach a Data Disk
- Step 4: Create a Non-administrator IAM User
- Step 5: Configure Network Connection
- Step 6: Install the Component Controller (isap-agent)
- Step 7: Install the Log Collection Component (Logstash)
- (Optional) Step 8: Creating a Log Storage Pipeline
- Step 9: Configure a Connector
- (Optional) Step 10: Configure a Log Parser
- Step 11: Configure a Log Collection Channel
- Step 12: Verify Log Access and Transfer
- Credential Leakage Response Solution
-
Log Access and Transfer Operation Guide
-
API Reference
- Before You Start
- API Overview
- Calling APIs
-
API
- Alert Management
- Incident Management
- Indicator Management
- Playbook Management
- Alert Rule Management
- Playbook Version Management
- Playbook Rule Management
- Playbook Instance Management
- Playbook Approval Management
- Playbook Action Management
- Incident Relationship Management
- Data Class Management
- Workflow Management
- Data Space Management
- Pipelines
- Workspace Management
- Metering and Billing
- Metric Query
- Baseline Inspection
- Appendix
- FAQs
How Are Collection Node or Collection Channel Faults Handled?
Symptom
The component controller isap-agent periodically reports the collection node status and collection channel health status. Despite a delay of about one minute, the Health Status of a collection node or collection channel was still displayed as Faulty 3 minutes after the collection channel is delivered, and the CPU usage or memory usage of the server is about to reached 100%.
Possible Causes
The configured connector or parser has syntax or semantic errors. As a result, the collector cannot run properly and restarts over and over again. The CPU and memory are exhausted.
Fault Location
- Remotely log in to the ECS where the collection node resides.
- Log in to the ECS console, locate the target server, and click Remote Login in the Operation column to log in to the server. For details, see Login Using VNC.
- If your server has an EIP bound, you can also use a remote management tool, such as PuTTY or Xshell, to log in to the server and install the component controller on the server as user root.
- Run the following command to check the OS running status:
If the following information is displayed, the Java process in the ECS uses a large number of CPU resources.
Figure 3 Status
- Run the following command to view the collector run logs:
According to the logs, the filter (parser) configuration of the current collection channel is incorrect, as shown in the following figure.
Figure 4 Collector run log
- Run the following command to switch to the directory where the collection channel configuration file is stored:
- Run the following command to check whether the filter part is abnormal:
If the information shown in the following figure is displayed, the current filter is abnormal.
Figure 5 Filter exceptions
Solution
- Log in to the SecMaster console and access the target workspace.
- In the navigation pane on the left, choose Settings > Collections. Then, select the Parsers tab.
- Click Edit in the Operation column of the row containing the target parser. On the edit page, delete the incorrect configuration and configure it again.
Figure 6 Configurations of an abnormal parser
Figure 7 Modifying the parser configuration
- Click OK.
- Click the Collection Channels tab, locate the target connection channel, and click Restart in the Operation column.
- Check the status of the collection channel and collection node.
- After the restart is complete, go to the Collection Channels tab and check the health status of the target collection channel.
- Select the Collection Nodes tab. On the page displayed, check the health status of the target collection node.
If the Health Status of the collection channel and collection node is Normal, the fault has been rectified.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
