Troubleshooting on

Policy and Key Audit logs

Mon, 01 Jan 0001 00:00:00 +0000

The policy audit logs generated for policy-related operations are sent to ESA. You can view them in Discover. Log in to the ESA, navigating to Audit Store > Dashboard > Open in new tab. Select Discover from the menu and select a time period such as Last 30 days.

Note:

The policy and key audit log codes are similar to the previous version.

The log descriptions in v10.2.0 are revised for policy and key audits. These changes may impact automated systems, alerts, and parsing logic in production environments. We recommend to review and update any dependent tools or queries.

event_status Field

In the ESA v10.2.0, a new field event_status has been introduced for all policy and key related audits. This field captures the outcome of each policy operation:

Known issues for the Audit Store

Mon, 01 Jan 0001 00:00:00 +0000

Known Issue: The Audit Store node security remains uninitialized and the message Audit Store Security is not initialized. appears on the Audit Store Cluster Management page.

Resolution:

Run the following steps to resolve the issue.
1. From the ESA Web UI, navigate to System > Services > Audit Store.
2. Ensure that the Audit Store Repository service is running.
3. Open the ESA CLI.
4. Navigate to Tools.
5. Run Apply Audit Store Security Configs.
Known Issue: Logs sent to the Audit Store do not get saved and errors might be displayed.

Known Issues for the td-agent

Mon, 01 Jan 0001 00:00:00 +0000

Known Issue: The Buffer overflow error appears in the /var/log/td-agent/td-agent.log file.

Description: When the total size of the files in td-agent buffer /opt/protegrity/td-agent/es_buffer directory reaches the default maximum limit of 64 GB, then the Buffer overflow error appears.

Resolution:

Add the total_limit_size parameter to increase the buffer limit in the OUTPUT.conf file using the following steps.
1. Log in to the ESA Web UI.
2. Navigate to System > Services.
3. Under Misc, stop the td-agent service.

Known Issues for Protegrity Analytics

Mon, 01 Jan 0001 00:00:00 +0000

Known Issue: Client side validation is missing on the Join an existing Audit Store Cluster page.

Issue:

Log in to the ESA Web UI and navigate to the Audit Store > Cluster Management > Overview page >Join Cluster. When you specify an invalid IP, enter a username or password more than the 36-character limit that is accepted on the Appliance, and click Join Cluster, then no errors are displayed and the request is processed.

Known Issues for the Log Forwarder

Mon, 01 Jan 0001 00:00:00 +0000

Known Issue: The Protector is unable to reconnect to a Log Forwarder after it is restarted.

Description: This issue occurs whenever you have a Proxy server between a Protector and a Log Forwarder. When the Log Forwarder is stopped, the connection between the Protector and the Proxy server is still open, even though the connection between the Proxy server and the Log Forwarder is closed. As a result, the Protector continues sending audit files to the Proxy server. This results in loss of the audit files. Whenever the Log Forwarder is restarted, the Protector is unable to reconnect to the Log Forwarder.