Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
246
Views
0
Helpful
2
Replies

SecMon Event Viewer crash after VMS 2.2 upgrade

5mlattimore
Level 1
Level 1

‎08-27-2003 03:42 PM - edited ‎03-09-2019 04:35 AM

I saw a response to a similar issue from Jie but this is NOT IEV but Security Monitor 2.2 Eventer Viewer crashing after VMS 2.2 upgrade.

While there is no CSA 4.0 daemon to stop (per Jies earlier advice) I stoppped the CiscoWorks MC for CSA Agents daemon and still get the following error:

"A serious internal error of unknown origin was detected in the event viewer server. You must reboot your server machine to fix the problem."

I can launch the event viewer if I choose only todays data, but no data appears in the viewer.

Can anyone advise?

thanks

Mike

Labels:
0 Helpful
2 Replies 2

scoclayton
Level 7
Level 7

‎09-12-2003 10:05 AM

Hi Mike,

I noticed that this question had not yet been answered so I thought I would jump in. I would probably need to get some logs from your server to assist and I think this may be beyond the scope of the NetPro forum. So, my suggestion (if you have not already done so) would be to go ahead and open a TAC case for assistance. Sorry I could not be more help here.

Scott

0 Helpful

5mlattimore
Level 1
Level 1
In response to scoclayton

‎09-12-2003 10:28 AM

Hi Scott

I ended up rebuilding everything and figured out that the crashes came from the plethora of alarms generated by msblast, nachi worm. We were seeing 2100, 2152, 3327, 3328 to the tune of 900k per 15 mins! on several different sensors.

sheesh. I wonder what the maximum load is for these guys. the sensors held up but the secmon could not even begin to handle it.

Later after blowing everything out, I tried to increase the secmon preferences to load 250000 alarms into the viewer but it was about a week before I was able to delete all those alarms..200k at a time :(

I wish there was a way to manually prune alarms from the database to avoid this DOS on the SecMon console.

I appreciate your offer of help!

Peace,

Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents