
Security Director stops seeing JSA as a log collector

  [KB34099]


Summary:

This article describes a scenario where Security Director no longer sees Juniper Secure Analytics (JSA) as a Log Collector, so no logs are seen coming in. This occurs when the JSA administrator changes the self-signed certificates on the JSA without notifying the Junos Space / Security Director administrator.

Symptoms:
There are no logs in the Security Director and JSA does not display as a Log Collector.

Environment:

  • Space Network Management Platform 18.2R1
  • Security Director 18.2R1
  • Juniper Secure Analytics 7.3.1
  • JSA 10.85.221.94

The JSA administrator changed the self-signed certificates on the JSA without notifying the Junos Space / Security Director administrator. As a result, Security Director stops displaying logs in Monitor > Events & Logs > All Events, and the log collector no longer shows up in Administration > Logging Management > Logging Nodes.

From the server.log:

2019-03-29 15:07:39,624 ERROR [org.jboss.as.ejb3.invocation] (ajp-space-0050569e8336/10.85.221.86:8009-10) JBAS014134: EJB Invocation failed on component jnap.ecm.LogCollectorManagerEJB for method public abstract net.juniper.jmp.PagingResult net.juniper.jnap.ecm.logcollector.api.LogCollectorManager.getPagedLogCollectorNodes(net.juniper.jmp.PagingContext) throws net.juniper.jnap.ecm.exception.ECMException: javax.ejb.EJBException: net.juniper.jnap.ecm.exception.ECMException: Connect to 10.85.221.94:443 [/10.85.221.94] failed: Connection refused (Connection refused)
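
An added example (not part of the original article and not Juniper tooling) that scans server.log text for the LogCollectorManagerEJB failure shown above and summarises which log collector endpoint Security Director could not reach. The function name `collector_failures` and the second and third sample lines are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample input: the first line is the server.log entry quoted in
# this article; the other two lines are made up for the example.
SAMPLE_LOG = """\
2019-03-29 15:07:39,624 ERROR [org.jboss.as.ejb3.invocation] (ajp-space-0050569e8336/10.85.221.86:8009-10) JBAS014134: EJB Invocation failed on component jnap.ecm.LogCollectorManagerEJB for method public abstract net.juniper.jmp.PagingResult net.juniper.jnap.ecm.logcollector.api.LogCollectorManager.getPagedLogCollectorNodes(net.juniper.jmp.PagingContext) throws net.juniper.jnap.ecm.exception.ECMException: javax.ejb.EJBException: net.juniper.jnap.ecm.exception.ECMException: Connect to 10.85.221.94:443 [/10.85.221.94] failed: Connection refused (Connection refused)
2019-03-29 15:08:01,102 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 12) constructed unrelated line
2019-03-29 15:09:40,017 ERROR [org.jboss.as.ejb3.invocation] (ajp-space-0050569e8336/10.85.221.86:8009-11) JBAS014134: EJB Invocation failed on component jnap.ecm.LogCollectorManagerEJB for method getPagedLogCollectorNodes: net.juniper.jnap.ecm.exception.ECMException: Connect to 10.85.221.94:443 [/10.85.221.94] failed: Connection refused (Connection refused)
"""

# Matches ERROR entries raised by the log collector EJB and captures the
# timestamp, the endpoint Security Director tried to reach, and the reason.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ERROR .*"
    r"component jnap\.ecm\.LogCollectorManagerEJB\b.*"
    r"Connect to (?P<host>[^\s:]+):(?P<port>\d+) \[[^\]]*\] failed: "
    r"(?P<reason>[^(]+?)\s*(?:\(|$)"
)


def collector_failures(log_text):
    """Summarise failed log collector connections per 'host:port' endpoint."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log collector connection failure
        key = "%s:%s" % (m.group("host"), m.group("port"))
        entry = summary.setdefault(
            key, {"count": 0, "first": m.group("ts"), "last": None, "reasons": set()}
        )
        entry["count"] += 1
        entry["last"] = m.group("ts")
        entry["reasons"].add(m.group("reason"))
    return summary


if __name__ == "__main__":
    for endpoint, info in collector_failures(SAMPLE_LOG).items():
        print(endpoint, info["count"], info["first"], info["last"], sorted(info["reasons"]))
```

Repeated failures against the JSA address with no matching change on the Security Director side are the cue to ask the JSA administrator whether the certificate was replaced.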

In the Security Director interface where the JSA previously showed up as a log collector, a spinning wheel is seen.

Cause:

The administrator of the JSA changed the default self-signed certificate on the JSA. The Security Director still has the old certificate, which is no longer valid, so it can no longer connect to the JSA and run its AQL queries against it.

Solution:
  1. Confirm with the JSA administrator whether the self-signed certificate on the JSA has been changed. If so, run the following commands on the Junos Space node:

    [root@space-0050569e8336 server1]# mysql -u jboss -p$(grep mysql.jboss /etc/sysconfig/JunosSpace/pwd | awk -F= '{print $2}') ecm_db;
    mysql> delete from LogCollectorNode;
    Query OK, 1 row affected (0.00 sec)
    
    mysql> delete from LogCollectorCredential;
    Query OK, 1 row affected (0.00 sec)
    
    mysql>\q
  2. In the Security Director interface, go to:

    Administration > Logging Management > Logging Nodes  

  3. Re-add the JSA as a logging node using the admin/password and IP address of JSA. These values have not changed. 
