cscli machines inspect not showing all machine detail in distributed setup
Hey, I am currently trialling a distributed setup. i have a centralised security engine running on a dedicated VM (lets call it server1), then 3 apache webservers with the engine installed doing log parsing and reporting back to the LAPI on Server1.
The first webserver we setup is working perfectly, were seeing tons of alerts and decisions, if i run cscli machines inspect against this machine (server5) i see a ton of acquisition and parser metrics as you would expect for a busy server.
However we then set log parsing up on servers 2 and 6 and are not having the same results. If i run machines inspect against server2 i see the machine overview box with the datasource and collection information (this all looks good), but i have no parser or acquisition boxes. If i check logs and metrics on server2 itself it seems to be working as expected, i can see lots of acquisition and parser detail. Its as if its not making it back to server1 for some reason.
server6 is similar, however i have had a few (less than maybe 20) alerts originating from here showing in the alerts list on server1. When i inspect this one i see acquisition detail box but no parser detail box, but again if i inspect metrics locally on the machine it all looks correct.
I have also compared the config file across all 3 of the log parsers and they are basically identical.
Any suggestions on what i might be doing wrong?
The first webserver we setup is working perfectly, were seeing tons of alerts and decisions, if i run cscli machines inspect against this machine (server5) i see a ton of acquisition and parser metrics as you would expect for a busy server.
However we then set log parsing up on servers 2 and 6 and are not having the same results. If i run machines inspect against server2 i see the machine overview box with the datasource and collection information (this all looks good), but i have no parser or acquisition boxes. If i check logs and metrics on server2 itself it seems to be working as expected, i can see lots of acquisition and parser detail. Its as if its not making it back to server1 for some reason.
server6 is similar, however i have had a few (less than maybe 20) alerts originating from here showing in the alerts list on server1. When i inspect this one i see acquisition detail box but no parser detail box, but again if i inspect metrics locally on the machine it all looks correct.
I have also compared the config file across all 3 of the log parsers and they are basically identical.
Any suggestions on what i might be doing wrong?
