Imperva Cyber Community

  • 1.  DRA failed to send events to report server

    Posted 10-25-2021 09:55
    Dear
    I configuration DRA send events to Reporting Server(Sonar) as 《v4.1_data_risk_analytics_user_guide_9-7-2021》 page 103,but there is a error "Syslog messages could not be sent to xx.xx.xx.xx port 10674 using tcp. pls check network setting". and I also try to do a test on cli,still failed to send events to sonar,error info as following:
    [root@localhost ~]# cbctl adminserver send-historical-incidents-to-reporting-server
    Starting with preparations...
    Looking for reporting server configuration...
    Reporting server configuration was found. Reporting Server IP address/Host:78.1.9.12
    If you want to continue, type y. If you want to change the reporting server IP address/Host, type n and change the IP address/Host via the UI (System --> Notification and Reporting --> Reporting Server)
    Do you want to continue? [y/n]: y
    send-historical-incidents-to-reporting-server started...
    This can take a while depending on the amount of existing incidents. Please do not perform any other operations.
    If you want to stop the process before it is done, please perform cbctl restart after you stopped the process.
    Sending the incidents to 78.1.9.12 10674 failed. The reason Connection refused (Connection refused)

    Anyone provide some clues to help me solve this problem,thanks!
    Notes:

            1).DRA and sonar are on the same network segment
            2).There are no any policy restriction communication between DRA and sonar
            3).sonar version 4.3.b,DRA version 4.1
           

    #jSonar

    ------------------------------
    jeff gao
    security Engineer
    Shanghai�SHNetworks Technology Co.,Ltd.
    Shanghai
    ------------------------------


  • 2.  RE: DRA failed to send events to report server

    Community Manager
    Posted 10-26-2021 14:21
    Hi Jeff,

    I chatted with some of our Engineers and the advised the following:

    Integrating DRA with Sonar requires port enablement via the command line interface of the Sonar machine, as described below:

    Integrating DRA with Sonar requires port enablement via the command line interface of the Sonar machine

    You can see the full article here:

     http://dcapdocs.jsonar.com/latest/en/integration-with-imperva-data-risk-analytics.html

    I hope this helps.

    Thanks,

    Sarah



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 3.  RE: DRA failed to send events to report server

    Posted 10-26-2021 22:24
    Hi Sarah
        Thanks for your reply
          I try to follow the steps above,but prompt error:
    [root@Jsonar ~]# cp $JSONAR_BASEDIR/etc/rsyslog.d/sonar/gateway/rulesets/imperva_dr_incidents.conf $JSONAR_LOCALDIR/gateway/rsyslog.d
    cp: cannot stat '/etc/rsyslog.d/sonar/gateway/rulesets/imperva_dr_incidents.conf': No such file or directory

    I try to find imperva_dr_incidents.conf file with "find / -name imperva_dr_incidents.conf",but i can not find it,there is no this file.


    ------------------------------
    jeff Gao
    security Engineer
    shnetworks
    Shanghai
    ------------------------------



  • 4.  RE: DRA failed to send events to report server

    Posted 26 days ago
    Anyone can help,thanks!

    ------------------------------
    jeff Gao
    security Engineer
    shnetworks
    Shanghai
    ------------------------------



  • 5.  RE: DRA failed to send events to report server

    Community Manager
    Posted 16 days ago

    Hi Jeff,

    Apologies for the delay. I spoke to the team and was advised the following...

    The reason this command isn't working for the user: 

    [root@Jsonar ~]# cp $JSONAR_BASEDIR/etc/rsyslog.d/sonar/gateway/rulesets/imperva_dr_incidents.conf $JSONAR_LOCALDIR/gateway/rsyslog.d
    cp: cannot stat '/etc/rsyslog.d/sonar/gateway/rulesets/imperva_dr_incidents.conf': No such file or directory 

    Is because they first need to source the environment file that defines the variables $JSONAR_BASEDIR, $JSONAR_LOCALDIR, etc.
    If they run the following command before the copy, it should work: 

    source /etc/sysconfig/jsonar 

    They should also restart the sonarrsyslog service to get the Sonar machine listening on the port: 

    sudo systemctl restart sonarrsyslog

    I hope this helps.

    THanks,

    Sarah



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 6.  RE: DRA failed to send events to report server

    Posted 2 days ago
    Hi Sarah

    Thanks for your reply!
    There is no correlation with environmental variables,because i can not find imperva_dr_incidents.conf file.


    ------------------------------
    jeff Gao
    security Engineer
    shnetworks
    Shanghai
    ------------------------------