Eventia headache

[gfont96]

Hello,

I have Eventia Reporter running on a win2k3 Smartcentre Server (full thing, not the add-on).

It has started whining about the consolidator session. Deleting it and creating a new one fails. The following is in the lc_rt.log file

[1 Oct 9:11:29][] Got message: [START]
[1 Oct 9:13:01][] Got message: [EXIT_MESSAGE]
[1 Oct 9:18:28][LogConsolidator] ### LEA end reason:END_BY_APPLICATION (LEA Session was closed by the application)

[1 Oct 9:18:28][LogConsolidator] ### log_consolidator -L exit ok (code 0)

[1 Oct 9:19:11][LogConsolidator] ### Deleting connections of uncompleted log processing...

[1 Oct 9:19:11][LogConsolidator] ### Total rows deleted: 0

[1 Oct 9:19:11][LogConsolidator] Error:failed to add Acrobat Reader CSRF vulnerability inter_name (with inter_code 139) to ATTACK_INFO InterCodeHashTable

[1 Oct 9:19:11][LogConsolidator] Error: failed to run log_consolidator -R

[1 Oct 9:19:13][LogConsolidator] Aborted
[1 Oct 9:19:13][LogConsolidator] An error has occurred in the Log Consolidator.
View the file $RTDIR/log_consolidator_engine/log/<log server ip>/lc_rt.log.
Note that once the problem is fixed, you must restart the Log Consolidator service.
[1 Oct 9:21:19][] Got message: [EXIT_MESSAGE]

I have

a) unticked the Adobe Acrobat vuln in WebIntelligence
b) pushed policy but still get the same error.
c) stop reporter services then b). Started services
d) did cpstop - cpstart

I have seen as SK that says to do pretty much what I have done, other than it says delete all log files (can I delete fw.log, don't really want to)

Is there a way I can trash the existing database and start again from fresh, without an install.

My colleague admitted to deleting old log files to reclaim disk space (loads of it) without stoping consolidator session or reporter services. As punishemnt she had to drink 3 sambucas in quick succession.

Any ideas

gfont96

[lodown]

More than likely it's a problem with adding the particular vulnerability listed below:

[1 Oct 9:19:11][LogConsolidator] Error:failed to add Acrobat Reader CSRF vulnerability inter_name (with inter_code 139) to ATTACK_INFO InterCodeHashTable

I had a similar problem with something else in Smartdefense, and Checkpoint was able to provide a fix that cleared the problem from the necessary table.

lodown