4+ Shadow.log pending alerts after filter 3.0 patch


This article applies to:

  • R3000 3.0+  

Symptoms:

  • After patching the R3000 filter to version 3.0 or above, alert emails start to arrive each hour stating that you have 4+ shadow.logs pending.

Causes:

  • During the patch process, the filter is sometimes unable to properly recognize the version of the Enterprise Reporter to which it sends its logs. As a result, the filter sends its logs using an incorrect protocol, which causes problems for the log transfer process.

Resolution:

In most cases, this can be resolved by forcing the filter(s) to re-detect the version of the reporter. To do this, open the filter GUI and go to Reporting -> Shadow log format. Set the format to one of the manual options if it is not already, and apply settings. Then change this setting to auto-detect and apply settings again. This should force the filter to find the reporter's actual version and use the correct transfer protocol in the future.


Last Modified 4/29/2010.
https://support.trustwave.com/kb/KnowledgebaseArticle13020.aspx