External logging in SEPM with Failover configuration

I need a solution

My company has two SEPMs and we’re trying to configure External Logging. We have the primary SEPM configured to export logs to a dump file and our SIEM agent is ingesting the logs in the dump files. As long as the SEPM in datacenter a is active, it writes logs to the *.tmp files in the dump directory. If the SEPM in datacenter b becomes active, it does not write logs to the *.tmp files in the dump directory. How do we make sure that whichever SEPM is active writes *.tmp files in the dump directory (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump)?


Related:

XenApp/XenDesktop 7.15 LTSR CU2 and CU3: VDA Intermittently Blue Screens With BugCheck Code 0x50

The VDA intermittently blue screens with BugCheck Code 0x50.

Memory Dump Analysis shows:

Process ID [0]

Thread ID [0]

IDENTITY: NonPrimaryClient/NoIdentity.

Executing Processor Architecture is x64.

Debuggee is in Kernel Mode.

Debuggee is a kernel mode dump file.

Event Type: Exception.

Exception Faulting Address: 0xffffe002fa182a3e.

BugCheck Code: 0x50.

Exception Code: 0xC0000005.

Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005).

Exception Sub-Type: Write Access Violation.

Exception Hash (Major/Minor)

Hash Usage : Stack Trace:

Excluded : nt!KeBugCheckEx+0x0

Excluded : nt!MiSystemFault+0x10b2

Excluded : nt!MmAccessFault+0x219

Excluded : nt!KiPageFault+0x317

Major+Minor : wdica!MakeOnePacket+0x424

Major+Minor : wdica!SendSomeData+0xfe

Major+Minor : wdica!FlushManagement+0xf1

Major+Minor : wdica!TerminalChannelWrite+0xb2a

Major+Minor : wdica!WdChannelWrite+0xe

Minor : picadd!_IcaCallSd+0x2ba

Minor : picadd!IcaCallDriver+0x28b

Minor : picadd!IcaWriteChannel+0x724

Minor : PICAVC!PicaWriteVC+0x4a5

Minor : picadm!FileWriteStreamEx+0x43a

Minor : picadm!FileWriteStream+0x17f

Minor : picadm!FileWrite+0x3dc

Minor : picadm!PdmFsdWrite+0x3ce

Minor : picadm!OwWriteFsd+0x1c2

Minor : picadm!WriteMaximumIoSizeChunks+0x5b

Minor : picadm!NonCachedWrite+0x1ef

Minor : picadm!OwCommonWrite+0xada

Minor : picadm!OwFsdWrite+0x264

Minor : mup!MupiBypassMupAndCallUncProviderDirectly+0x36

Minor : mup!MupFsdIrpPassThrough+0xdb

Minor : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x25a

Minor : fltmgr!FltpDispatch+0xb2

Minor : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x25a

Minor : fltmgr!FltpDispatch+0xb2

Excluded : nt!IopSynchronousServiceTail+0x32b

Excluded : nt!NtWriteFile+0x694

Excluded : nt!KiSystemServiceCopyEnd+0x13

Unknown : 0x0000000077e22352

Related:


How to Use Windows Error Reporting (WER) to Capture Application Crash Dumps (User Dumps) On Windows Server 2008 And Windows Vista SP1 Onwards

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

This feature is not enabled by default. Enabling the feature requires administrator privileges.

To enable and configure WER to capture and store application crash dumps, add the values to the following registry key:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps

Name: DumpFolder

Type: REG_EXPAND_SZ

Value: %LOCALAPPDATA%\CrashDumps

Name: DumpCount

Type: REG_DWORD

Value: 10 (decimal) This will collect 10 application crash dumps.

Name: DumpType

Type: REG_DWORD

Value: 0x2 (Value 2 is for Full dump)

Note: The preceding settings apply globally to all user-mode applications. Application crash dumps are saved to the DumpFolder location. Service crash dumps are written to service-specific profile folders depending on the service account used. For example, the profile folder for Network and Local Services is %WINDIR%\ServiceProfiles. For System services, the folder is %WINDIR%\System32\Config\SystemProfile.

Related:

3374462: Configure crashkernel memory for kernel core dump analysis

This will make kdump act in a manner similar to the older netdump mechanism: the capture environment will go up to runlevel 3 (where network connectivity is enabled) and will use the secure copy command scp to transfer the kernel core dump to a separate system.


2. For SLES11

Add the network device to be used to the variable KDUMP_NETCONFIG in /etc/sysconfig/kdump.

In order to automatically set up a network device, pass the option "auto". This is also the default.

For a custom setup, pass a string that contains the network device and the mode (dhcp, static), separated by a colon, for example: "eth0:static" or "eth1:dhcp".

If you use "static", you have to set the IP address with ip=ipspec as boot parameter, where ipspec is <client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<proto>. See mkinitrd(8) for details.

Pass the dumping method and the destination directory to the parameter KDUMP_SAVEDIR in /etc/sysconfig/kdump.

Supported methods are:

FTP, for example “ftp://user:password@host/var/log/dump”

SSH, for example “ssh://user:password@host/var/log/dump”

NFS, for example “nfs://server/export/var/log/dump”

CIFS (SMB) , for example “cifs://user:password@host/share/var/log/dump”

See also: kdump(5) which contains an exact specification for the URL format.
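
A kernel core dump holds the full contents of memory, and the KDUMP_SAVEDIR URL forms above can carry a password inside /etc/sysconfig/kdump. The following check is an added example, not part of the original article: the function names (get_var, check_netconfig, check_savedir, audit_kdump) are hypothetical and the sample configuration is constructed. It validates KDUMP_NETCONFIG against the format described above and flags a KDUMP_SAVEDIR that embeds a password or uses FTP.

```shell
#!/bin/sh
# Added example (not from the article): audit kdump settings in the SLES11 format above.

# get_var FILE NAME: print the value of the last NAME="value" line, quotes stripped.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_netconfig VALUE: accept "auto" or "<device>:<dhcp|static>".
check_netconfig() {
    case $1 in
        auto|?*:dhcp|?*:static) echo "ok" ;;
        *) echo "invalid"; return 1 ;;
    esac
}

# check_savedir URL: print "<method> <findings>" for the methods listed above.
check_savedir() {
    url=$1
    case $url in
        ftp://*|ssh://*|nfs://*|cifs://*) ;;
        *) echo "unlisted-method"; return 1 ;;   # kdump(5) is authoritative
    esac
    method=${url%%://*}
    rest=${url#*://}
    authority=${rest%%/*}                         # user:password@host part
    findings=""
    case $authority in
        *:*@*) findings="password-in-url" ;;      # secret stored in plain text
    esac
    if [ "$method" = ftp ]; then                  # FTP sends data unencrypted
        findings="${findings:+$findings,}cleartext-transport"
    fi
    echo "$method ${findings:-ok}"
}

# audit_kdump FILE: report on both variables in a kdump sysconfig file.
audit_kdump() {
    echo "KDUMP_NETCONFIG: $(check_netconfig "$(get_var "$1" KDUMP_NETCONFIG)")"
    echo "KDUMP_SAVEDIR: $(check_savedir "$(get_var "$1" KDUMP_SAVEDIR)")"
}

# Constructed sample config, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
KDUMP_NETCONFIG="eth0:dhcp"
KDUMP_SAVEDIR="ftp://dumpuser:example-password@dumphost/var/log/dump"
EOF
audit_kdump "$sample"
rm -f "$sample"
```

On a real system, call audit_kdump /etc/sysconfig/kdump and also confirm that the file is not world-readable if it contains a password.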

Related:


How to Generate NSPPE Core Dump on NetScaler for High Memory issues

This article describes how to generate NSPPE core dump on NetScaler.

Background

When NetScaler, whether standalone or HA pair, runs into memory issues, you would generally generate NSPPE core dump. This triggers the device to restart while dumping the core which would help us with the RCA for high memory usage.

Related:

7004093: How to get a Windows memory dump

If the “Complete memory dump” option is not available:

If the “Complete memory dump” option is removed from the choice list in the later Windows versions, it is because Windows knows that a Complete memory dump isn’t possible. e.g. The amount of physical RAM is more than 2GB, or the page file size isn’t set to the size of physical memory or greater.

The “How to generate a kernel or a complete memory dump file in Windows Server 2008” KB article (http://support.microsoft.com/kb/969028) presents a good deal of information on what’s new and different regarding obtaining a crash dump on Vista/2008, and also covers the “how to manually force a dump” topic too. Although the document describes the possibility of enabling the “Complete” memory dump option even though the machine has over 4GB of memory, due to the issue described of dumps over 4GB potentially being corrupt and the general non-necessity of actually making and uploading a dump of that size, Novell recommends using the “truncatememory or removememory switches in the BCDEdit.exe” approach described in the document.

i.e. From an elevated command prompt (i.e. “Run as administrator”), execute this command:

BCDEDIT.EXE /set {current} truncatememory 0x80000000

to have Windows ignore all the memory above 2GB after the next reboot. Now (after reboot) the “Complete” memory dump option should become available, and the Complete dump generated won’t be larger than 2GB.

To return the machine to its original memory configuration, execute this command:

BCDEDIT.EXE /deletevalue {current} truncatememory

Windows 7 Specific

When attempting to collect a memory dump in connection with a Windows 7 kernel-mode crash, the MEMORY.DMP file may be unexpectedly missing. This may be due to the following Windows 7-specific default behavior:

If there are less than 25GB of disk space free and the machine is not joined to a domain, by default Windows will delete a generated MEMORY.DMP file rather than keeping it (after Windows reboots and reports the crash to Microsoft via the online crash analysis / Windows Error Reporting).

If there are more than 25GB, or the machine is joined to a domain (read “corporate environment”), or you’re actually on a Windows Server 2008 R2 (not Windows 7 Ultimate / Professional / Home), the MEMORY.DMP will be retained by default, as it always has been in previous versions of Windows.

The Windows 7 default policy can be explicitly overridden by setting the following registry value:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]

"AlwaysKeepMemoryDump"=dword:00000001


Formerly known as TID# 10084257

Related:

7022954: How to collect JAVA dumps for taskomatic debugging

This document (7022954) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager 3

Situation

When debugging taskomatic related issues, a JAVA dump may be useful for further debugging.

Resolution

Please run the command:

kill -3 `ps aux | grep Taskomatic | head -1 | awk '{print $2}'`

The core dump file will be saved to /var/crash/javacore.YYYYMMDD.*

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
