
| Subject: | [ISSForum] EC's losing database rights - but not credentials |
|---|---|
| Date: | Mon, 23 Aug 2004 13:44:46 +0100 |

I had something very strange happen a while ago.
The SQL logins/users used by two EC's (let's call them EC_A and EC_B)
effectively lost their rights in RealsecureDB. At the time, the database
was not full, the disk had plenty of space, none of the maintenance jobs
were running etc. The environment is RSSP 2.0 / SP4 and SQL Server 2K on
W2K and has been stable for ~1 year.
The obvious symptom was that, more or less simultaneously, both EC's
stopped forwarding events to the database. Further investigation
revealed that both EC's *authenticated* properly to the SQL Server
(verified by Profiler), but disconnected after a short while. Also, both
EC's logged emtrace.txt messages like these on each retry:
--snip---
CMainLoadTbl::SetWorkingSpaceFromDB retcode:0 state:42000
MessageText:[Microsoft][ODBC SQL Server Driver][SQL Server]SELECT
permission denied on object 'stg_AlertData1', database 'RealSecureDB',
owner 'dbo'.
CMainLoadTbl::SetWorkingSpaceFromDB Error retrieving WorkingSpace# from
DB.
CBulkCopyTbl::InsertRow Could not insert row - bcp_sendrow reported an
error - RealSecureDB..
CMainLoadTbl::StoreEvent Could not load event into database.
CEventSourceDbCallback Database Error on Store request for an event from
Event Source network_sensor_1@X.X.X.X: The Event Database: the event
loader is busy. [ID=0xc7390021]
CEventStreamManager Fatal error! The Event Collector cannot connect to
the database or there is a database error: The Event Collector must
shutdown its connection to the database and the sensors in order to
prevent events from getting lost. This could be due to a
misconfiguration of the Event Collector, network communication problems,
or a problem with the database itself (e.g. database full).
[ID=0xc734002f]
CMainLoadTbl::SetWorkingSpaceFromDB retcode:0 state:42000
MessageText:[Microsoft][ODBC SQL Server Driver][SQL Server]SELECT
permission denied on object 'stg_AlertData1', database 'RealSecureDB',
owner 'dbo'.
CMainLoadTbl::SetWorkingSpaceFromDB Error retrieving WorkingSpace# from
DB.
CBulkCopyTbl::InsertRow Could not insert row - bcp_sendrow reported an
error - RealSecureDB..
T:0b88 CMainLoadTbl::StoreEvent Could not load event into database.
--snip---
Stopping/starting the EC or issDaemon was predictably ineffective.
Rather than attempting to fix rights on existing logins/users I went for
removal/reinstall, which solved the problem as this implicitly creates
new SQL logins/users. I have no idea what actually caused the problem
though - this occurred at 5 am when system load is minimal and no
staff around.
Ideas welcome.
Cheers,
Robert
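
An added triage example, not part of the original post: the emtrace.txt excerpt above mixes a generic "database full" hint with the actual ODBC error, so this sketch unwraps the log lines and extracts the permission-denied records, which separates an authorization failure from the other causes the Event Collector suggests. The function names are hypothetical, and the sample text is assembled from lines of the excerpt.

```python
import re

# Sample assembled from the excerpt in the post, keeping its hard line wraps.
SAMPLE = """\
CMainLoadTbl::SetWorkingSpaceFromDB retcode:0 state:42000
MessageText:[Microsoft][ODBC SQL Server Driver][SQL Server]SELECT
permission denied on object 'stg_AlertData1', database 'RealSecureDB',
owner 'dbo'.
CMainLoadTbl::SetWorkingSpaceFromDB Error retrieving WorkingSpace# from
DB.
CEventStreamManager Fatal error! The Event Collector cannot connect to
the database or there is a database error:
or a problem with the database itself (e.g. database full).
CMainLoadTbl::SetWorkingSpaceFromDB retcode:0 state:42000
MessageText:[Microsoft][ODBC SQL Server Driver][SQL Server]SELECT
permission denied on object 'stg_AlertData1', database 'RealSecureDB',
owner 'dbo'.
"""

# The ODBC "permission denied" message in the shape shown in the excerpt:
# SQLSTATE, driver/server tags in brackets, then permission, object, db, owner.
DENIED = re.compile(
    r"state:(?P<state>\w+) MessageText:(?:\[[^\]]*\])+"
    r"(?P<perm>[A-Z]+) permission denied on object '(?P<object>[^']+)', "
    r"database '(?P<database>[^']+)', owner '(?P<owner>[^']+)'"
)

def permission_denials(text):
    """Count each distinct (state, permission, object, database, owner) denial."""
    flat = " ".join(text.split())  # undo the wrapping so a message is one span
    counts = {}
    for m in DENIED.finditer(flat):
        key = m.group("state", "perm", "object", "database", "owner")
        counts[key] = counts.get(key, 0) + 1
    return counts

def triage(text):
    """Label an excerpt 'authorization' when the login connected but was denied
    rights on an object; 'other' when no such record is present."""
    denials = permission_denials(text)
    return ("authorization" if denials else "other"), denials

if __name__ == "__main__":
    verdict, denials = triage(SAMPLE)
    print(verdict)
    for (state, perm, obj, db, owner), n in denials.items():
        print(f"{n}x SQLSTATE {state}: {perm} denied on {db}.{owner}.{obj}")
```
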