
Troubleshooting Installs

Easy Troubleshooting Page for Agent Install Failures.


Last updated 1 month ago

BluLogShipper Install Errors

#1. Error: TLS Verification Error (Resolved)

If you encounter the above "TLS Verification Error", it is often associated with the below causes:

Cause: The system is not up to date on patches, or has not been patched in a very long time. As a result, its certificate authority store does not contain current TLS root certificates.

Resolution 1: Please update your system to the latest updates available.

Resolution 2: If the TLS issue is still not resolved, follow these steps:

  1. Open the following link in a browser: https://www.amazontrust.com/repository/AmazonRootCA1.pem

  2. Copy the key.

  3. Save it as a .pem file on your system.

  4. Move the .pem file to the conf folder.

  5. Edit the fluent-bit configuration.

  6. Add the following settings to the output section:

         tls: on
         tls.verify: true
         tls.ca_file: <path of the .pem file>/.pem

  7. Ensure that the path uses forward slashes (/).

  8. Restart the service.

Cause: Your system is out of support and is no longer supported by the vendor.

Resolution: Please upgrade to the latest version of the Operating System (OS) at the earliest. This is considered a severe risk by CSCRF. When your operating system is out of support, security patches are no longer provided by the vendor. Hence, this qualifies as a severe risk and shall be represented as such to the exchange.

Cause: Your system date and time are not synchronised to a radio clock / time server on the internet, and/or are not up to date.

Resolution: Good security practices require that your system should always be in sync with network time servers. There are many reliable time servers on the internet. Please ensure your system is synced.

Cause: TLS version mismatch.

Resolution: This again happens if your system is out of support by the vendor and/or has not been updated in a long time. TLS 1.3 has been a standard for at least 3 years now. Please upgrade.
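A diagnostic for telling the causes above apart, added here as an example and not part of BluLogShipper or its documentation: it attempts a verified TLS handshake and maps the failure to a missing root CA, a wrong clock, a TLS version mismatch, or DNS. The host name and .pem path are placeholders, and the cause labels are this example's own.

```python
import socket
import ssl

# OpenSSL X.509 verify codes grouped by the causes this page lists.
VERIFY_CAUSES = {
    9: "clock",             # certificate is not yet valid (local clock behind)
    10: "clock",            # certificate has expired (local clock ahead, or truly expired)
    19: "missing-root-ca",  # self-signed certificate in chain, root not trusted
    20: "missing-root-ca",  # unable to get local issuer certificate
}

def classify(exc):
    """Map a connection or handshake exception to a troubleshooting cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return VERIFY_CAUSES.get(getattr(exc, "verify_code", None), "other-verify-error")
    if isinstance(exc, ssl.SSLError):
        reason = (getattr(exc, "reason", None) or "").upper()
        if "PROTOCOL" in reason or "VERSION" in reason:
            return "tls-version-mismatch"
        return "other-tls-error"
    if isinstance(exc, FileNotFoundError):
        return "ca-file-not-found"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "network"

def probe(host, port=443, cafile=None, timeout=5.0):
    """Try a verified handshake; return ("ok", TLS version) or (cause, detail)."""
    try:
        # cafile=None trusts the OS store; a path trusts only the certificates in that file.
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version()
    except OSError as exc:
        return classify(exc), str(exc)

if __name__ == "__main__":
    HOST = "ingest.example.invalid"  # placeholder: use your own ingestion endpoint
    CA = "conf/AmazonRootCA1.pem"    # assumed location of the .pem saved in step 3
    print("system store:", probe(HOST))
    print("ca_file     :", probe(HOST, cafile=CA))
```

If the system-store probe returns missing-root-ca while the ca_file probe returns ok, the OS trust store is stale, which is the case Resolution 2 addresses.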


#2. Error: Windows Event and Message Fields Are Missing (Resolved)

Cause: This issue typically arises on older versions of Windows (2016 or older). The root cause is a character set mismatch in Fluent Bit, which defaults to Unicode, while older versions of Windows use ANSI.

Resolution:

  • Update the Use_ANSI flag in every input section to True.

  • Restart the service.


#3. Error: Input Channel for Windows Defender Operational Is Not Present on Windows Server 2012 R2, Leading to Unexpected Service Termination

Cause: Fluent Bit is unable to find the log locations for Windows Defender Operational logs.

Resolution:

  • Remove the input log source for Windows Defender Operational logs.

  • This is a temporary solution that allows the service to work with limited input.


#4. Error: Unable to Install BluLogShipper Due to GLIBC Version Being Lower Than Required

Cause: This issue is caused by an unsupported version of the GNU C Library (GLIBC) for C library-based applications.

Resolution:

  • BluLogShipper supports systems with GLIBC version 2.27 or higher.

  • If the customer needs an older version, refer to the BluLogShipper build documentation and build it in an environment with the required or older GLIBC version.


#5. Error: Unable to Install BluLogShipper from Non-C:\ Drives

Cause: This error occurs when the installer is launched from a file path other than the "C:" drive on Windows. The installer is unable to copy configuration and credential files from another drive to C:\Program Files\BluLogShipper\conf, causing the installation to terminate.

Resolution:

  • Install BluLogShipper from a child directory of the C:\ drive.


#6. Error: Timeout While Performing a DNS Call

Cause: For some clients, the DNS server is set by the service provider, which can lead to errors. Please check your local DNS resolution.

Resolution:

  • If you do not receive any support from your local DNS provider (usually your ISP), try changing the DNS server address to a public secure DNS server such as one of the following:

| Provider | Primary DNS | Secondary DNS | Notes |
|---|---|---|---|
| Google | 8.8.8.8 | 8.8.4.4 | Fast, globally distributed, minimal logging |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Privacy-focused, no logging, fast |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Security-first: blocks malicious domains |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Offers filtering and parental control |

  • Carefully verify the DNS configuration to resolve these issues.

https://www.amazontrust.com/repository/AmazonRootCA1.pem