
Perform this set of tasks to verify that the Real User Cloud Probe is capturing traffic as expected. To perform these tasks, you must have access to the system on which the Cloud Probe is deployed.

If you do not have access to the Cloud Probe system, you can still validate that the Cloud Probe is capturing traffic by checking its system health from the Collector; see Monitoring Cloud Probe system health on a Collector.

Note

The Cloud Probe service can capture only HTTP and HTTPS traffic destined for the system on which it is running; it cannot capture traffic going out of the system.

In the following procedures, the default Windows installation directory is C:\Program Files\BMC Software\, and the default Linux installation directory is /opt/bmc/.

Troubleshooting tasks and steps
Check the Cloud Probe log file for problems with credentials
  1. Open the installationDirectory/cloudprobe/staging/var/log/epx/epx.log file.
  2. Look for the following message:

    Client error:HTTP POST finished with response code : [401]
  3. If this message is present, the credentials that the Cloud Probe presents were not accepted (HTTP 401). Fix the credentials by modifying the Cloud Probe configuration with the Maintenance Tool.
  4. Restart the Cloud Probe service.
Check the Cloud Probe log file for error messages
  1. Open the installationDirectory/cloudprobe/staging/var/log/epx/epx.log file. 
  2. If you have configured SSL keys for traffic decryption, check for the following message:

    2014-01-24 02:24:10 info CORE INFO: SSL Keys and/or Hosts accept: GOOD
  3. Check for messages whose severity field (the token that follows the timestamp) is err. If you find an err message, contact Customer Support. For example:

    2014-03-25 13:12:47 err   [PROBE-AGENT] Error HTTP POST from: https://172.19.155.208:443/rest/cloudprobeapi/1.0/traffic-filtering-rules?usr=security5
    Couldn't resolve host name. Response code : 0
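The two log checks above (the 401 credentials message and err-level entries, plus the SSL keys confirmation) can be scripted. The following is an added example, not code from the BMC documentation or product. It assumes the epx.log line shape visible in the messages quoted above: a date, a time, a severity token, then the message, with lines that lack a timestamp treated as continuations of the previous entry (as in the "Couldn't resolve host name" line). The sample log text is constructed; the timestamp and severity on the 401 line are assumed, but the check matches on the response code, not the severity.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the message shapes quoted in the procedure.
# The prefix on the 401 line is an assumption; only the "[401]" text matters below.
SAMPLE_LOG = """\
2014-01-24 02:24:10 info CORE INFO: SSL Keys and/or Hosts accept: GOOD
2014-01-24 02:24:11 info [PROBE-AGENT] Client error:HTTP POST finished with response code : [401]
2014-03-25 13:12:47 err   [PROBE-AGENT] Error HTTP POST from: https://172.19.155.208:443/rest/cloudprobeapi/1.0/traffic-filtering-rules?usr=security5
Couldn't resolve host name. Response code : 0
"""

# "YYYY-MM-DD HH:MM:SS <level> <message>"
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+(.*)$")
# Matches "response code : [401]" and "Response code : 0"
CODE_RE = re.compile(r"response code\s*:\s*\[?(\d+)\]?", re.IGNORECASE)
SSL_OK = "SSL Keys and/or Hosts accept: GOOD"


@dataclass
class Entry:
    timestamp: str
    level: str
    message: str
    continuation: list = field(default_factory=list)

    def text(self):
        """Message plus any continuation lines, joined for searching."""
        return " ".join([self.message, *self.continuation])


def parse_entries(text):
    """Group log lines into entries; untimestamped lines continue the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2).lower(), m.group(3)))
        elif entries:
            entries[-1].continuation.append(line.strip())
        else:
            # Text before the first timestamped line: keep it, with unknown severity.
            entries.append(Entry("", "unknown", line.strip()))
    return entries


def triage(text):
    """Apply the three checks from the procedure to the log text."""
    report = {
        "credentials_rejected": False,  # a 401 response code was seen
        "ssl_keys_ok": False,           # the SSL keys/hosts GOOD line was seen
        "err_entries": [],              # full text of every err-level entry
        "http_codes": [],               # every response code found, in order
    }
    for entry in parse_entries(text):
        body = entry.text()
        if SSL_OK in body:
            report["ssl_keys_ok"] = True
        for code in CODE_RE.findall(body):
            report["http_codes"].append(int(code))
            if int(code) == 401:
                report["credentials_rejected"] = True
        if entry.level == "err":
            report["err_entries"].append(body)
    return report


if __name__ == "__main__":
    # Run against the real file with: triage(open(path, encoding="utf-8", errors="replace").read())
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A 401 after a credentials change usually means the Maintenance Tool edit was not followed by a service restart, so re-run the check after the restart in step 4; an err entry whose continuation line reports "Couldn't resolve host name" points at DNS or the configured Collector address rather than at credentials.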
Check the Cloud Probe global statistics file for the presence of network traffic and dropped packets
  1. Open the installationDirectory/cloudprobe/staging/var/log/epx/epx_global_stats_history_core file. This log file contains one line of statistics for every minute.
  2. Check the nb_packet_recv_pcap column for the number of packets received from the capture interface into the Cloud Probe's internal buffer. If this number is always 0, the Cloud Probe is not seeing any network traffic on the network interface that you configured.
  3. Check the nb_packet_drop_pcap column for the number of packets that were not processed because the Cloud Probe did not have enough time or resources to keep up. If this column regularly shows a significant number of dropped packets, the capture is losing data: allocate more CPU resources to the Cloud Probe or reduce the amount of network traffic reaching this system.

    The remaining columns further categorize the type of traffic received by the Cloud Probe:
    • nb_ip_packet_in = Number of IP packets
    • nb_tcp_packet_in = Number of TCP packets
    • nb_ssl_rec_total = Number of SSL records
Check the Cloud Probe HTTP statistics file for the correct amount of HTTP traffic being processed
  1. Open the installationDirectory/cloudprobe/staging/var/log/epx/epx_global_stats_history_http file. This log file contains one line of statistics for every minute.
  2. Check the nb_hits_processed column for the number of clear-text HTTP and encrypted HTTPS transactions that were processed by the Cloud Probe. If this number is always 0, the Cloud Probe sees no HTTP or HTTPS traffic reaching the web server on the configured interface.
  3. Check the nb_hits_discarded_sampling column for the number of HTTP and HTTPS transactions that were discarded because the Cloud Probe service ran short of resources. If this column often contains a nonzero value, contact Customer Support.
  4. Check the nb_hits_discarded_rate_limit column for the number of HTTP and HTTPS transactions that were discarded due to a rate-limiting license.
  5. Check the nb_hits_discarded_sweeping column for the number of HTTP and HTTPS transactions that were discarded due to traffic exclusion policies configured on the Collector. You might have configured rules that excluded more traffic than needed.
  6. Check the nb_hits_discarded_broken column for the number of HTTP and HTTPS transactions that were discarded because the HTTP transaction was incomplete. This condition can be a symptom of general network packet loss in your infrastructure. Your web server might still process these HTTP requests, however.
Check the Cloud Probe SSL decryption statistics file to ensure that website traffic was correctly decrypted
  1. Open the installationDirectory/cloudprobe/tmp/epx/epx_ssl_hosts_stats file. This file is updated every minute, so you might need to reopen the file multiple times. Each line represents a web server for which SSL traffic was detected by the Cloud Probe.
  2. Check for a line containing the web server on which the Cloud Probe is installed. If the web server is not present in the log file, the Cloud Probe might not be capturing traffic on the correct network interface.
  3. Check the value in the hentry_id column. If the value is 0, the associated web server has no IP mapping configured for SSL decryption, and decryption is expected to fail for that web server until a mapping is configured.
  4. Check the last_use_result column for the last SSL decryption status. If the value is always FAIL, you might have provided the wrong SSL key to the Cloud Probe. The keyname_used column indicates which key file was used when a successful decryption was performed.
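The three statistics checks above (global, HTTP and SSL hosts) can be run in one pass. The following is an added example, not code from the BMC documentation or product. It assumes that each statistics file begins with a header line naming the columns and is followed by one whitespace-separated row per minute (or per web server for epx_ssl_hosts_stats); the column order, the name of the host column in epx_ssl_hosts_stats (host), the success value of last_use_result (OK), the relation between received and dropped packet counters (treated as disjoint), and the thresholds are all assumptions, and every sample row is constructed. Only the column names quoted in the procedure come from the page; adjust load_stats() if your build writes a different layout.

```python
# Constructed samples. Column names are those in the procedure; the layout
# (header line, then whitespace-separated rows) and all values are assumed.
CORE_SAMPLE = """\
timestamp nb_packet_recv_pcap nb_packet_drop_pcap nb_ip_packet_in nb_tcp_packet_in nb_ssl_rec_total
2014-03-25T13:10 120000 0 119500 118000 4200
2014-03-25T13:11 135000 9000 134000 133000 4800
2014-03-25T13:12 128000 12000 127000 126000 4500
"""
HTTP_SAMPLE = """\
timestamp nb_hits_processed nb_hits_discarded_sampling nb_hits_discarded_rate_limit nb_hits_discarded_sweeping nb_hits_discarded_broken
2014-03-25T13:10 950 0 0 40 3
2014-03-25T13:11 1010 25 0 38 4
2014-03-25T13:12 990 30 0 41 200
"""
# "host" column name and "OK" result value are assumptions.
SSL_SAMPLE = """\
host hentry_id last_use_result keyname_used
10.1.2.10:443 3 OK www_example_com.pem
10.1.2.11:443 0 FAIL -
10.1.2.12:443 5 FAIL -
"""


def load_stats(text):
    """Parse a header line plus rows into dicts; numeric fields become ints."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = {}
        for name, value in zip(header, line.split()):
            try:
                row[name] = int(value)
            except ValueError:
                row[name] = value
        rows.append(row)
    return rows


def column(rows, name):
    return [r[name] for r in rows if name in r]


def check_core(rows, max_drop_ratio=0.05):
    """Steps 2-3 of the global statistics check: any traffic at all, and pcap drops."""
    recv, drop = column(rows, "nb_packet_recv_pcap"), column(rows, "nb_packet_drop_pcap")
    findings = []
    if recv and not any(recv):
        findings.append("no packets received: check the configured capture interface")
    seen = sum(recv) + sum(drop)  # assumes dropped packets are not counted in recv
    ratio = sum(drop) / seen if seen else 0.0
    if ratio > max_drop_ratio:
        findings.append(f"{ratio:.1%} of packets dropped by pcap: add CPU or reduce traffic")
    return {"drop_ratio": ratio, "findings": findings}


def check_http(rows, sampling_row_fraction=0.5, broken_fraction=0.05):
    """Steps 2-6 of the HTTP statistics check, one finding per discard reason."""
    processed = column(rows, "nb_hits_processed")
    findings = []
    if processed and not any(processed):
        findings.append("no HTTP/HTTPS hits processed on the configured interface")
    sampling = column(rows, "nb_hits_discarded_sampling")
    if sampling and sum(1 for v in sampling if v) / len(sampling) > sampling_row_fraction:
        findings.append("hits discarded by sampling in most minutes: contact Customer Support")
    rate = sum(column(rows, "nb_hits_discarded_rate_limit"))
    if rate:
        findings.append(f"{rate} hits discarded by the license rate limit")
    swept = sum(column(rows, "nb_hits_discarded_sweeping"))
    if swept:
        findings.append(f"{swept} hits excluded by Collector exclusion rules: review the rules")
    broken = sum(column(rows, "nb_hits_discarded_broken"))
    total = sum(processed) + broken
    frac = broken / total if total else 0.0
    if frac > broken_fraction:
        findings.append(f"{frac:.1%} of hits incomplete: investigate packet loss on the network")
    return {"broken_fraction": frac, "findings": findings}


def check_ssl_hosts(rows, local_host):
    """Steps 2-4 of the SSL statistics check for the web server the probe runs on."""
    findings = []
    if local_host not in {str(r.get("host")) for r in rows}:
        findings.append(f"{local_host} not listed: probe may capture on the wrong interface")
    for r in rows:
        if r.get("hentry_id") == 0:
            findings.append(f"{r['host']}: no IP mapping for SSL decryption (hentry_id 0)")
        elif r.get("last_use_result") == "FAIL":
            findings.append(f"{r['host']}: mapped but last decryption failed; check the key")
    return findings


if __name__ == "__main__":
    print(check_core(load_stats(CORE_SAMPLE)))
    print(check_http(load_stats(HTTP_SAMPLE)))
    print(check_ssl_hosts(load_stats(SSL_SAMPLE), "10.1.2.10:443"))
```

Because epx_ssl_hosts_stats is rewritten every minute, run the SSL check a few times before concluding that a host is missing; a host that is mapped (nonzero hentry_id) but keeps reporting FAIL is the case where the key file handed to the Cloud Probe does not match the certificate the server is actually presenting.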

Related topics

Cloud Probe log files

Configuring Cloud Probe SSL keys and settings for traffic decryption

SSL CFG ERROR issued for incorrect Cloud Probe SSL key configuration
