7.8 Troubleshooting

You can perform some basic troubleshooting to ensure that you have successfully configured the search initiator for distributed search. This section lists the most common issues and the probable causes for these issues.

7.8.1 Permission Denied

After doing a distributed search, check the extended status page to view the search status. If the search is not successful, check the following possible causes:

  • The target server administrator might have disabled distributed searching on the target server. To enable distributed search on the target server, see Step 4 in Authorizing a Search Initiator Server.

  • The target server administrator might have disabled the search initiator server for distributed searching. Ensure that the search initiator server is enabled in the target server. For more information, see Authorizing a Search Initiator Server.

  • The role that you used for connecting might not have the Search Remote Targets permission.

7.8.2 Connection Down

  • Network issues in your organization.

  • Sentinel Log Manager servers or Sentinel Log Manager services might be down.

  • Connection time-out.

  • The IP address or the port number of the target server has changed, but the search initiator configuration might not be updated.

7.8.3 Unable to View Raw Data

The Proxy group that is assigned to the search initiator might not have the view all events permission to view the raw data.

7.8.4 Problems Adding Search Target

The search initiator server and target server might not be communicating with each other. Ensure that the firewall and NAT are set up properly to allow communication in both directions. Ping both ways to test.

7.8.5 Certain Events Are Only Visible from the Local System

The user who has logged in to the search initiator has one set of permissions on the local data such as view all data, view system events, security filter settings, and so on. The search proxy group has another set of permissions, possibly more restrictive. Therefore, certain types of data, such as raw data, system events, and PCI events might only be returned from the local system and not the target server.

7.8.6 Different Users Might Get Different Results

Different users might have different security filters or other permissions and therefore get different results from a distributed search.

7.8.7 Cannot Set the Admin Role as the Search Proxy Role

This is by design, for security reasons. Because the data viewing rights for the admin are unrestricted, it is not desirable to allow the admin role as the search proxy role.

7.8.8 Error Logs

You can also determine the cause of the search failure by examining the log files on the search initiator server, particularly in the tomcat0.0 log file. For example, one of the following messages might have been logged:

Invalid console host name 10.0.0.1 
Error sending target request to console host 10.0.0.1
Error getting certificate for console host 10.0.0.1 
Authentication credentials in request to opt-in to console 10.0.0.2 were rejected 
Request to opt-in to console 10.0.0.2 was not authorized 
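
The following Python script is an added example, not part of the product or its documentation. It scans log lines for the message shapes listed above and counts them per console host, so repeated failures against one target stand out. The line prefix in the sample is constructed, and the section each message points to is this example's assumption.

```python
import re
from collections import Counter

# Message shapes copied from the examples in 7.8.8; group 1 is the console host.
# The section listed for each message is this example's assumption.
PATTERNS = [
    (re.compile(r"Invalid console host name (\S+)"),
     "invalid-host", "7.8.2, 7.8.4"),
    (re.compile(r"Error sending target request to console host (\S+)"),
     "send-failed", "7.8.2, 7.8.4"),
    (re.compile(r"Error getting certificate for console host (\S+)"),
     "cert-failed", "7.8.2, 7.8.4"),
    (re.compile(r"Authentication credentials in request to opt-in to console (\S+) were rejected"),
     "creds-rejected", "7.8.1"),
    (re.compile(r"Request to opt-in to console (\S+) was not authorized"),
     "not-authorized", "7.8.1"),
]

def triage(lines):
    """Return {(host, kind): (count, section)} for distributed search errors."""
    counts = Counter()
    see_for = {}
    for line in lines:
        for rx, kind, see in PATTERNS:
            m = rx.search(line)
            if m:
                host = m.group(1).rstrip(".,")  # drop trailing punctuation
                counts[(host, kind)] += 1
                see_for[kind] = see
                break  # one classification per line
    return {key: (n, see_for[key[1]]) for key, n in counts.items()}

# Constructed sample; a real tomcat0.0 log has its own line prefix.
SAMPLE = """\
2011-03-01 10:00:01 SEVERE Error sending target request to console host 10.0.0.1
2011-03-01 10:00:02 INFO Search job started
2011-03-01 10:00:05 SEVERE Error sending target request to console host 10.0.0.1
2011-03-01 10:00:09 WARNING Request to opt-in to console 10.0.0.2 was not authorized
2011-03-01 10:00:12 SEVERE Error getting certificate for console host 10.0.0.1
""".splitlines()

if __name__ == "__main__":
    for (host, kind), (n, see) in sorted(triage(SAMPLE).items()):
        print(f"{host:<12} {kind:<15} x{n}  see section {see}")
```

To run it against a real log, pass the open file object to triage() in place of SAMPLE.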