Hi,

Recently, my correlation rules have been firing on events but can't create
correlation events and execute the corresponding action. I can see the
rules firing on the dashboard, and the "Last fire at" time updates every
time I refresh the dashboard. I looked through Google and found that the
behavior is similar to bug 812522 on Sentinel 7.0.3, while mine is 7.2.

Then I looked at the server0.0.log and found a lot of log entries like this:


Wed Aug 20 10:33:40 HKT 2014|SEVERE|Thread-221|Unknown.unknown
; Exception Task
esecurity.ccs.comp.correlation.EngineResultListenerImpl$RuleAction$1@1f07b957
rejected from java.util.concurrent.ThreadPoolExecutor@1b86b734[Running,
pool size = 8, active threads = 8, queued tasks = 10000, completed tasks
= 3296728]; java.util.concurrent.RejectedExecutionException;
Wed Aug 20 10:33:40 HKT 2014|SEVERE|Thread-221|Unknown.unknown
java.util.concurrent.RejectedExecutionException: Task
esecurity.ccs.comp.correlation.EngineResultListenerImpl$RuleAction$1@1f07b957
rejected from java.util.concurrent.ThreadPoolExecutor@1b86b734[Running,
pool size = 8, active threads = 8, queued tasks = 10000, completed tasks
= 3296728]
at java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2048)
at java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:821)
at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1372)
at esecurity.ccs.comp.correlation.EngineResultListenerImpl$3.run(EngineResultListenerImpl.java:212)

OK, my questions are:

1. Is the bug 812522 fixed on 7.2 / 7.3?
2. In the log, queued tasks = 10000. It seems this phenomenon (fire but
no execution) occurs when there are a lot of queued tasks (say 10000). Is
there any relationship between these two things? If yes, is it possible
to clean up the queued tasks either on the web interface, control centre
or command line interface?
3. Is it possible to view the queued tasks?
4. Other than restarting the whole Sentinel service, are there any other
ways to resolve this issue? (Mine are running HA, therefore I don't want
to restart the server and flap to the backup machine.)

Thanks and regards, and sorry for the big question.
Jack


--
jackcheng
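
The rejection entries quoted in the post already carry the executor's state in the text that Java's ThreadPoolExecutor prints. The following is an added example, not part of the original post and not NetIQ's code: it parses such entries out of server0.0.log text and flags a saturated executor. The function name parse_rejections and the third sample entry are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the server0.0.log excerpt in the post; the
# third entry (task example.RuleAction$1@0000aaaa) is invented for the demo.
SAMPLE = """\
Wed Aug 20 10:33:40 HKT 2014|SEVERE|Thread-221|Unknown.unknown
; Exception Task
esecurity.ccs.comp.correlation.EngineResultListenerImpl$RuleAction$1@1f07b957
rejected from java.util.concurrent.ThreadPoolExecutor@1b86b734[Running,
pool size = 8, active threads = 8, queued tasks = 10000, completed tasks
= 3296728]; java.util.concurrent.RejectedExecutionException;
Wed Aug 20 10:33:40 HKT 2014|SEVERE|Thread-221|Unknown.unknown
java.util.concurrent.RejectedExecutionException: Task
esecurity.ccs.comp.correlation.EngineResultListenerImpl$RuleAction$1@1f07b957
rejected from java.util.concurrent.ThreadPoolExecutor@1b86b734[Running,
pool size = 8, active threads = 8, queued tasks = 10000, completed tasks
= 3296728]
Wed Aug 20 10:33:41 HKT 2014|SEVERE|Thread-221|Unknown.unknown
; Exception Task example.RuleAction$1@0000aaaa rejected from
java.util.concurrent.ThreadPoolExecutor@1b86b734[Running, pool size = 8,
active threads = 8, queued tasks = 10000, completed tasks = 3296730]; ...
"""

# State string that java.util.concurrent.ThreadPoolExecutor.toString() emits.
REJECTION = re.compile(
    r"Task (?P<task>\S+) rejected from "
    r"java\.util\.concurrent\.ThreadPoolExecutor@(?P<executor>[0-9a-f]+)"
    r"\[(?P<state>[^,\]]+), pool size = (?P<pool>\d+), "
    r"active threads = (?P<active>\d+), queued tasks = (?P<queued>\d+), "
    r"completed tasks = (?P<completed>\d+)\]"
)

def parse_rejections(log_text):
    """Return one record per distinct rejected task, tolerating wrapped lines."""
    flat = " ".join(log_text.split())   # undo the line wrapping seen in the log
    seen, records = set(), []
    for m in REJECTION.finditer(flat):
        key = (m["task"], m["executor"])
        if key in seen:                 # same rejection, logged again with its stack trace
            continue
        seen.add(key)
        rec = {"task": m["task"], "executor": m["executor"], "state": m["state"]}
        rec.update({k: int(m[k]) for k in ("pool", "active", "queued", "completed")})
        # Running with every worker busy: the task was refused because the work
        # queue would not take more, not because the executor was shutting down.
        rec["saturated"] = rec["state"] == "Running" and rec["active"] == rec["pool"]
        records.append(rec)
    return records
```

Run over a real log, a steady stream of saturated records with an unchanged queued count and a barely moving completed count indicates that rule actions are being dropped rather than delayed.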