I've been working at standing up a new environment...Sentinel 7.4.1 with
an RCM and 2 SAM Central Computers. When installing SAM, I initially
ran into some problems getting it to communicate with an external SQL
database, but eventually was able to get the issues resolved and SAM
installed successfully. The installation also successfully created the
3 required databases on the SQL server and the SAM server was able to
successfully send a test message to the RCM over SSL using the generated
certificate. I have also been able to deploy agents from SAM to 3 or 4
different Windows machines. I have not modified the data collection
policies in SAM.

Here's the problem I'm running into:
I can see on the Windows event sources that the agent was installed
successfully and the logs indicate that they have received attributes
from the "Consolidator" and that once the agent is placed in a group, it
will receive its data collection rules, indicating this is common for
newly installed agents. However, even after 2 days of troubleshooting,
this message continues throughout the Application logs. Rules are never
received from SAM and events aren't sent from the host to the SAM server
(from what I can tell by watching the message queue on the SAM server).
Additionally, when doing a 'netstat -an | grep 1590' on the RCM, I see
the port is open and listening, but there are no established connections
and there are no event sources being populated in ESM under the RCM for
any Windows event sources.

I'm not sure what could be causing this issue. I've been unable to find
anything in the logs that indicates an issue sending rules to the agent
and I'm currently at a loss of what to try next. Has anyone run into an
issue like this before or does anyone have any recommendations of what
else to look for? I've confirmed the MSDTC settings on the Central
Computer and the SQL server match and I've confirmed 128-bit encryption
(along with NTLM v2) are enabled in the local gpo referenced at the
bottom of this page: http://tinyurl.com/zonkz7t. I'm thinking there is
something simple I've missed, but can't figure out what it is.

Any assistance would be greatly appreciated.


tyl3r32's Profile: https://forums.netiq.com/member.php?userid=11631
View this thread: https://forums.netiq.com/showthread.php?t=56603