Hi everyone,
I’ve integrated Cisco Umbrella with my SIEM via the S3 bucket, and it initially worked well, with logs being parsed correctly. However, after a while, I started receiving unparsed events.
When I checked the agent.log file, I noticed that the heap size was nearly full, so I performed an aggregation on the connector and increased the heap size from 1GB to 3GB. This fixed the issue temporarily, and logs started coming through properly parsed again.
Unfortunately, after about two weeks, the problem resurfaced, and I’m once again seeing unparsed events. When I checked the heap size this time, I had around 2GB of free space, so it doesn’t seem like a memory issue.
In the agent.out.wrapper.log, I found this error:
INFO | jvm 1 | 2024/11/07 07:42:58 | [Thu Nov 07 07:42:58 CET 2024] [ERROR] [java.lang.Exception: Incorrect format, expected [23] tokens, found [24].
I also noticed that when I reinstall the connector, the logs come through parsed correctly, but only temporarily, which makes me think there might be a configuration issue somewhere along the line.
Has anyone encountered this before, or does anyone have suggestions for a permanent fix?
Thanks in advance for any help!
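The error quoted above ("expected [23] tokens, found [24]") is what a fixed-column tokenizer produces when a line has one more comma-separated field than it was built for. The example below is added here to illustrate that failure mode; it is not code from the original post, from Cisco Umbrella, or from any SIEM connector. It uses a hypothetical nine-column schema instead of Umbrella's real 23-column layout, and the sample log lines are constructed for the example. It shows the two things that can trip a strict tokenizer (a column added to the schema, and a comma inside a quoted field), and a tolerant parser that keeps the event and flags the drift instead of dropping it.

```python
import csv
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical column list for this example; the real Umbrella S3 log schema
# has more columns (the connector in the post expects 23), but the mechanics
# are identical for any fixed-column CSV schema.
SCHEMA: List[str] = [
    "timestamp", "identity", "internal_ip", "external_ip",
    "action", "query_type", "response_code", "domain", "categories",
]

# Constructed sample lines, not real Umbrella output.
#  [0] matches SCHEMA exactly (9 columns)
#  [1] carries one extra trailing column, i.e. the schema has grown
#  [2] has a comma inside a quoted field; a naive split() miscounts it
SAMPLE_LINES: List[str] = [
    '"2024-11-07 07:42:58","laptop-01","10.0.0.5","203.0.113.9","Allowed",'
    '"1 (A)","NOERROR","example.com","Search Engines"',
    '"2024-11-07 07:42:59","laptop-02","10.0.0.6","203.0.113.9","Blocked",'
    '"1 (A)","NOERROR","bad.example","Malware","new-column-value"',
    '"2024-11-07 07:43:00","laptop-03","10.0.0.7","203.0.113.9","Allowed",'
    '"1 (A)","NOERROR","example.org","Business Services,Software/Technology"',
]


class TokenCountError(ValueError):
    """Raised by the strict parser; mirrors the wording of the connector error."""


def naive_parse(line: str, expected: int) -> List[str]:
    """Strict tokenizer: split on every comma and demand an exact count.

    This is the behaviour implied by the error in the post: any change in the
    number of columns, or a comma inside a field, rejects the whole event.
    """
    tokens = line.split(",")
    if len(tokens) != expected:
        raise TokenCountError(
            f"Incorrect format, expected [{expected}] tokens, found [{len(tokens)}]."
        )
    return tokens


@dataclass
class ParsedEvent:
    fields: Dict[str, Optional[str]]
    extra: List[str] = field(default_factory=list)    # columns beyond SCHEMA
    missing: List[str] = field(default_factory=list)  # SCHEMA columns absent

    @property
    def schema_drift(self) -> bool:
        """True when the line's column count differs from the schema."""
        return bool(self.extra or self.missing)


def tolerant_parse(line: str, schema: List[str]) -> ParsedEvent:
    """Quote-aware parse that keeps the event and flags drift instead of failing."""
    tokens = next(csv.reader([line]))  # honours double-quoted fields
    fields = dict(zip(schema, tokens))
    extra = tokens[len(schema):]
    missing = schema[len(tokens):]
    for name in missing:
        fields[name] = None
    return ParsedEvent(fields=fields, extra=extra, missing=missing)


def summarize(lines: List[str], schema: List[str]) -> Dict[str, int]:
    """Per-batch health counters: how many events the strict parser would drop
    versus how many the tolerant parser merely flags for schema drift."""
    stats = {"total": 0, "strict_rejected": 0, "drift_flagged": 0}
    for line in lines:
        stats["total"] += 1
        try:
            naive_parse(line, len(schema))
        except TokenCountError:
            stats["strict_rejected"] += 1
        if tolerant_parse(line, schema).schema_drift:
            stats["drift_flagged"] += 1
    return stats


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = tolerant_parse(line, SCHEMA)
        print(ev.fields["domain"], "drift:", ev.schema_drift, "extra:", ev.extra)
    print(summarize(SAMPLE_LINES, SCHEMA))
```

Two of the three constructed lines are rejected by the strict parser, but only one of them is genuine schema drift; the other is a quoted comma that a proper CSV reader handles. Counters like those from `summarize` are worth emitting from the ingestion pipeline so that a column-count change in the S3 files shows up as an alert when it happens rather than as a backlog of unparsed events two weeks later.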