Troubleshoot the GMT Beat

Common Error Message

You may receive an error like this one:

2020-03-20T12:36:09.762Z        ERROR beater/gmailmessagetracking.go:235      Not found: Dataset gmtlogsautomation:gmal_logs_7_days was not found in location US

If you see this error, cross-verify the dataset you are using. This is likely due to a misspelled dataset name.

No Error Logs and No Data

Run the following command sequence to run the beat in debug mode:

1. ./lrctl gmtb config export --outfile gmtbconfig.yml
2. vim gmtbconfig.yml
3. Change "logging.level: info" it to logging.level: debug and save it.
4. cat gmtbconfig.yml | ./lrctl gmtb config import
   
5. rm gmtbconfig.yml
   
6. ./lrctl gmtb restart

7. ./lrctl gmtb logs

Logs will start coming in. Check for the following error:

Error: beater/gmailmessagetracking.go:238      Not found: Project gmtlogsautomation-test         

If you see this error, verify that the dataset you are using is in the project ID you have used for GMT Beat configuration.

I Do Not See Data Older Than Seven Days

By default, only data from the past seven days is visible from the beat. If you want to see older data, the number of days can be increased up to 180 days by running the following command sequence:

1. ./lrctl gmtb config export --outfile gmtbconfig.yml
2. vim gmtbconfig.yml
3. Change "numbackdaysData: 7" to numbackdaysData: 180 and save it.
4. cat gmtbconfig.yml | ./lrctl gmtb config import
   
5. rm gmtbconfig.yml
   
6. ./lrctl gmtb restart
   
7. ./lrctl gmtb logs
   

If you still do not see logs, contact LogRhythm Customer Support.

Other Problems

Ensure that the following table and schema information has not changed.

• The daily_ table is present by default. Do not delete this table.
• daily_20200319 is a general pattern for every table according to the date/time (for example, daily_yyyymmdd).
• The schema of the table is highly specific. Do not change it. For more information about the table schema, see https://support.google.com/a/answer/7230050.