Troubleshoot the GMT Beat
Common Error Message
You may receive an error like this one:
2020-03-20T12:36:09.762Z ERROR beater/gmailmessagetracking.go:235 Not found: Dataset gmtlogsautomation:gmal_logs_7_days was not found in location US
If you see this error, cross-verify the dataset you are using. This is likely due to a misspelled dataset name.
No Error Logs and No Data
Run the following command sequence to run the beat in debug mode:
- ./lrctl gmtb config export --outfile gmtbconfig.yml
- vim gmtbconfig.yml
- Change "logging.level: info" it to logging.level: debug and save it.
- cat gmtbconfig.yml | ./lrctl gmtb config import
- rm gmtbconfig.yml
- ./lrctl gmtb restart
./lrctl gmtb logs view
Logs will start coming in. Check for the following error:
Error: beater/gmailmessagetracking.go:238 Not found: Project gmtlogsautomation-test
If you see this error, verify that the dataset you are using is in the project ID you have used for GMT Beat configuration.
I Do Not See Data Older Than Seven Days
By default, only data from the past seven days is visible from the beat. If you want to see older data, the number of days can be increased up to 180 days by running the following command sequence:
- ./lrctl gmtb config export --outfile gmtbconfig.yml
- vim gmtbconfig.yml
- Change "numbackdaysData: 7" to numbackdaysData: 180 and save it.
- cat gmtbconfig.yml | ./lrctl gmtb config import
- rm gmtbconfig.yml
- ./lrctl gmtb restart
- ./lrctl gmtb logs
If you still do not see logs, contact LogRhythm Customer Support.
Other Problems
Ensure that the following table and schema information has not changed.
- The daily_ table is present by default. Do not delete this table.
- daily_20200319 is a general pattern for every table according to the date/time (for example, daily_yyyymmdd).
- The schema of the table is highly specific. Do not change it. For more information about the table schema, see https://support.google.com/a/answer/7230050.