MVISION Cloud Connector Known Issues

The date format doesn't automatically pick the selected Timestamp column from the Map Log Fields in the Log parser when there are multiple date header columns such as Date or Timestamp in the parsed logs. As a workaround, make sure to manually update the correct date format. 

Cloud Connector throws ldapusers cache error after upgrading from 3.9.2 to 5.3.0 and above versions. As a workaround:

1. Delete the ldapusers cache from the Cloud Connector installed directory (leveldb) and restart the Cloud Connector.
2. Use the following curl command to push respective properties to YML with the mentioned payload when switching between rocksdb and leveldb:

Switching to leveldb

{
  "logProcessor":{ "unmatchedtracker.keyValueStoreType":"LEVELDB",
  "ldapusers.cache.type":"LEVELDB","dualmode.storeType":"LEVELDB",
  "tldcache.cache.type":"LEVELDB","ipDomainCache.cache.type":"LEVELDB",
  "blockedURLCache.cache.type":"LEVELDB",
  "ipUserMapperStore.cache.type":"LEVELDB"   },
  "integration": {
    "smtp": {},
    "siem": {},
    "panorama": {},
    "custom_attributes": {},
    "ip_user_mapping": {},
    "syslog": {}
  }
}

Switching to rocksdb

{
  "logProcessor":
  { 
  "unmatchedtracker.keyValueStoreType":"ROCKSDB",
  "ldapusers.cache.type":"ROCKSDB","dualmode.storeType":"ROCKSDB",
  "tldcache.cache.type":"ROCKSDB","ipDomainCache.cache.type":"ROCKSDB",
  "blockedURLCache.cache.type":"ROCKSDB",
  "ipUserMapperStore.cache.type":"ROCKSDB"   },
  "integration": {
    "smtp": {},
    "siem": {},
    "panorama": {},
    "custom_attributes": {},
    "ip_user_mapping": {},
    "syslog": {}
  }
}

RocksDB is not the default cache memory when MVISION Cloud Connector is upgraded from 5.0.1 to 5.3.0 version. As a workaround, you need to explicitly configure levelDB to RocksDB.

AD(Additional Domain Controller) multi-forest feature is NOT supported in MVISION Cloud Connector. However, as a workaround:

1. You need to configure ADCs to send events to root DC (Domain Controller). 

2. You can use the CSV method with MVISION Cloud Connector on each DCs.

The publisher config field under Syslog server configuration settings cannot be saved with empty values.

AD shadow and sanctioned attributes are being removed from YML when upgraded to the latest EC version with one or more mapped values set to null. This issue is fixed.

certificatePull(cp)

In MVISION Cloud Connector when a test connection is made to Active Directory, you will see the exception below. This happens because the main thread that is the web request will end once the 10K users reach the iterator, and the result is returned to UI. This triggers a cancellation to the task directoryUserLoaderFuture.

28 Apr 2020 09:14:00 [WARN ] [Active Directory Import Thread] c.s.e.l.i.ActiveDirectoryUsersFetcher| Received Local Error from LDAP Server, will continue
com.unboundid.ldap.sdk.LDAPSearchException: Search processing was interrupted while waiting for a response from server 172.18.154.17:389.
        at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3643)
        at com.shn.ec.ldap.impl.ActiveDirectoryUsersFetcher$DirectoryUserLoaderTask.call(ActiveDirectoryUsersFetcher.java:235)
        at com.shn.ec.ldap.impl.ActiveDirectoryUsersFetcher$DirectoryUserLoaderTask.call(ActiveDirectoryUsersFetcher.java:206)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.unboundid.ldap.sdk.LDAPException: Search processing was interrupted while waiting for a response from server 172.18.154.17:389.
        at com.unboundid.ldap.sdk.SearchRequest.process(SearchRequest.java:1175)
        at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3633)
        ... 6 common frames omitted
Caused by: java.lang.InterruptedException: null
        at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:2014)
        at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2088)
        at java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
        at com.unboundid.ldap.sdk.SearchRequest.process(SearchRequest.java:1164)
        ... 7 common frames omitted

Also, Cloud Connector queries AD for 10,000 users when it goes to the tenant dashboard. This is not the expected behavior. It will be fixed in an upcoming release. 

Due to a security issue, in the MVISION Cloud Connector Web UI, the password field is removed. If you try to connect Cloud Connector using the Web UI, you may see an error message that reads, "Could not authenticate with Skyhigh cloud services. Please check your Skyhigh credentials." This issue is fixed in 5.0.1. 

Cloud Connector was seeing an issue where if you configured SMTP integration advanced properties, such as mail.smtp.auth*, the cloud config was corrupted and CC failed to start or upgrade due to corrupted configs. This issue fixed in 5.0.0. If you see this issue, contact MVISION Cloud Support for assistance. 

Cloud Connector was seeing an issue where the SIEM protocol was set as UDP, but it was changed to TCP on its own, so no logs were received. This issue has been fixed. 

The API used by MVISION Cloud to pull threat protection incidents had an issue that caused it to send duplicate incidents to SIEM. This has been resolved. If you are seeing duplicate incidents:

1. Contact MVISION Cloud Support to set a feature flag.
2. Go to Infrastructure > EC Configuration, and select the SIEM Integration tab. Set the Audit Log Export Type to All Incidents. 
3. Contact MVISION Cloud Support again to disable the feature flag.
4. Set the Audit Log Export Type to New Incidents Only. 

After updating to MVISION Cloud Connector 4.4.x, sometimes the crypt.properties file is not created, which prevents the Syslog service from starting. The Syslog-debug file shows the following exception:

20 Jan 2020 23:54:25 [WARN ] [main] o.s.c.s.ClassPathXmlApplicationContext| 
Exception encountered during context initialization - cancelling refresh 
attempt: org.springframework.beans.factory.BeanInitializationException: 
Could not load properties; nested exception is java.io.FileNotFoundException: 
class path resource [crypt.properties] cannot be opened because it 
does not exist

As a workaround, manually create the crypt.properties file using the following value:

crypt.key=YTgIfyYTwq5iwowwwrHDkjfCjRRAIcOyAFk\=

Then the Syslog service will start and receive data. 

There is a Known Issue with MVISION Cloud Connector 4.3.2 where Syslog over TLS does not work on Windows. To fix this, you must update to the latest version of Cloud Connector using these steps:

1. Stop all running services.
2. Run the Cloud Connector installer to upgrade to the latest version. 
3. Perform the command shnlpcli jksp --newPass xxxx.
4. Start Syslog server first and then Cloud Connector.

When you upgrade MVISION Cloud Connector to 4.2.0 or later, if you have a Panorama integration, you will need to go to Settings > Infrastructure > EC Configuration, click the Panorama tab, and manually modify the Panorama Commit Level value according to the previous configuration. 

If you want to upgrade Panorama settings in MVISION Cloud Connector 4.1.2, contact MVISION Cloud Support. 

When you upgrade MVISION Cloud Connector from 3.9.x to 4.x.x versions, rule-based configurations with complex rules have failed. 

To workaround this issue, add additional backslashes "\'"to skip the special characters in the additional rule config section. Specifically, configure four slashes for a single slash in the additional config preprocessor rule. For example, to configure this, add the extra backslashes as shown:

• Configuration: "{"type":"csv","on":",","trim":"true","escape":"\u0000"}" 
• Configuration with workaround: "{"type":"csv","on":",","trim":"true","escape":"\\\\u0000"}"

When you upgrade an older version of MVISION Cloud Connector (3.9.x) to the latest version of Cloud Connector (4.x) you may encounter install or upgrade failures that are caused by errors regarding the inability to fetch or install certificates. For details see MVISION Cloud Connector Certificate Issues. 

In MVISION Cloud Connector 4.1.2, updating the Log Processor and Integration configurations together may not work properly due to an improper API call. As a workaround, save the configurations separately for each tab.

When you upgrade to MVISION Cloud Connector 4.1.2 from 4.1.0, the SMTP and SIEM configuration may be disabled. We recommended that you reconfigure and Enable the SMTP and SIEM integration from the Dashboard configuration at Settings > Infrastructure > EC Configuration.

For Enterprise Connector 4.1.1, (build 5268) some fonts are missing from the Unix installation. You will see the following error, and then a list of missing fonts.

java.lang.Error: Probable fatal error:No fonts found.

To resolve the issue, reinstall the fonts using the command:

sudo apt-get install fontconfig

Then reinstall EC 4.1.1.

Detokenizing reports for PDF files is currently not working in Enterprise Connector and MVISION Cloud dashboard. Also, multiple worksheets in Excel cannot be detokenized if the group-by option was selected in Report Manager. Both issues are being worked on. The Excel issue will be fixed in the 3.6.1 release. 

After this line:
<logger name="org.springframework" level="WARN" additivity="true"/>

add the following line:
<logger name="com.shn.ec.tokenization.impl.EventTokenizerImpl" level="INFO" additivity="true"/>