Applies to: Centrify DirectAudit Agent 3.1.x on all platforms
The DirectAudit agent was recently deployed or upgraded to version 3.1.x and the agent is unable to connect to the collector with the following errors in syslog:
auth|security:info dad: INFO <auditbg:run-queue> cda.dad.auditor Issue in despooling data: readNBytes: can't read 16 bytes from buffer at offset: 12. Leaving data in place. DirectAudit will try other collectors. Current collector will be considered again after 15 seconds.
The server running the agent can ping the collector just fine and you may even have some agents in the same site connecting without issue.
There was a recently discovered issue with the local spool where the DirectAudit session data is streamed from the cdash shell. It can get corrupted and it prevents the the agent with corrupt spool from sending the data to the collector.
In order to restore the DirectAudit agent's connection to the collector the spool must be cleared out and the agent restarted. Please do the following steps as sudo or root:
1) Run dastop to stop the DirectAudit agent
2) Rename the spool directory /var/centrifyda/spool-dbqc, as follows:
#mv /var/centrifyda/spool-dbqc /var/centrifyda/spool-dbqc-old
3) Run dastart to start the DirectAudit agent
4) Wait several seconds and run dainfo, it should be able to connect to a collector now
This issue has been resolved in the next release of Centrify DirectAudit Agent (version 3.2) included with Centrify Suite 2014. While a full upgrade is recommended (console, DB, collector, agent) only an agent update is required to resolve the issue.