# Blue Vector Troubleshooting Guide

Overview

This guide provides a systematic approach to troubleshooting Blue Vector environments and verifying that all components are operating in a healthy, steady-state condition. The Blue Vector platform consists of collectors that generate events and forward them to a central manager or SIEM, while also producing Zeek logs for centralized analysis and monitoring.

Healthy Environment Characteristics

In a properly functioning Blue Vector environment:

  • Collectors actively generate events from network traffic
  • Events are forwarded to the central manager or SIEM
  • Zeek logs are produced and sent to the SIEM for analysis
  • All components communicate properly within the system architecture

Initial System Checks

Before diving into component-specific troubleshooting, perform these basic system verification steps:

  1. Physical Hardware Inspection

    • Check the chassis condition
    • Inspect front panel indicator lights for any error states
  2. System Management

    • Look for iDRAC errors related to the operating system
    • Confirm the system boots up successfully
  3. Network Connectivity

    • Verify network interfaces are active
    • Check connectivity between collectors and central manager

Step-by-Step Troubleshooting Process

Step 1: Verify Zeek Logs

Objective: Confirm that Zeek is actively processing network traffic and generating logs.

Procedure:

  1. Log into your Central Manager
  2. Open a terminal session on the target collector
  3. Execute the following command to enter the ingest shell:
    bv shell ingest

  4. Navigate to the Zeek spool logger directory
  5. Use the tail command to follow the connection log as it is written:
    tail -f conn.log


Expected Results:

  • You should see entries for recent network traffic
  • Log entries should contain connection details and timestamps

Troubleshooting:

  • No traffic appears: This may indicate:
    • Zeek service is not running
    • Ingest interface is not receiving data
    • Network connectivity issues
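Watching `tail -f conn.log` tells you whether records are arriving right now, but it does not lend itself to an automated health check. The script below is an added example, not part of Blue Vector's own tooling: it reads the `ts` field of the newest record in a Zeek TSV conn.log and reports the log as stale when that record is older than a threshold. The 300-second threshold, the `LOG` variable and the sample conn.log excerpt it writes are assumptions and constructed data; on a collector, point `LOG` at the live file in the spool logger directory.

```shell
#!/usr/bin/env bash
# Added example (not Blue Vector's own tooling): decide whether a Zeek
# conn.log is still being written by reading the timestamp of its newest
# record. Zeek TSV logs store the epoch time in the "ts" field, which is
# the first column of conn.log, and mark header/footer lines with '#'.

# Print the ts of the newest data record in a Zeek TSV log.
# Prints nothing when the file has no records (header only or empty);
# returns 1 when the file cannot be read.
zeek_last_ts() {
  local log="$1"
  [ -r "$log" ] || return 1
  # Drop '#' header/footer lines, keep the last record, take column 1 (ts).
  grep -v '^#' "$log" | tail -n 1 | cut -f1
}

# Return 0 when the newest record is at most max_age seconds old relative
# to now_epoch (defaults to the current time); 1 when stale or recordless.
zeek_log_fresh() {
  local log="$1" max_age="${2:-300}" now="${3:-$(date +%s)}"
  local ts age
  ts="$(zeek_last_ts "$log")" || return 1
  # Reject an empty or non-numeric ts before doing arithmetic on it.
  case "$ts" in ''|*[!0-9.]*) return 1 ;; esac
  age=$(( now - ${ts%%.*} ))          # whole seconds are enough here
  [ "$age" -ge 0 ] && [ "$age" -le "$max_age" ]
}

# Write a constructed conn.log excerpt (sample data, not captured traffic)
# in Zeek's TSV layout to the given path, so the check can run offline.
write_sample_conn_log() {
  local out="$1"
  {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n'
    printf '1705312800.123456\tCsample01\t10.0.0.5\t51234\t10.0.0.10\t443\ttcp\n'
    printf '1705312830.654321\tCsample02\t10.0.0.6\t51235\t10.0.0.11\t53\tudp\n'
    printf '#close\t2024-01-15-10-01-00\n'
  } > "$out"
}

# Stand-alone run: the sample's newest record is dated January 2024, so
# against the real clock it reports as stale, which is the "no traffic"
# symptom from Step 1. On a collector, set LOG to the live file, e.g.
#   LOG=/path/to/zeek/spool/logger/conn.log   (placeholder path)
LOG="${LOG:-$(mktemp)}"
[ -s "$LOG" ] || write_sample_conn_log "$LOG"
if zeek_log_fresh "$LOG" 300; then
  echo "OK: $LOG newest record ts=$(zeek_last_ts "$LOG") is recent"
else
  echo "STALE: $LOG newest record ts=$(zeek_last_ts "$LOG"); check Zeek service, ingest interface and network path"
fi
```

A non-zero exit from `zeek_log_fresh` maps onto the three causes listed above: confirm the Zeek service is running before looking at the ingest interface and the network path, since a stopped Zeek produces exactly this symptom with an otherwise healthy collector.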

Step 2: Verify Event Generation

Objective: Confirm that collectors are properly generating events from incoming network data.

Prerequisites: Use a collector that has already been confirmed to receive data successfully (from Step 1).

Procedure:

  1. Open the Blue Vector application interface
  2. Navigate to the Events tab
  3. Review the most recent event timestamps
  4. Verify your profile's time zone settings are correct

Expected Results:

  • New events should be continuously generated
  • Timestamps should reflect recent activity
  • Time zone should match your local settings

Troubleshooting:

  • Time discrepancies: Verify the collector's NTP settings
  • No recent events: Check collector configuration and data ingestion

Step 3: Verify Event Forwarding to Central Manager

Objective: Confirm that events generated by collectors are successfully forwarded to the central manager.

Procedure:

  1. Follow the same steps as Step 2, but perform them on the central manager instead of individual collectors
  2. Check for recent events in the central manager's Events tab
  3. Verify that each collector is properly represented in the event stream

Expected Results:

  • Recent events from all collectors should be visible
  • Each collector should contribute events to the central manager
  • Event flow should be continuous and current

Troubleshooting:

  • No recent events in central manager: Contact Blue Vector Support to troubleshoot event forwarding issues
  • Missing collector events: Check specific collector connectivity and configuration

Step 4: Verify Event Forwarding to SIEM

Objective: Ensure that events are successfully forwarded from Blue Vector to external SIEM or logging platforms.

Procedure:

  1. Coordinate with the end user to check their SIEM or logging platform
  2. Ask them to search for Blue Vector events within their system
  3. Verify output logging settings in Blue Vector:
    • Click the gear icon in the upper right corner
    • Select Outputs
    • Review configured output options

Available Output Options:

  • TCP
  • Syslog
  • Kafka
  • Email
  • File upload

Expected Results:

  • Events identified in Steps 2 and 3 should appear in the SIEM
  • Event forwarding should be timely and complete
  • Output configuration should match SIEM requirements

Step 5: Verify Zeek Logs in SIEM

Objective: Confirm that Zeek logs are successfully forwarded to and visible within the SIEM platform.

Procedure:

  1. Ask the end user to examine Blue Vector events within their SIEM platform
  2. Verify that Zeek log events are present
  3. Confirm that log entries match those identified in previous verification steps

Expected Results:

  • Zeek logs should be visible in the SIEM
  • Log entries should correspond to events from Steps 2 and 3
  • Data should be current and complete

Troubleshooting Best Practices

General Approach

  • Start with basics: Always begin with fundamental system checks
  • Work systematically: Follow the step-by-step process in order
  • Verify each component: Ensure each layer is functioning before moving to the next
  • Document issues: Keep track of any anomalies or error messages

Common Issues and Solutions

| Issue | Possible Cause | Solution |
| --- | --- | --- |
| No Zeek logs | Zeek service down | Restart Zeek service, check configuration |
| No events generated | Data ingestion failure | Verify network interfaces and traffic flow |
| Events not reaching central manager | Network connectivity | Check firewall rules and network paths |
| SIEM not receiving events | Output configuration | Verify output settings and SIEM connectivity |
| Time discrepancies | NTP synchronization | Configure and verify NTP settings |

Command Line Reference

# Access Blue Vector ingest shell
bv shell ingest

# Monitor Zeek connection logs
tail -f /path/to/zeek/spool/logger/conn.log

# Check system status
systemctl status [service-name]

# Verify network connectivity
ping [central-manager-ip]
telnet [siem-ip] [port]

Support and Escalation

If troubleshooting steps do not resolve the issue:

  1. Document findings from each verification step
  2. Collect relevant logs and error messages
  3. Contact Blue Vector Support with detailed information
  4. Reach out to your account team for additional assistance

Conclusion

Regular verification of these components ensures optimal Blue Vector performance and helps identify issues before they impact security monitoring capabilities. Following this systematic approach will help maintain a healthy, steady-state environment and quickly resolve any operational issues.