When SPS is set up with a content policy for SSH that is configured to alert on a credit card rule, an audit trail whose matched content is larger than 32766 bytes (roughly 32 KB, the maximum size of a single indexed term) causes pam-pipeline.service to fail. The following error can be found in the logs:
[Time Stamp] [SPS.Appliance.Hostname] pam-pipeline[3970963]: ERROR c.b.pam.pipeline.storage.PublisherActor Critical error received, actor system is terminated; reason=Document contains at least one immense term in field="alert.matched_content.raw" (whose UTF8 encoding is longer than the max length 32766), all of which were skipped. Please correct the analyzer to not produce such terms. The prefix of the first immense term is: '[115, 113, 108, 108, 100, 114, 32, 80, 65, 82, 70, 73, 76, 69, 61, 36, 72, 79, 77, 69, 47, 46, 115, 113, 108, 108, 100, 114, 112, 119]...', original message: bytes can be at most 32766 in length; got 32896
[Time Stamp] [SPS.Appliance.Hostname] pam-pipeline[3970963]: 2021-07-29 07:05:34,461 startPipelineSystem-akka.actor.default-dispatcher-8 WARN Unable to register Log4j shutdown hook because JVM is shutting down. Using SimpleLogger
[Time Stamp] [SPS.Appliance.Hostname] systemd[1]: health-status.service: Succeeded.
[Time Stamp] [SPS.Appliance.Hostname] syslog-ng[184]: Syslog connection closed; fd='22', client='AF_INET(127.0.0.1:48044)', local='AF_INET(127.0.0.1:10514)'
[Time Stamp] [SPS.Appliance.Hostname] systemd[1]: pam-pipeline.service: Main process exited, code=exited, status=1/FAILURE
[Time Stamp] [SPS.Appliance.Hostname] systemd[1]: pam-pipeline.service: Failed with result 'exit-code'.
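The following Python helper is an added example; it is not part of this article and not code from SPS or One Identity. It parses the "immense term" error shown above, decodes the byte-list prefix so the matched content that triggered the failure can be identified, and checks or trims text against the 32766-byte limit from the error message. The limit is measured in UTF-8 bytes, not characters, so the example also shows multibyte content crossing it earlier than its character count suggests. The constant and function names (MAX_TERM_BYTES, parse_immense_term_error, truncate_to_utf8_bytes) are assumptions, and the second sample line is constructed.

```python
import re

# Hard limit on a single indexed term, in UTF-8 bytes, as quoted in the error
# ("bytes can be at most 32766 in length"). Name is this example's own.
MAX_TERM_BYTES = 32766

# Keyed to the wording of the error message reproduced in the article above.
IMMENSE_TERM_RE = re.compile(
    r'immense term in field="(?P<field>[^"]+)".*?'
    r"The prefix of the first immense term is: '\[(?P<prefix>[\d, ]+)\]\.\.\.'"
    r".*?bytes can be at most (?P<limit>\d+) in length; got (?P<got>\d+)"
)

# First line is the pam-pipeline error from the article; the second is a
# constructed systemd line that must not match.
SAMPLE_LOG_LINES = [
    "[Time Stamp] [SPS.Appliance.Hostname] pam-pipeline[3970963]: ERROR "
    "c.b.pam.pipeline.storage.PublisherActor Critical error received, actor system "
    "is terminated; reason=Document contains at least one immense term in "
    'field="alert.matched_content.raw" (whose UTF8 encoding is longer than the max '
    "length 32766), all of which were skipped. Please correct the analyzer to not "
    "produce such terms. The prefix of the first immense term is: '[115, 113, 108, "
    "108, 100, 114, 32, 80, 65, 82, 70, 73, 76, 69, 61, 36, 72, 79, 77, 69, 47, 46, "
    "115, 113, 108, 108, 100, 114, 112, 119]...', original message: bytes can be at "
    "most 32766 in length; got 32896",
    "[Time Stamp] [SPS.Appliance.Hostname] systemd[1]: pam-pipeline.service: "
    "Failed with result 'exit-code'.",
]


def parse_immense_term_error(line):
    """Return a dict describing an 'immense term' failure in a log line, or None.

    The prefix is the first bytes of the offending term, printed by the indexer
    as a list of decimal byte values; decoding it reveals which audit-trail
    content the content policy matched.
    """
    m = IMMENSE_TERM_RE.search(line)
    if not m:
        return None
    prefix_bytes = bytes(int(b) for b in m.group("prefix").split(","))
    limit, got = int(m.group("limit")), int(m.group("got"))
    return {
        "field": m.group("field"),
        "limit": limit,
        "got": got,
        "excess": got - limit,
        "prefix": prefix_bytes.decode("utf-8", errors="replace"),
    }


def scan_log(lines):
    """Return parsed results for every line that carries the immense-term error."""
    return [r for r in (parse_immense_term_error(l) for l in lines) if r]


def utf8_length(text):
    """Size of the text as the indexer sees it: UTF-8 bytes, not characters."""
    return len(text.encode("utf-8"))


def exceeds_term_limit(text, limit=MAX_TERM_BYTES):
    """True if indexing this text as a single term would trigger the error."""
    return utf8_length(text) > limit


def truncate_to_utf8_bytes(text, limit=MAX_TERM_BYTES):
    """Cut text so its UTF-8 encoding fits in `limit` bytes.

    The cut is made on the encoded bytes and a trailing partial multibyte
    sequence is dropped, so the result is still valid UTF-8.
    """
    encoded = text.encode("utf-8")
    if len(encoded) <= limit:
        return text
    return encoded[:limit].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"field={hit['field']} got={hit['got']} limit={hit['limit']} "
              f"excess={hit['excess']} prefix={hit['prefix']!r}")
```

Run against the article's own error line, the decoded prefix reads "sqlldr PARFILE=$HOME/.sqlldrpw", which points at the session text that the credit card rule matched, and the document overshot the limit by 130 bytes. Because the check works on encoded bytes, 20000 accented characters already exceed the limit even though the character count is well under 32766.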