Note:
1. A real analyzer corresponds to a manually configured analyzer (i.e. an event collector has been added to an agent)
2. A virtual analyzer is created from logs (option Log syslog analyzer in the confset). For example: Checkpoint modules or a server which send(s) its logs to a loghost).
3. A heartbeat is a message regularly sent by an agent and its real analyzers to the SMP server; it allows detecting dysfunctions or disconnections.
4. When a real analyzer has not been sending a heartbeat message for 2 minutes, it automatically switches into the No heartbeat mode and a red cross is displayed in the Alert Monitoring window (tab on the left).

Example:

You want to monitor Checkpoint SmartCenter and its components (VPN, Antivirus). The SmartCenter is a real analyzer and its components are virtual analyzers. If you delete only the SmartCenter (for debug or demo or others) then the modules will be displayed as disconnected.

If you install the SmartCenter again, the modules will send their logs, however the modules will always be displayed with a red X from now on because the first SmartCenter analyzer which created them has now been deleted.

This behavior is a known issue.

The heartbeat notion does not exist for virtual analyzer; it does not allow monitoring the equipment unit which sends the logs. A virtual analyzer is deduced from logs; so it does not send any heartbeat.

Below is a work-around which allows you to deactivate the heartbeats of all virtual analyzers that had their real analyzer deleted. This procedure has no impact, neither on agents nor on real non-deleted analyzers.

2. Launch the following script:

/usr/local/exaprotect/esms-setup/scripts/others/sql.sh

3. At the prompt mysql>, type the command:

mysql> use eas_

mysql> update Exa_Event_Collector set max_hb_delay=-1 where state='D';

/etc/init.d/exa_runtime_ start