Beruflich Dokumente
Kultur Dokumente
BlueTouch Online
Suppor t Hom e
Lic e ns ing
Doc um e nt a t ion
Password: *
L o g in
Blue c oa t .c om
Knowledge Base
Alerts
Cloud Announcements
FAQ
Product Information
Security Advisories
Solutions
Support Documents
Technical Alerts
Support (https://support.bluecoat.com) > Knowledge Base (https://kb.bluecoat.com/index?page=home) > Solutions (https://kb.bluecoat.com/index?page=content&channel=SOLUTIONS) > Solutions
Detail
Solutions
What are some tips for reading the Reporter journal files?
Back to all Solutions
Rate
Printer Friendly
(https://kb.bluecoat.com/index?
this
(https://kb.bluecoat.com/index?
(https://kb.bluecoat.com/index?
(https://kb.bluecoat.com/index?
page=content&channel=SOLUTIONS)
(#rate)
page=content&id=KB3460&pmv=print&impressions=false)
page=content&channel=SOLUTIONS)
page=content&id=KB3460&pmv=print&impressions=false)
Page
(#rate)
Solutions
ID:
KB3460
Version: 30.0
Status: Published
Published
date:
09/29/2009
Updated: 06/13/2014
Applies Linux 32 bit (https://kb.bluecoat.com/index?page=content&channel=SOLUTIONS&cat=LINUX_32_BIT) , Linux 64 bit (https://kb.bluecoat.com/index?
To:
page=content&channel=SOLUTIONS&cat=LINUX_64_BIT)
(https://kb.bluecoat.com/index?page=content&channel=SOLUTIONS&cat=WINDOWS_64_BIT)
, Reporter 9 (https://kb.bluecoat.com/index?page=content&channel=SOLUTIONS&cat=REPORTER_9)
Problem Description
I have the Blue Coat Reporter journal files open in a word processor; are there some tips for how or what I should see in
these?
What are some key word searches we could use to search through the journals of Reporter?
Resolution
The Reporter journal files are kept in a folder just off the root of the main Blue Coat folder, and are rotated through to the
next journal whenever they reach 5,121 KB.
In Linux, the default folder location is /op/bc/reporter/journal.
In Windows, the default folder location is c:/Program Files/Bluecoat Reporter 9/journals.
The following is a typical journal entry.
BCRJ:2009-09-23 14:37:21 (4aba6ae1) NOR.INFO.START
src/sg_main.cpp,625,HandleExternalStartupOptions
main_00001ae0(6880),,
Created the 'isready.txt' file to indicate an administrator exists
BCRJ - Blue Coat Reporter Journal.
2009-09-23 14:37:21 is the date and time down to the seconds.
NOR.INFO.START - NORstands for normal journal entry. Normal journal entries are not shown in the Reporter
https://kb.bluecoat.com/index?page=content&id=KB3460
1/16
9/1/2014
interface. Entries that begin with ALW, such as ALW.ERRO.LOGSO, are shown.
ALW.INFO.START - INFO indicates that this is an informational message. Other possible entries are ERRO
(error) and WARN (warning).
ALW.INFO.START - STARTstands for which part of the code is telling us something. In this case, the Startup part
of the source code is printing out this message. Other code part options are LOGSO (log sources), AUTHE
(authentication), WEBSE (webserver), and DATAB (database).
The journal messages should be grouped according to what time they were printed out and what portion of the code
they came from. For example, even though you see a DATAB message printed in the journal at the same time as (in the
row above or below) an AUTHE message, it does not mean that they are related. In fact, the chances of a database error
and a authentication message being related are very remote.
There are two ways you can search for comments:
Open up each journal file, one by one, and search.
Position yourself at the root folder - mentioned above - and search all of the files for the below mentioned
keywords.
Here's what you see in a report journal on a successful startup, with comments in bold that explain each step:
The Isready file is created at the root of the Reporter install.
This comment declares that the file was found when Reporter first started after a fresh install. It also is indicative that
only the default admin user is configured. The file remains there for the duration of the Reporter installation, and this
message is only shown in the first journal.
BCRJ:2009-09-23 14:37:21 (4aba6ae1) NOR.INFO.START
src/sg_main.cpp,625,HandleExternalStartupOptions
main_00001ae0(6880),,
Created the 'isready.txt' file to indicate an administrator exists
Declaring the License info: Standard /Premium/
BCRJ:2009-09-23 14:37:21 (4aba6ae1) ALW.WARN.UNDEF
src/sg_license.cpp,87,CheckAndFixupLicensing
main_00001ae0(6880),,
Generating standard license to allow maximum of 50000000 database requests across
all loaded databases
Version info: CPU/version/Operating System and build.
Blue Coat Reporter (32-bit), Release Version 9.1.3.1, Build 41492, Windows Server 2003 Enterprise Edition
TIMEZONE Information:
BCRJ:2009-09-23 14:37:21 (4aba6ae1) ALW.INFO.START
src/sg_main.cpp,1285,MainThread::Run
main_00001ae0(6880),,
The time zone is 'Eastern Daylight Time' (+05:00:00)
Information on where Reporter is installed follows:
Where Reporter keeps this customers unique configuration settings-A working configuration:
BCRJ:2009-09-23 14:37:21 (4aba6ae1) NOR.INFO.START
src/sg_main.cpp,1292,MainThread::Run
main_00001ae0(6880),,
settings-root=D:/Program Files/Blue Coat Reporter 9/settings/
Where Reporter is storing its default settings:
BCRJ:2009-09-23 14:37:21 (4aba6ae1) NOR.INFO.START
https://kb.bluecoat.com/index?page=content&id=KB3460
2/16
9/1/2014
https://kb.bluecoat.com/index?page=content&id=KB3460
3/16
9/1/2014
https://kb.bluecoat.com/index?page=content&id=KB3460
4/16
9/1/2014
A Blue Coat Reporter client has been configured to send to Reporter and is now being upgraded from 'unassigned'
to 'assigned'
In other words, it is now linked to a database.
Suggested Search string:
Upgraded
<hash string>
BCRJ:2009-09-23 16:05:52 (4aba7fa0) NOR.INFO.DBMGR
src/sg_profile.cpp,2894,DatabaseManager::UpdateUnassignedLogSource
worker_thread_000008f8(2296),,
Upgraded unassigned log source 'stream:assigned_1b527284124658a438211441291d7a40'
Note: Databases have a hashed name, you can search for in the journals, to find events for them. To find the hash, you
can navigate down to <installed Drive>program Filessettingsdatabase and open up each cfg file, looking for their name,
in English, and then their hash name. The hash name often looks like this:
database_8b4e6220a87a11de8804f0004c9ba7ce. To search for activity on them them, such as loading or unloading,
use this name.
https://kb.bluecoat.com/index?page=content&id=KB3460
5/16
9/1/2014
An entry indicating a crash has occured and Reporter is attempting to shut down:
NOTE: A good indicator that the journal file does not not contain a crash is if it had to roll over and start another journal
file. Its size, in this case, would be 5,121 KB.
Suggested search string:
SHUTTING DOWN
A entry indicating the administration has manualy shut down the Reporter services or daemon:
NOTE: This would typicaly be done by a control C event on the LINUX terminal, or clicking on the service in the "Manager
Services" list, and shutting it down in Windows. This is a normal event, not a crash.
Suggested search string:
SHUTTING DOWN
NORMALLY
CONSOLE
BCRJ:2009-09-23 14:51:22 (4aba6e2a) ALW.INFO.SHUTD
src/sg_main.cpp,1480,MainThread::Run
main_00001f30(7984),,
==> REPORTER IS SHUTTING DOWN NORMALLY BECAUSE OF A CONSOLE
'CTRL_SHUTDOWN_EVENT'REPORTER IS SHUTTING DOWN NORMALLY BECAUSE OF A CONSOLE
'CTRL_SHUTDOWN_EVENT'
Log source Messages
Suggested Search strings:
Loaded log source
unloaded log source.
FTP
UNIX
1: Loading and unloading:
BCRJ:2009-09-25 02:26:49 (4abc62a9) NOR.INFO.LOGSO
src/sg_logreader.cpp,179,LogReader::Load
worker_thread_0000196c(6508),,
Loaded log source 'BlueCoatdb:stream:assigned_1b527284124658a438211441291d7a40
BCRJ:2009-09-24 18:01:16 (4abbec2c) NOR.INFO.LOGSO
src/sg_profile.cpp,4315,DatabaseManager::PhasedLogSource
worker_thread_00001970(6512),,
Unloaded log source 'BlueCoatdb:stream'
2: FTP-related:
BCRJ:2010-03-20 01:16:32 (4ba48460) NOR.INFO.LOGSO
src/sg_logreader.cpp,5638,FTPCloseLogFile
worker_thread_00000764(1892),,
Failed to post process FTP log source file
https://kb.bluecoat.com/index?page=content&id=KB3460
6/16
9/1/2014
'bluecoat_reporter_db:useclifwp120:./SG_main_XX231_0319.log.gz'
BCRJ:2010-03-20 01:16:32 (4ba48460) NOR.INFO.LOGSO
src/sg_logreader.cpp,963,LogReader::WriteCheckpointFile
worker_thread_00000764(1892),,
Checkpoint while processing log source file
'bluecoat_reporter_db:useclifwp120:./SG_main_XX231_0319.log.gz'
NOTE: For more information on why the above FTP log source unloaded, see KB3753 (https://kb.bluecoat.com/index?page=content&id=KB3753) .
Blue Coat Access log rename error.
Suggested Search strings:
RENAME
errno 32
failed
BCRJ:2009-10-05 12:15:25 (4aca1b9d) ALW.ERRO.LOGSO
src/sg_logreader.cpp,3708,HFPCloseLogFile
worker_thread_00001040(4160),,
RENAME log source file
'Q3_September_2009:sept:D:/BC_Logs/Sept/PRXY03_main__2250903145136.log.gz' to
'D:/BC_Logs/Sept/PRXY03_main__2250903145136.log.gz.done' failed with errno 32
NOTE: An attempt to rename the log source failed, because the file was still open or in use by a external
application.
Blue Coat Access log move error:
MOVE
failed with
errno 18
BCRJ:2009-12-10 14:28:21 (4b214bd5) ALW.ERRO.LOGSO
src/sg_logreader.cpp,3882,
worker_thread_b1b27ba0(2981264288),,
MOVE log source file 'BOSdb:a1web1 log
files:/var/bcr/SG01RawLogs/SG_blue_coat_reporter_9__191208012554.log.gz' to
'/services/reporter/ProcessedLogs/SGweb1/SG_blue_coat_reporter_9__191208012554.log.gz'
failed with errno 18 BCRJ:2009-12-10 14:28:21 (4b214bd5) NOR.INFO.LOGSO
src/sg_logreader.cpp,963,
worker_thread_b1b27ba0(2981264288),,
Checkpoint while processing log source file 'BOSdb:a1web1 log
files:/var/bcr/SG01RawLogs/SG_blue_coat_reporter_9__191208012554.log.gz'
NOTE: Reporter 8x and 9.1 might use the MOVE post-processing action only within the same file system. Moves between
different file system moves are not supported. On both LINUX and Windows, the rename and the move commands are
so similiar that the same API is called.
https://kb.bluecoat.com/index?page=content&id=KB3460
7/16
9/1/2014
NOTE: This journal message is actually showing that the ProxySG appliance requested the connection to close. If you
look around a little more, the journal file provides a different message for a new SGP connection.
Reporter crashed.
(Look in the journal prior to this one, to find out what it was doing before it crashed.)
Suggested Search strings:
The previous instance of Reporter
shutdown
BCRJ:2009-03-26 16:39:35 (49cbf617) ALW.ERRO.START
src/sg_main.cpp,939,CreateServerRunningFile
main_00001280(4736),,
The previous instance of Reporter (started at '2009-03-25 12:29:44') did not
shutdown
Reporter is loaded and ready:
Suggested search strings.
8081
port
Web server initilized
BCRJ:2009-03-25 12:29:44 (49ca6a08) ALW.INFO.START
src/sg_task.cpp,1720,MasterThread::Run_Init
master_thread_000016b4(5812),,
Web server initialized CLR port 0.0.0.0:8081
You can now attach to the Reporter webserver on port 8082
Suggested Search strings:
8082
port
Web server initilized
( Reporter is most probably using HTTPS)
BCRJ:2009-04-22 17:01:20 (49ef93b0) ALW.INFO.START
src/sg_task.cpp,1797,MasterThread::Run_Init
master_thread_000010c8(4296),,
Web server initialized SSL port 0.0.0.0:8082
Reporter will not load because it can't bind its Webserver to a port., or it can't find the cfg file to load it.
Suggested search strings.
port
8081
bind failure
BCRJ:2010-01-19 09:42:14 (4b54f1d6) ALW.ERRO.START
src/sg_task.cpp,1795,MasterThread::Run_Init
master_thread_00000128(296),,
Web server CLR socket bind failure 10013 for port 0.0.0.0:8081
BCRJ:2010-11-24 10:42:05 (4ced4e6d) ALW.ERRO.START
src/sg_task.cpp,1490,MasterThread::Run_Init
master_thread_000013ec(5100),,
https://kb.bluecoat.com/index?page=content&id=KB3460
8/16
9/1/2014
Suggested remediation: In the command line, run a nestat- a command to find out which application is using
this port, then stop that application. Or edit the Reporte preferences.cfg file and change it to use another port. See
KB3748 (https://kb.bluecoat.com/index?page=content&id=KB3748) for more details on how to troubleshoot this issue.
The Blue Coat Reporter client is open on the Reporter server, ready to receive connections from the SG.
Suggested Search strings:
9081
initialized port
BCRJ:2009-03-26 16:39:35 (49cbf617) ALW.INFO.START
src/sg_task.cpp,1928,MasterThread::OpenSGPPort
master_thread_00001ea0(7840),,
SGP server initialized port 0.0.0.0:9081
properly.
DATABASE MESSAGES
Loaded Database
Suggested Search strings:
Loading
Loaded
database
BCRJ:2009-03-25 12:35:47 (49ca6b73) NOR.INFO.DBMGR
src/sg_profile.cpp,1345,DatabaseManager::PhasedDatabaseHandler
worker_thread_000002f0(752),,
Loading database 'JOE'
https://kb.bluecoat.com/index?page=content&id=KB3460
9/16
9/1/2014
Deleted database
Suggested search strings:
Deleting database
Deleted database
BCRJ:2009-11-26 12:59:45 (4b0e7bc1) NOR.INFO.DBMGR
src/sg_profile.cpp,1667,DatabaseManager::PhasedDatabaseHandler
worker_thread_00009a5c(39516),,
Deleting database
'database_01696500993e11deab9cf0004c821fa6:database_01696500993e11deab9cf0004c821fa6'
https://kb.bluecoat.com/index?page=content&id=KB3460
10/16
9/1/2014
https://kb.bluecoat.com/index?page=content&id=KB3460
11/16
9/1/2014
Logs/Home_Office/SG_BCRLOG__230422225005.log.gz
https://kb.bluecoat.com/index?page=content&id=KB3460
12/16
9/1/2014
https://kb.bluecoat.com/index?page=content&id=KB3460
13/16
9/1/2014
https://kb.bluecoat.com/index?page=content&id=KB3460
14/16
9/1/2014
E-mail messages:
Suggested search strings:
Email
Send
BCRJ:2009-11-20 15:41:00 (4b06480c) DEB.WARN.EMAIL
src/sg_.cpp,547,Email::Send
email_00000ac8(2760),,
Email: AUTH PLAIN response 235 failed (0, 535) BCRJ:2009-11-20 15:41:00 (4b06480c)
DEB.ERRO.EMAIL
src/sg_.cpp,600,Email::Send
email_00000ac8(2760),,
Email: base64 password response 235 failed (0, 535) BCRJ:2009-11-20 15:41:00
(4b06480c) ALW.ERRO.EMAIL
src/sg_.cpp,108,ReadStringFromFile_Int
email_00000ac8(2760),,
Notes on the above error.
Reporter attempted to send an e-mail, but was turned down because of a bad password by the SMTP gateway. The
above message indicates a 235 code was expected, which would have meant success, but instead a 535 was received
(see inside the brackets), which means a bad password. Despite receiving a b ad password response, Reporter
attempts to log into the gateway without a password to see if it will send that way.
The following message is only informational and indicates the type of contacted FTP host.
BCRJ:2010-11-29 06:51:53 (4cf33f79) NOR.INFO.LOGSO
src/sg_logreader.cpp,4649,
FTPGetLogListworker_thread_00000bac(2988),,
Unix FTP host determined from reply '215 unix type: l8' for FTP log source 'IDC2:idcproxy02.01'
Messages you may see after upgrading to version 9.3.x of Reporter:
The service does not start and you see this message in the journal.
Error message seen in sales demo server journal log:
#####################################################################
https://kb.bluecoat.com/index?page=content&id=KB3460
15/16
9/1/2014
Yes
No
https://kb.bluecoat.com/index?page=content&id=KB3460
16/16