Submit a ticketCall us

Don’t fall victim to a ransomware attack
Backups are helpful, but sometimes that’s not enough to protect your business against ransomware. At our live webcast we will discuss how to protect against ransomware attacks with SolarWinds® Patch Manager and how to leverage log data to detect ransomware. Register now for our live webcast.

Home > Success Center > Log & Event Manager (LEM) > Some agent nodes are duplicated and show as a non-agent node

Some agent nodes are duplicated and show as a non-agent node

Created by Jason Dee, last modified by Tim Rush on Jul 21, 2017

Views: 102 Votes: 5 Revisions: 8

Overview

In your LEM Console, you see agent nodes that appear to have duplicate non-agent nodes (signified by a Y-shaped grey icon in the Status tab).

Environment

  • All LEM versions
  • Windows or Linux hosts with more than one IP address or network interface

Cause 

Usually, instances of one or more agents showing up as a non-agent node (or as both an agent and non-agent node) is due to having multiple network interfaces and/or IP addresses on the same host.
Because of the way computers or network devices may send from multiple names/addresses, the LEM will register the node hostname or IP-address that sent the event, and we view these in the Node List.

Resolution

Warning:

  • Consult your System Administrator before performing the following procedure.
  • SolarWinds strongly recommends that you only edit the spop.conf file (or possibly the hosts file) as instructed. Any additional modifications may result in system performance issues or may create an error state.
  • Save a copy of the original spop.conf file (& hosts file) to your local drive as a backup file, in case you need to roll back later.
     

​Connect to the affected host and perform the following steps:

  1. Stop the SolarWinds Log and Event Manager Agent service.
     
  2. Go to C:\Windows\system32\ContegoSPOP (32-bit) or C:\Windows\SysWOW64\ContegoSPOP (64-bit) and locate spop.conf.
     
  3. Open spop.conf in a text editor (prefer notepad or notepad++, but wordpad will also work).
     
  4. Add ONE of the following attributes below on a new line.
              [Should one of the following not work, try a different one as outlined in step 7.]
    1. ​To force the agent to use the hostname (as shown by typing hostname in a command prompt):
           [This option is preferable for web servers or computers with unique functionality.]
      UseLocalEnvironmentVariableForLocalHost=true
           [With this option, add the agents IP & hostname as the first line in it's own "hosts" file.]
      (c:\windows\system32\drivers\etc\hosts)

       
    2. To force the LEM manager to use the hostname that the LEM detects for this host:
      UseManagerDetectionOfLocalHost=true
       
    3. To force the agent to use the hostname or IP address you specify (but only use one of the following, not both).
          [This option is preferable for laptops that may disconnect abruptly from a network,
           or switch back & forth between wireless and ethernet (hard-wired).]
      ForcedLocalAddress=server1 (use the hostname of the Windows computer itself)
      or
      ForcedLocalAddress=10.10.10.1 
      (use the primary IP address of the computer itself)
       
  5. Save and exit.
     
  6. Start the SolarWinds Log and Event Manager Agent service.
     
  7. After the agent reconnects, the duplicate node should be removed automatically.
    If it does not remove automatically, manually remove it from the list.
    If the duplicate node comes back, remove the attribute you tried, and try another one of the attributes above.
Last modified
08:29, 21 Jul 2017

Tags

Classifications

Public