Netskope Help

OPLP Alerts and Event Descriptions

This document provides a complete list of OPLP alerts, their description, the required user action, and the SNMP trap notifications that the appliance generates when SNMP traps are enabled.

Alerts with a priority "None" are recovery alerts. "Medium" priority alerts are warnings and "High" priority alerts are critical.

| Alert | Priority | Description | User Action | SNMP Trap Notification |
|---|---|---|---|---|
| Device_rebooted | None | Device was rebooted | Check the status of services by running `show service-status`. | deviceRebootedNotif |
| | High | Device rebooted | | |
| Storage-root-partition | None | Disk usage of the root partition is below 75%. | Check the available disk size of the root partition. From the Linux shell, run the command: `df -h` | storageRootNotif |
| | Medium | Disk usage of the root partition is at 75% or more. | | |
| | High | Disk usage of the root partition is at 90% or more. | | |
| Storage-securestore-partition | None | Secure Store disk usage is below 75%. | Check the available disk size of the Secure Store disk using the “df” command. To increase the size of the partition, contact support. | |
| | Medium | Secure Store disk usage is at 75% or more. | | |
| | High | Secure Store disk usage is at 90% or more. | | |
| Storage-lcmysql-partition | None | Disk usage of lcmysql is below 75%. | Check the available disk size of the lcmysql partition using the “df” command. To increase the size of the partition, contact support. | storageMysqlNotif |
| | Medium | Disk usage of lcmysql is at 75% or more. | | |
| | High | Disk usage of lcmysql is at 90% or more. | | |
| Storage-lcmongo-infrastructure-partition | None | Disk usage of lcmongo-infrastructure is below 75%. | Check the available disk size of the lcmongo-infrastructure partition using the “df” command. To increase the size of the partition, contact support. | storageMongoInfraNotif |
| | Medium | Disk usage of lcmongo-infrastructure is at 75% or more. | | |
| | High | Disk usage of lcmongo-infrastructure is at 90% or more. | | |
| Storage-lclw-partition | None | Disk usage of lclw is below 75%. | Check the available disk size of the lclw partition using the “df” command. If required, increase the disk partition using the command `troubleshooting expand-partition log`. | storageLogNotif |
| | Medium | Disk usage of lclw is at 75% or more. | | |
| | High | Disk usage of lclw is at 90% or more. | | |
| Storage-lckafkabroker-partition | None | Disk usage of lckafkabroker is below 75%. | Check the available disk size of the lckafkabroker partition using the “df” command. To increase the size of the partition, contact support. | storageKafkaBrokerNotif |
| | Medium | Disk usage of lckafkabroker is at 75% or more. | | |
| | High | Disk usage of lckafkabroker is at 90% or more. | | |
| Storage-lcmongo-event-partition | None | Disk usage of lcmongo-event is below 75%. | Check the available disk size of the lcmongo-event partition using the “df” command. To increase the size of the partition, contact support. | storageMongoEventNotif |
| | Medium | Disk usage of lcmongo-event is at 75% or more. | | |
| | High | Disk usage of lcmongo-event is at 90% or more. | | |
| Reportjob_worker_status | None | Reportjob worker is running. | Contact support and provide them the debug package. Run: `troubleshooting debug-package generate` | reportjobWorkerNotif |
| | High | Reportjob worker is not running. | | |
| Reportjob_scheduler_status | None | Reportjob scheduler is running. | Contact support and provide them the debug package. Run: `troubleshooting debug-package generate` | reportjobSchedulerNotif |
| | High | Reportjob scheduler is not running. | | |
| Cfgagent_connection | None | Cfgagent connection to config service has been restored. | If cfgagent is not connected to config services, then check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. | cfgagentConnectionNotif |
| MySql_status | None | MySql db is running. | Contact support and provide them the debug package. Run: `troubleshooting debug-package generate` | mysqlNotif |
| | High | MySql db is not running. | | |
| Event_flow_from_device | None | Event flow from device has been restored. | Indicates if the number of events coming in from a device for a particular week is half the number of events received during the previous week. Check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. | eventflowNotif |
| | High | Event flow from the device is affected. | | |
| Files_not_uploaded_24_hrs | None | Files uploaded successfully. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | filesNotUploaded24hNotif |
| | High | At least 5 files were not uploaded within 24 hours. | | |
| Files_not_uploaded_48_hrs | None | Files uploaded successfully. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | filesNotUploaded48hNotif |
| | High | At least 1 file was not uploaded within 48 hours. | | |
| Files_not_picked_up_24_hrs | None | Files picked up for processing successfully. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | filesNotPicked24hNotif |
| | High | At least 5 files were not picked up for processing within 24 hours. | | |
| Files_not_picked_up_48_hrs | None | Files picked up for processing successfully. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | filesNotPicked48hNotif |
| | High | At least 1 file was not picked up for processing within 48 hours. | | |
| Queryservice_status | None | Queryservice is running. | Run the command `restart queryservice` to restart the service. | queryServiceStatusNotif |
| | High | Queryservice is not running. | | |
| Eventservice_status | None | Eventservice is running. | Run the command `restart eventservice` to restart the service. | eventServiceStatusNotif |
| | High | Eventservice is not running. | | |
| Mongos_status | None | Mongos is running. | Contact support and provide them the debug package. Run: `troubleshooting debug-package generate` | mongoSStatusNotif |
| | High | Mongos is not running. | | |
| Mongodb_status | None | Mongodb is running. | Contact support and provide them the debug package. Run: `troubleshooting debug-package generate` | mongoDBStatusNotif |
| | High | Mongodb is not running. | | |
| Threat_feed_age | None | The threat feed data on the device is up-to-date. | | threatfeedAgeNotif |
| Auth_proxy_status | None | Auth Proxy services have recovered. | Contact support to resolve this issue. | authProxyStatusNotif |
| | High | Auth Proxy services are down. Users may not be able to log in to Microsoft Office 365. | | |
| No_events_from_device | None | Events from device were successfully sent | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see. Contact support to resolve this issue. | noEventsFromDeviceNotif |
| | High | Events from device not received in the last 24 hours | | |
| No_metrics_from_device | None | Metrics from device were successfully sent. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | noMetricsFromDeviceNotif |
| | Medium | Metrics from device were not received in the last 3 hours. | | |
| | High | Metrics from device were not received in the last 6 hours. | | |
| Storage-1a | None | Disk usage of /nslogs is below 50%. | Check the available disk size of the /nslogs partition using the `status all` command. To increase the size of the partition, contact support. | |
| | Medium | Disk usage of /nslogs is at 50% or more. | | |
| | High | Disk usage of /nslogs is at 75% or more. | | |
| Log_Process-4 | None | Files were picked up | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see. Contact support to resolve this issue. | |
| | Medium | Files were not being picked within 10 hours. | | |
| | High | Files were not being picked within 15 hours. | | |
| Log_Process-5a | None | Files moved and split successfully. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | |
| | Medium | Files moved but not split within 24 hours. | | |
| | High | Files moved but not split within 72 hours. | | |
| Log_Process-5b | None | Files moved & split and parsed successfully. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | |
| | Medium | Files moved & split, parsing not finished in 24 hours. | | |
| | High | Files moved & split, parsing not finished in 72 hours. | | |
| Log_Process-5c | None | File parsing finished; events uploaded successfully. | Run the following command to see the list of unprocessed files: `log-upload tools list`. If the list is zero, check your firewall to ensure that OPLP can access the tenant domains. For a complete list of supported tenant domains, see Outbound Ports. Contact support to resolve this issue. | |
| | Medium | File parsing finished; events haven't been uploaded within 24 hours of parsing. | | |
| | High | File parsing finished; events haven't been uploaded within 72 hours of parsing. | | |
| Callhome_status | None | Callhome endpoint is reachable. | The domain always needs to be allowlisted and accessible to the appliance. | callhomeConnectivityNotif |
| | High | Callhome endpoint cannot be reached. | | |
| Downloader_status | None | Downloader endpoint is reachable. | The domain always needs to be allowlisted and accessible to the appliance. | downloaderConnectivityNotif |
| | High | Downloader endpoint cannot be reached. | | |
| Config_service_status | None | Config service endpoint is reachable. | The domain always needs to be allowlisted and accessible to the appliance. | configsvcConnectivityNotif |
| | High | Config service endpoint cannot be reached. | | |
| UI_hostname_status | None | HTTP endpoint is reachable. | The domain always needs to be allowlisted and accessible to the appliance. | uihostnameConnectivityNotif |
| | High | HTTP endpoint cannot be reached. | | |
| UI_hostname_ssh_status | None | SSH endpoint is reachable. | The domain always needs to be allowlisted and accessible to the appliance. | uihostnamesshConnectivityNotif |
| | High | SSH endpoint cannot be reached. | | |
| Logupload_status | None | Logupload endpoint is reachable. | The domain always needs to be allowlisted and accessible to the appliance. | loguploadConnectivityNotif |
| | High | Logupload endpoint cannot be reached. | | |

Outbound Ports

Use these ports for management connectivity and log uploads.

Note

In release 46, the domain names changed. Using version 46 and later requires using the new domain names. Existing deployments (release 45 and prior) do not require the new domain names, but using them is recommended. The one required update is for auto-updates; either turn off auto-update or use the new download-<tenant hostname>.goskope.com domain name. New deployments with release 46 and higher do need to use the new domain names.

For management connectivity:

| Domain | Description | Port |
|---|---|---|
| New: config-<tenant hostname>.goskope.com; Old: config.goskope.com | Use for configuration updates. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443 |
| New: download-<tenant hostname>.goskope.com; Old: download.goskope.com | Use for software upgrades. | 443 |
| New: messenger-<tenant hostname>.goskope.com; Old: messenger.goskope.com | Use for reporting and status updates in the UI. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443 |
| New: callhome-<tenant hostname>.goskope.com; Old: callhome.goskope.com | Use for receiving metrics from on-premises appliances and forwarding them to cloud tenants, as well as receiving event data from on-premises dataplane appliances. Also for receiving custom user attributes from user endpoints. The domain needs to be SSL allowlisted if you have SSL decryption enabled. | 443 |

Note

For international deployments, use ~ -<tenant hostname>.eu.goskope.com or ~ -<tenant hostname>.de.goskope.com.

For log uploads:

| Domain | Description | Port |
|---|---|---|
| New: upload-<tenant hostname>.goskope.com; Old: upload.goskope.com | Use for sending logs to the Netskope cloud with SFTP. This is the default port for log uploads. | 22 |
| No change: logupload-<tenant hostname>.goskope.com | Use for sending logs to the Netskope cloud with HTTPS. This port is enabled by default. | 443 |
| No change: <tenant hostname>.goskope.com | Use for fetching the REST API token with HTTPS. | 443 |

Note

For international deployments, use ~ -<tenant hostname>.eu.goskope.com or ~ -<tenant hostname>.de.goskope.com.
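
Several alerts above ask you to check that the firewall lets OPLP reach the tenant domains, and the Outbound Ports tables list those domains and ports. The Python sketch below is an added example, not Netskope code: it expands the tables for one tenant and probes each endpoint from a host behind the same firewall policy, reporting the TLS certificate issuer on port 443 so that a re-signed session on a domain that must be SSL allowlisted stands out. Assumptions: the tenant name `example` is constructed, the bare tenant domain is assumed to take the same `.eu`/`.de` suffix as the prefixed ones, and treating a failed certificate validation as a sign of SSL decryption is a heuristic.

```python
import socket
import ssl
import sys

# (prefix, port, purpose, must bypass SSL decryption), from the Outbound Ports tables.
ENDPOINTS = [
    ("config-", 443, "configuration updates", True),
    ("download-", 443, "software upgrades", False),
    ("messenger-", 443, "reporting and status updates", True),
    ("callhome-", 443, "metrics and event data", True),
    ("upload-", 22, "log upload over SFTP", False),
    ("logupload-", 443, "log upload over HTTPS", False),
    ("", 443, "REST API token", False),  # bare <tenant hostname>.goskope.com
]


def build_endpoints(tenant, region=None):
    """Expand the table for one tenant; region is None, "eu" or "de"."""
    if region not in (None, "eu", "de"):
        raise ValueError("region must be None, 'eu' or 'de'")
    # Assumption: the bare tenant domain takes the same regional suffix.
    suffix = f".{region}.goskope.com" if region else ".goskope.com"
    return [(f"{prefix}{tenant}{suffix}", port, why, bypass)
            for prefix, port, why, bypass in ENDPOINTS]


def probe(host, port, timeout=5.0):
    """Return (reachable, detail); on 443 the detail names the certificate issuer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if port != 443:
                return True, "tcp connect ok"
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, "issuer=" + issuer.get("organizationName", "?")
    except ssl.SSLError as exc:
        # TCP connected but the chain failed validation (heuristic for re-signing).
        return True, f"TLS untrusted ({type(exc).__name__}): check SSL allowlist"
    except OSError as exc:
        return False, f"blocked or unresolved: {exc}"


if __name__ == "__main__":
    args = sys.argv[1:] or ["example"]  # "example" is a constructed tenant name
    for host, port, why, bypass in build_endpoints(*args[:2]):
        ok, detail = probe(host, port)
        note = " [SSL bypass required]" if bypass else ""
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} {why}{note} -> {detail}")
```

Run it with the tenant name and, for international deployments, `eu` or `de` as the second argument; compare the issuer shown for the config, messenger and callhome domains against your proxy's signing CA.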