Microsoft Advanced Threat Analytics Center service not starting

  • Question

  • Hello, 

    After 3 reinstallations, I am not able to start the Microsoft Advanced Threat Analytics Center service. I have the following error from my log file:

    System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:27017

    The MongoDB service is running, but the ATA Center service does not work. I have completely uninstalled the ATA Center and reinstalled all gateways, but a few minutes later I have the same issue, and in the web console the configuration regarding the ATA Center disappears ...

    I have the last version, 1.8 update 1.

    Do you have any idea?

    thank you in advance

    Friday, February 2, 2018 4:11 PM

All replies

  • Can you run this command from the mongo bin folder?

    mongo.exe ATA --eval "var collectionNames = db.getCollectionNames(), indexes = [];collectionNames.forEach(function (name) {printjson(name);printjson(db[name].getIndexes());print('-------------------------------------');});" > indexes.txt
    
    

    and paste the output here?

    Is the machine spec up to the Sizing tool recommendation?

    Friday, February 2, 2018 8:04 PM
  • Hello, 

    I will run this command and I will come back to you.

    Regarding the spec, I have:

    2 vCPU, 48 GB memory and 300 GB for the MongoDB storage

    What's happening?

    Thank you in advance

    Saturday, February 3, 2018 10:42 AM
  • Was this configuration recommended by the sizing tool?

    Can you attach the tool's Excel file? (Feel free to scramble sensitive info before you post it.)

    I am asking, because you might have hit a mongo bug (I will be able to confirm when you paste the output I requested). This bug has higher chance of being hit if the system is low on resources.

    Eli

    Saturday, February 3, 2018 11:11 PM
  • Hi Eli,

    I've got the same problem. I recently reinstalled this, it was working for 2 days and now it's failing again.

    I've run the command and the output can be found below.

    MongoDB shell version v3.4.2
    connecting to: mongodb://127.0.0.1:27017/ATA
    MongoDB server version: 3.4.2
    "DirectoryServicesActivity"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.DirectoryServicesActivity"
    }
    ]
    -------------------------------------
    "Dns_20180213002156"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.Dns_20180213002156"
    }
    ]
    -------------------------------------
    "GroupMembershipChangeEvent_20180212104900"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.GroupMembershipChangeEvent_20180212104900"
    }
    ]
    -------------------------------------
    "KerberosAp_20180212131040"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.KerberosAp_20180212131040"
    }
    ]
    -------------------------------------
    "KerberosAs_20180212093854"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.KerberosAs_20180212093854"
    }
    ]
    -------------------------------------
    "KerberosTgs_20180212093936"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.KerberosTgs_20180212093936"
    }
    ]
    -------------------------------------
    "LsaRpc_20180214082901"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.LsaRpc_20180214082901"
    }
    ]
    -------------------------------------
    "Notification"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.Notification"
    }
    ]
    -------------------------------------
    "NtlmEvent_20180212093939"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.NtlmEvent_20180212093939"
    }
    ]
    -------------------------------------
    "Ntlm_20180212094323"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.Ntlm_20180212094323"
    }
    ]
    -------------------------------------
    "Samr_20180212120707"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.Samr_20180212120707"
    }
    ]
    -------------------------------------
    "ServiceControl_20180213001243"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.ServiceControl_20180213001243"
    }
    ]
    -------------------------------------
    "SystemProfile"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.SystemProfile"
    }
    ]
    -------------------------------------
    "UniqueEntity"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.UniqueEntity"
    }
    ]
    -------------------------------------
    "UniqueEntityProfile"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.UniqueEntityProfile"
    }
    ]
    -------------------------------------
    "UserPhoto"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.UserPhoto"
    }
    ]
    -------------------------------------
    "Wmi_20180213001201"
    [
    {
    "v" : 2,
    "key" : {
    "_id" : 1
    },
    "name" : "_id_",
    "ns" : "ATA.Wmi_20180213001201"
    }
    ]
    -------------------------------------

    Thursday, February 15, 2018 9:11 AM
  • This confirms you are hitting the same issue (mongo DB wipe)

    You need to reinstall and make sure your Center is well sized.

    This is fixed in the mongo version embedded into ATA 1.9.

    • Proposed as answer by Mark IT Tech Thursday, February 15, 2018 10:01 AM
    Thursday, February 15, 2018 9:15 AM
  • Okay, thank you.

    When is 1.9 released?

    Thursday, February 15, 2018 9:47 AM
  • Don't have the exact date yet, but "Very Soon" :-)
    Thursday, February 15, 2018 10:03 AM
  • Hi, I have this same issue on my ATA Center and have generated this output as well, but I wonder how you have concluded the mongo DB wipe? Which part of the export indicates that?

    Thanks

    Darek

    Wednesday, February 28, 2018 8:52 AM
  • The script lists all the indexes in the collections.

    You will notice that in the above output there are only default indexes on id, while for most "healthy" collections there should be additional indexes on custom fields.

    What happens is that the DB gets wiped while the service is running, and the mongo SDK, when it tries to insert a new document, automatically creates a collection if it's missing (only without our custom indexes).

    So it's a good indication that the DB was wiped.

    Mongo claims to have fixed that in a newer version, which we embedded into ATA 1.9, which is soon to be released.

    Wednesday, February 28, 2018 9:09 AM
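
The check described in the last reply, as an added example that is not part of the thread or of ATA: a Node.js script that parses an indexes.txt dump and lists the collections that carry only the default `_id_` index. The sample dump and its collection and index names are constructed, and the script assumes the `getIndexes()` output is plain JSON, as in the output posted above.

```javascript
// Added example (not from the thread): summarise an indexes.txt dump.
// Record layout, as in the output above: a quoted collection name, the JSON
// array printed from getIndexes(), then a line of dashes.
const SEPARATOR = /^-{5,}$/;
const QUOTED_NAME = /^"[^"]*"$/;

function parseIndexDump(text) {
  const indexesByCollection = new Map();
  let record = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!SEPARATOR.test(line)) {
      if (line !== "") record.push(line);
      continue;
    }
    // Shell banner lines precede the first record; skip to the quoted name.
    const start = record.findIndex((l) => QUOTED_NAME.test(l));
    if (start !== -1) {
      const name = JSON.parse(record[start]);
      const indexes = JSON.parse(record.slice(start + 1).join("\n"));
      indexesByCollection.set(name, indexes.map((ix) => ix.name));
    }
    record = [];
  }
  return indexesByCollection;
}

function summarize(text) {
  const parsed = parseIndexDump(text);
  // A collection recreated on insert has exactly one index, named "_id_".
  const defaultOnly = [...parsed]
    .filter(([, names]) => names.length === 1 && names[0] === "_id_")
    .map(([name]) => name);
  return { total: parsed.size, defaultOnly };
}

// Constructed sample: collection and index names here are hypothetical.
const SAMPLE = [
  "MongoDB shell version v3.4.2",
  '"Example_A"',
  "[", "{", '"v" : 2,', '"key" : {', '"_id" : 1', "},",
  '"name" : "_id_",', '"ns" : "ATA.Example_A"', "}", "]",
  "-------------------------------------",
  '"Example_B"',
  "[", '{"v":2,"key":{"_id":1},"name":"_id_","ns":"ATA.Example_B"},',
  '{"v":2,"key":{"exampleField":1},"name":"exampleField_1","ns":"ATA.Example_B"}', "]",
  "-------------------------------------",
].join("\n");

console.log(summarize(SAMPLE));
```

A dump in which `defaultOnly` covers every collection matches the pattern the reply describes; a few default-only collections on their own do not, since the reply says only most healthy collections have custom indexes.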