Unix servers report "not reported" for action, even though they are checking in

I’m having an issue with Unix servers accepting actions. I deploy the action and I see the Unix machines reporting in, but the action never moves from “not reported”.

Once I restart the BESClient it accepts the action, but I have to restart the service each time I want to deploy to them.

Thoughts on how to fix this?

How long have you waited?

It sounds like your Unix servers are not receiving UDP notifications from their relay that new content is available. UDP notifications are the normal flow that triggers the client to evaluate new content (such as actions, new fixlets, analyses, etc.). Without a notification, the client continues sending reports, but only related to the content that it has previously gathered. It will continue to be “not reported” for the new action, because the action has not been gathered and evaluated.

The best answer is to enable the UDP notifications, which are possibly being blocked by a network firewall or host-based firewall on the Unix system. This would be UDP traffic from the relay to the client on the BigFix port, 52311 by default.

If UDP is being blocked, there are several other ways to trigger the gather. By default the client performs a gather once per day. If the client is configured for Automatic Relay Selection, it also performs a gather when the relay selection process runs (every 6 hours, by default). To check more frequently, you can enable Command Polling at the client and set a frequency to poll (which adds workload to the client and relay, so it may require some tuning based on your deployment size but should generally not be more frequent than hourly).

Starting in version 9.5.11, you can also enable Persistent Connections. If you are on at least that version, Persistent Connections can be very effective in solving the issue.

@jgstew has a presentation of tuning settings we recommend for most environments, which covers a lot of these areas. It is still much preferred that you stop blocking the UDP notifications, but also enable Persistent Connections and also enable Command Polling as fallback measures.
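One way to confirm whether UDP from the relay to the client on port 52311 is being dropped, as discussed in this thread. This is an added example, not part of the original posts and not BigFix tooling: the function names and the payload are hypothetical, the payload is a constructed marker rather than a real BigFix notification, and it assumes the BES client service is stopped on the Unix host while `listen` holds the port.

```python
#!/usr/bin/env python3
"""UDP path probe: run `listen` on the client, `send` from the relay host."""
import socket
import sys

BIGFIX_PORT = 52311          # default BigFix port named in the thread
PROBE = b"udp-path-probe"    # constructed payload, NOT a BigFix notification


def listen(port=BIGFIX_PORT, timeout=30.0, bind_addr="0.0.0.0", ready=None):
    """Wait for one datagram. Return (sender_ip, payload), or None on timeout.

    None means nothing arrived in time: a network or host firewall is
    probably dropping UDP on this port somewhere between sender and listener.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))   # fails if the BES client still holds it
        sock.settimeout(timeout)
        if ready is not None:
            ready.set()                # lets a caller know the socket is bound
        try:
            payload, (sender_ip, _sender_port) = sock.recvfrom(2048)
        except socket.timeout:
            return None
        return sender_ip, payload


def send(host, port=BIGFIX_PORT, count=3):
    """Send `count` probe datagrams (UDP is lossy, so send a few)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for _ in range(count):
            sock.sendto(PROBE, (host, port))
    return count


if __name__ == "__main__":
    if len(sys.argv) >= 2 and sys.argv[1] == "listen":
        got = listen()
        print("received from %s: %r" % got if got else "nothing received: UDP likely blocked")
    elif len(sys.argv) == 3 and sys.argv[1] == "send":
        print("sent %d probes to %s:%d" % (send(sys.argv[2]), sys.argv[2], BIGFIX_PORT))
    else:
        sys.exit("usage: probe.py listen | probe.py send <client-ip>")
```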