000038130 - ODBC event source logs not showing when device.ip query used

Document created by RSA Customer Support Employee on Dec 19, 2019
Version 1

Article Content

Article Number: 000038130
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.2.0.0
Platform: CentOS
O/S Version: 7
 
Issue: An ODBC event source is configured and a test connection succeeds (see How to test an ODBC connection from a Log Collector in RSA Security Analytics/NetWitness Platform). The Log Collector logs show ODBC events being published, as below.

/var/log/messages:

Oct 25 09:33:53 LogDecoder NwLogCollector[271640]: [LogdecoderProcessor] [info] [queue.odbc] [processing] [Receiver WorkUnit] [processing] LogDecoderProcessorWorkUnit completed. Published 112 events in 4 messages (average 2394 bytes/message) from queue LogDecoder.logdecoder.odbc at location 127.0.0.1:5671. Processing was aborted: N0


However, Investigate->Navigate with the query device.ip=<EventSourceIP> shows no events.

Tasks: Logs do reach the Investigate->Navigate page, but with other IP values in device.ip, not the original event source IP.
Resolution: Follow the steps below to get the original event source IP into the device.ip meta key.
  1. Log in to the NetWitness GUI and go to LC->explore->logcollection->odbc->eventsources, then click '+' to expand.
  2. Select the event source and change the use_event_source_address value from false to true, as shown below.
    [Screenshot: Explore view]
  3. Log in to the Log Collector with PuTTY and restart the collector service with the command below.
    systemctl restart nwlogcollector
  4. Verify Investigate->Navigate with device.ip=<EventSourceIP>. It must show events now.
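Before attributing missing events to device.ip, it helps to confirm from /var/log/messages that the ODBC queue is actually publishing. The script below is an added example, not part of the RSA article: it sums the "Published N events" counts from NwLogCollector lines for the odbc queue only, using the log format quoted above; the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the RSA article): confirm that the ODBC queue on the
# Log Collector is publishing events before troubleshooting device.ip in
# Investigate. Log format as quoted in the article; sample lines constructed.

# Sum "Published N events" counts over NwLogCollector lines for the odbc queue
# only. Reads the file given as $1, or stdin when no argument is given.
odbc_published_total() {
    awk '/NwLogCollector/ && /\[queue\.odbc\]/ && /Published [0-9]+ events/ {
             for (i = 1; i <= NF; i++) if ($i == "Published") total += $(i + 1)
         }
         END { print total + 0 }' "$@"
}

# Constructed sample: two odbc publish lines plus one from another queue that
# must be ignored by the filter.
SAMPLE_LOG='Oct 25 09:33:53 LogDecoder NwLogCollector[271640]: [LogdecoderProcessor] [info] [queue.odbc] [processing] [Receiver WorkUnit] [processing] LogDecoderProcessorWorkUnit completed. Published 112 events in 4 messages (average 2394 bytes/message) from queue LogDecoder.logdecoder.odbc at location 127.0.0.1:5671. Processing was aborted: N0
Oct 25 09:34:53 LogDecoder NwLogCollector[271640]: [LogdecoderProcessor] [info] [queue.odbc] [processing] [Receiver WorkUnit] [processing] LogDecoderProcessorWorkUnit completed. Published 5 events in 1 messages (average 2101 bytes/message) from queue LogDecoder.logdecoder.odbc at location 127.0.0.1:5671. Processing was aborted: N0
Oct 25 09:34:55 LogDecoder NwLogCollector[271640]: [LogdecoderProcessor] [info] [queue.syslog] [processing] [Receiver WorkUnit] [processing] LogDecoderProcessorWorkUnit completed. Published 40 events in 2 messages (average 900 bytes/message) from queue LogDecoder.logdecoder.syslog at location 127.0.0.1:5671. Processing was aborted: N0'

# Run against the constructed sample. On a collector use:
#   odbc_published_total /var/log/messages
total=$(printf '%s\n' "$SAMPLE_LOG" | odbc_published_total)
echo "odbc events published: $total"   # prints 117 for the sample
if [ "$total" -eq 0 ]; then
    echo "no odbc events published: check the event source connection before looking at device.ip"
fi
```

A non-zero total with an empty device.ip=<EventSourceIP> query points at the use_event_source_address setting rather than at the ODBC connection itself.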
