Article Content
Article Number | 000038232 |
Applies To | RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.2.x, 11.3.x, 11.4.x |
Issue | Global Audit Logging can be configured on RSA NetWitness Platform as described in NW Cfg: Configure Global Audit Logging. However, when the rabbitmq-server service is restarted on the Admin Server (Node Zero), Global Audit Logging stops and customers are unable to see the audit logs in Investigation. You may see the Error and Warning messages below, related to the Logstash service, on the Admin Server -
Customers with large environments may also see high utilization of disk space in the /var/netwitness partition of the Admin Server and slowness in the NetWitness UI. The ls.audit queue in RabbitMQ on the Admin Server keeps growing in messages and is not consumed.
|
Cause | Global Audit Logging is mainly facilitated by the Logstash service, with the RabbitMQ service acting as the reliable message bus. However, when the RabbitMQ service is restarted or crashes, the Logstash service does not recover its connection to the relevant vhost (/rsa/system) and queue (ls.audit) in RabbitMQ. Therefore the Logstash service must also be manually restarted to reconnect to RabbitMQ. |
Resolution | Currently this is a known issue and will be fixed in RSA NetWitness 11.5. |
Workaround | The workaround is to override the systemd configuration of Logstash so that it is restarted whenever the RabbitMQ service is restarted. The systemd "PartOf" option can be used to restart the logstash service as part of a rabbitmq-server service restart. Add the option "PartOf=rabbitmq-server.service" under the [Unit] section of the logstash.service systemd file.
After that, restart the rabbitmq-server service.
|
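The following script is an added example, not part of this article and not an RSA-supplied tool. It implements the workaround above as a systemd drop-in rather than an edit of the packaged unit file (my choice; the drop-in path /etc/systemd/system/logstash.service.d/override.conf and the daemon-reload step are my assumptions, not stated in the article), verifies that the merged unit now carries the dependency, and also includes a small check for the symptom described under Issue: the ls.audit backlog in the /rsa/system vhost, parsed from rabbitmqctl output.

```shell
#!/bin/sh
# Added example (not RSA's own script): tie logstash.service to
# rabbitmq-server.service with PartOf= so that restarting rabbitmq-server
# also restarts logstash, and check the ls.audit backlog.
# Assumption (mine): a drop-in under /etc/systemd/system/logstash.service.d
# is used instead of editing the packaged logstash.service directly.

DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system/logstash.service.d}"

# Render the drop-in contents. Only the [Unit] PartOf= line is needed;
# everything else stays in the packaged logstash.service.
render_dropin() {
    printf '%s\n' '[Unit]' 'PartOf=rabbitmq-server.service'
}

# Write the drop-in under directory $1 (defaults to DROPIN_DIR).
install_dropin() {
    dir="${1:-$DROPIN_DIR}"
    mkdir -p "$dir" || return 1
    render_dropin > "$dir/override.conf"
}

# Return 0 if the drop-in under $1 declares the dependency, 1 otherwise.
dropin_ok() {
    grep -qx 'PartOf=rabbitmq-server.service' "${1:-$DROPIN_DIR}/override.conf"
}

# Read the output of
#   rabbitmqctl list_queues -p /rsa/system name messages
# on stdin and print the ls.audit message count, or "missing" if the queue
# does not appear. A count that keeps rising is the symptom from the article.
audit_backlog() {
    awk 'BEGIN { found = 0 }
         $1 == "ls.audit" { print $2; found = 1 }
         END { if (!found) print "missing" }'
}

# Live steps, run as root: install the drop-in, reload systemd so it is
# picked up, confirm the merged unit shows the dependency, then restart
# rabbitmq-server and confirm logstash came back with it.
apply_live() {
    install_dropin "$DROPIN_DIR" || return 1
    systemctl daemon-reload
    systemctl show logstash.service -p PartOf    # expect PartOf=rabbitmq-server.service
    systemctl restart rabbitmq-server.service
    sleep 5
    systemctl is-active logstash.service
    rabbitmqctl list_queues -p /rsa/system name messages | audit_backlog
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_live
fi
```

Run it as `sh ./logstash-partof.sh --apply` on the Admin Server; without `--apply` it only defines the functions, so it can be sourced and `audit_backlog` can be re-run on its own to watch the queue drain after the restart.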
Notes | Log files to check are:
/var/log/logstash/logstash.log
/var/log/logstash/logstash-plain.log
/var/netwitness/logstash/logs/rsa-netwitness-audit.log |