000038483 - How to fix duplicated logs from ODBC collection in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Feb 20, 2020
Version 1

Article Content

Article Number: 000038483
Applies To:
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
 
Issue: The RSA NetWitness ODBC collector collects duplicated events from an ODBC event source.

Resolution: Duplicated events are collected when the tracking ID in the runtime file is not updated correctly because the query that fetches data from the ODBC event source database returns rows in descending order.

To fix this issue, go to /etc/netwitness/ng/logcollection/content/collection/odbc and open the typespec file (.xml).
Then change the dataQuery parameter from descending order to ascending order.

For example:
From descending order:

<dataQuery>
    SELECT acceptedrejected, servername, serveripa, sdate, millisecond, suid, groupname, ipa, reason,
info1, info2, threadid FROM A_AHLOG WHERE sdate > '%TRACKING%' ORDER BY sdate DESC
</dataQuery>

To ascending order:


<dataQuery>
    SELECT acceptedrejected, servername, serveripa, sdate, millisecond, suid, groupname, ipa, reason,
info1, info2, threadid FROM A_AHLOG WHERE sdate > '%TRACKING%' ORDER BY sdate ASC
</dataQuery>
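
The following is an added example, not RSA code: a small Python/sqlite3 simulation of two polling cycles against a constructed A_AHLOG table, showing why the descending query re-collects rows and the ascending query does not. It assumes the collector saves the tracking column (sdate) of the last row returned as the new %TRACKING% value; the function names and sample rows are hypothetical.

```python
import sqlite3

# Constructed sample rows standing in for the A_AHLOG table (sdate, reason).
FIRST_BATCH = [("2020-02-20 10:00:01", "a"),
               ("2020-02-20 10:00:02", "b"),
               ("2020-02-20 10:00:03", "c")]
SECOND_BATCH = [("2020-02-20 10:00:04", "d")]

QUERY = "SELECT sdate, reason FROM A_AHLOG WHERE sdate > ? ORDER BY sdate {order}"


def poll(db, tracking, order):
    """One collection cycle. Assumption: the tracking value written back is
    the sdate of the LAST row in the result set."""
    rows = db.execute(QUERY.format(order=order), (tracking,)).fetchall()
    if rows:
        tracking = rows[-1][0]
    return rows, tracking


def simulate(order):
    """Run two polls with new data arriving in between; return everything
    collected plus the final tracking value."""
    if order not in ("ASC", "DESC"):
        raise ValueError("order must be ASC or DESC")
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE A_AHLOG (sdate TEXT, reason TEXT)")
    db.executemany("INSERT INTO A_AHLOG VALUES (?, ?)", FIRST_BATCH)
    collected, tracking = [], ""
    rows, tracking = poll(db, tracking, order)
    collected += rows
    db.executemany("INSERT INTO A_AHLOG VALUES (?, ?)", SECOND_BATCH)
    rows, tracking = poll(db, tracking, order)
    collected += rows
    db.close()
    return collected, tracking


def duplicate_count(collected):
    """Number of collected rows that repeat an earlier row."""
    return len(collected) - len(set(collected))


if __name__ == "__main__":
    for order in ("DESC", "ASC"):
        events, tracking = simulate(order)
        print(order, "collected:", len(events),
              "duplicates:", duplicate_count(events), "tracking:", tracking)
```

With DESC the last row of each result set is the oldest one, so the saved tracking value lags behind the newest event and the next poll fetches already-collected rows again.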


 
