ESM: Duplicate Log Messages

Document created by RSA Information Design and Development Employee on Apr 1, 2016. Last modified by RSA Information Design and Development Employee on Sep 19, 2016.
Version 3

It is possible that you are collecting messages from the same event source on two or more Log Collectors. This topic describes the problem and ways to troubleshoot the issue.


If the ESM aggregator detects the same events for the same event source on multiple Log Collectors, you receive a warning similar to the following:

2015-03-17 15:25:29,221 [pool-1-thread-6] WARN - had a previous event only 0 seconds ago; likely because it exists on multiple log collectors

This warning message means the event source is being collected by multiple hosts. You can see the list of hosts in the Log Collector column in the Manage tab in the Administration > Event Sources view.
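To see how often the aggregator is reporting duplicates, and in which minutes they cluster, the log can be summarised with standard tools. The script below is an added example, not part of the RSA documentation; it assumes the warning lines are in a plain-text log on the Security Analytics server (the path is not stated on this page), and the sample lines embedded in it are constructed in the format quoted above.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): summarise ESM aggregator
# duplicate-collection warnings from a log file.
# Assumption: the lines live in a text log on the Security Analytics host,
# e.g. /var/log/messages (path not given on the page, so pass your own).

# Constructed sample log in the format of the warning quoted above.
SAMPLE_LOG='2015-03-17 15:25:29,221 [pool-1-thread-6] WARN - had a previous event only 0 seconds ago; likely because it exists on multiple log collectors
2015-03-17 15:25:30,004 [pool-1-thread-2] INFO - processed batch
2015-03-17 15:25:31,118 [pool-1-thread-6] WARN - had a previous event only 1 seconds ago; likely because it exists on multiple log collectors
2015-03-17 15:26:02,900 [pool-1-thread-3] WARN - had a previous event only 0 seconds ago; likely because it exists on multiple log collectors'

DUP_PATTERN='likely because it exists on multiple log collectors'

# count_dup_warnings: number of duplicate-collection warnings on stdin
count_dup_warnings() {
  grep -c "$DUP_PATTERN"
}

# dup_warnings_per_minute: one line per minute, "YYYY-MM-DD HH:MM count",
# so a burst can be lined up with the hosts shown in the Log Collector column
dup_warnings_per_minute() {
  grep "$DUP_PATTERN" \
    | awk '{ print substr($1 " " $2, 1, 16) }' \
    | sort | uniq -c \
    | awk '{ print $2 " " $3 " " $1 }'
}

# Usage against a real log:  dup_warnings_per_minute < /var/log/messages
# Demonstration on the constructed sample when run directly:
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | count_dup_warnings
  printf '%s\n' "$SAMPLE_LOG" | dup_warnings_per_minute
fi
```

The per-minute view is the useful one: a steady stream of warnings on every collection cycle, rather than a one-off, is what indicates that an event source really is configured on more than one Log Collector.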

Clean Up Duplicate Messages

  1. Stop collectd on Security Analytics and Log Decoders:

    service collectd stop

  2. Remove the ESM Aggregator persisted file on Security Analytics:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.
    1. Navigate to the Log Decoder REST, at http://<LD_IP_Address>:50102.
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel from the Event Sources Manage tab, select all event sources and then click - to remove them.
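Steps 1 to 3 can be scripted on the Security Analytics server; the script below is an added example and is not RSA's own tooling. It assumes that the Log Decoder REST interface on port 50102 accepts the reset message for the decoder node as the URL http://<LD_IP_Address>:50102/decoder?msg=reset with HTTP basic-auth credentials in LD_USER and LD_PASS (neither the URL form nor the credential handling is stated on this page, and step 1 must still be repeated on each Log Decoder). Step 4 is a UI action and has no command-line equivalent here. A DRY_RUN mode prints the commands instead of executing them so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example (not RSA's own tooling): steps 1-3 of the cleanup above.
# Assumptions not stated on the page:
#   - reset is sent as http://<LD_IP>:50102/decoder?msg=reset
#   - the REST call authenticates with LD_USER / LD_PASS (basic auth)
#   - collectd on the Log Decoders is stopped separately (this only stops
#     the local one), and restarting collectd afterwards is not described
#     on the page, so it is left to the operator.
#
# Usage:            LD_IP=10.0.0.5 sh esm_dup_cleanup.sh
# Review first:     DRY_RUN=1 LD_IP=10.0.0.5 sh esm_dup_cleanup.sh

ESM_STATE=/var/lib/netwitness/collectd/ESMAggregator   # from step 2
LD_REST_PORT=50102                                       # from step 3

# run: execute a command, or only print it when DRY_RUN is set
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# ld_reset_url: REST URL that sends the reset message to the decoder node
# (URL form is an assumption, see above)
ld_reset_url() {
  printf 'http://%s:%s/decoder?msg=reset' "$1" "$LD_REST_PORT"
}

# cleanup_duplicates: run steps 1-3 against the Log Decoder at $1
cleanup_duplicates() {
  ld_ip="$1"
  run service collectd stop                                   # step 1 (local host)
  run rm -f "$ESM_STATE"                                      # step 2
  run curl -s -u "${LD_USER:-admin}:${LD_PASS:-}" \
      "$(ld_reset_url "$ld_ip")"                              # step 3
}

# Only act when LD_IP is set, so the file can be sourced without side effects.
if [ -n "${LD_IP:-}" ]; then
  cleanup_duplicates "$LD_IP"
fi
```

Keeping each step behind run() means the same file serves as a reviewable checklist (DRY_RUN=1) and as the actual procedure, and rm -f on the persisted file makes the script safe to re-run if the file was already removed.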