000026818 - How to verify there is traffic from the Log Collector to the Log Decoder in RSA Security Analytics / NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 23, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000026818
Applies ToRSA Product Set: Security Analytics, Netwitness Logs & Network
RSA Product/Service Type: Log Collector, Log Decoder
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
IssueSometimes for troubleshooting purposes, it is useful to check if the (local) Log Collector is forwarding traffic to the Log Decoder.
In this scenario, the Log Collector is in the same box as the Log Decoder.

Since the TCP Collector module inside the Log Collector forwards unstructured events to the Log Decoder on port 514 over TCP on the loopback address, you can perform a tcpdump to capture the traffic using the following command: 

tcpdump -i lo port 514

If you prefer to save the output to a pcap for offline analysis, then:

tcpdump -i lo port 514 -w <filename>.pcap



Legacy Article IDa65438