000032520 - How to restore an RSA Security Analytics Log Collector configuration that was accidentally deleted

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000032520
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector
Tasks
Every time a change is made to the event source configuration, a backup file of the configuration is created here: /etc/netwitness/ng/NwLogcollector.cfg.x
To restore from the backup, perform the following steps:
  1. Stop the Log Collector service.
    stop nwlogcollector

  2. Navigate to the /etc/netwitness/ng directory.
    cd /etc/netwitness/ng

  3. Create a backup of the NwLogcollector.cfg file as well as the NwLogcollector.cfg.x file that will be restored.
  4. Check the contents of the file to be restored and make sure the deleted event source is present in it.
  5. Move the NwLogcollector.cfg file to another directory (e.g. /root) and rename NwLogcollector.cfg.x to NwLogcollector.cfg.
  6. Start the Log Collector service again.
    start nwlogcollector
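
Steps 3 to 5 can be run as one guarded operation, so that the swap is refused when the chosen backup does not contain the deleted event source. The following is an added example, not RSA's own tooling: the function name restore_lc_cfg and its arguments are hypothetical, and it assumes the event source can be recognised by a string that appears verbatim in the configuration file. The service is still stopped and started by hand as in steps 1 and 6.

```shell
#!/bin/sh
# Added example (not RSA code): steps 3-5 of the procedure as one function.
# restore_lc_cfg DIR BACKUP_FILE EVENT_SOURCE SAFE_DIR
#   DIR          configuration directory (/etc/netwitness/ng on the appliance)
#   BACKUP_FILE  name of the NwLogcollector.cfg.x file chosen for the restore
#   EVENT_SOURCE string identifying the deleted event source (assumption:
#                it appears verbatim in the configuration file)
#   SAFE_DIR     directory that receives the pre-restore copies (e.g. /root)
restore_lc_cfg() {
    dir=$1; backup=$2; source_name=$3; safe=$4
    live="$dir/NwLogcollector.cfg"
    stamp=$(date +%Y%m%d%H%M%S)

    [ -f "$live" ] || { echo "missing $live" >&2; return 2; }
    [ -f "$dir/$backup" ] || { echo "missing $dir/$backup" >&2; return 2; }

    # Step 4: refuse to restore a backup that lacks the event source.
    if ! grep -qF -- "$source_name" "$dir/$backup"; then
        echo "$backup does not contain '$source_name'" >&2
        return 3
    fi

    # Step 3: copy both files aside, preserving mode, owner and timestamps.
    cp -p "$live" "$safe/NwLogcollector.cfg.pre-restore.$stamp" || return 4
    cp -p "$dir/$backup" "$safe/$backup.copy.$stamp" || return 4

    # Step 5: the live file is already preserved in SAFE_DIR, so renaming
    # the backup over it has the same result as move-then-rename.
    mv -f "$dir/$backup" "$live" || return 5
    echo "restored $backup; previous configuration saved in $safe"
}

# Usage on the appliance, between steps 1 and 6 (x is the backup suffix,
# "my-event-source" a constructed sample value):
#   restore_lc_cfg /etc/netwitness/ng NwLogcollector.cfg.x my-event-source /root
```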

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.