000031455 - RSA DLP: How to debug Event Loader on Enterprise Manager (EM) when events are not mapped to incidents

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031455
Applies To: RSA Product Set: RSA DLP
RSA Product/Service Type: Enterprise Manager/Datacenter
RSA Version/Condition: 9.6
Platform: Windows Server 2008 R2/2012
 
Issue
  • Events are not being mapped to incidents in the EM web interface.
  • Enable debug logging for the Event Loader process to troubleshoot and analyze errors within the DLP Datacenter environment, or to verify that the repository, grid scan group or agent scan group in use is not configured incorrectly.
  • Below is an example of a misconfiguration that was discovered in the eventloader.log file after enabling DEBUG on it (steps are explained in the next section):
23 Sep 2015 13:21:00,078 | ERROR - DiscoveryEventMapper.isGroupedByOwner(875) | A grid scan group is used for an agent scan!!! 
23 Sep 2015 13:21:00,078 | ERROR - DiscoveryEventMapper.mapAgentDiscoveryEvents(292) | FunctionalFlow - EventLoader_EventIncidentMapping: Unexpected error in mapping agent events: A grid scan group is used for an agent scan!!!
com.tablus.tem.service.impl.MappingException: A grid scan group is used for an agent scan!!!

 
Tasks
On your RSA DLP Enterprise Manager server, do the following before running a Datacenter scan:

  1. Go to the path: C:\Program Files (x86)\RSA\Enterprise Manager\webapps\root\WEB-INF\classes
  2. Open the log4j.xml file with Notepad or WordPad to edit it:
       • Change the level value for "com.rsa.xx" from its existing value [INFO/WARN] to DEBUG.
  3. Open the eventloaderlog4j.xml file with Notepad or WordPad to edit it:
       • Change the level value for "com.tablus" from its existing value [ERROR] to DEBUG.
  4. Launch a Datacenter scan. Upon successful completion of the scan, you can view and start analyzing both the "em.log" and "eventloader.log" files, which are located under the path:
       • Path: C:\Program Files (x86)\RSA\Enterprise Manager\logs

  • Note: Datacenter events will be rolled up to incidents only if the scan finishes properly without errors and the final scan XML status gets back to Enterprise Manager.
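
With DEBUG enabled, eventloader.log grows quickly, so it helps to pull out only the mapping errors. The script below is an added example, not RSA code: it assumes every entry follows the layout of the lines quoted in the Issue section, and the names parse_entries, summarize_errors and SAMPLE are hypothetical.

```python
import re
from datetime import datetime

# Layout of the eventloader.log lines quoted in this article:
#   "23 Sep 2015 13:21:00,078 | ERROR - Class.method(875) | message"
ENTRY = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) \| "
    r"(?P<level>[A-Z]+)\s+- (?P<source>[\w$.]+)\(\d+\) \| (?P<msg>.*)$"
)

def parse_entries(lines):
    """Yield one dict per entry; lines without a timestamp (exception class,
    stack frames) are attached to the entry they follow."""
    current = None
    for raw in lines:
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = dict(m.groupdict(), trace=[])
            current["ts"] = datetime.strptime(current["ts"], "%d %b %Y %H:%M:%S,%f")
        elif current and line:
            current["trace"].append(line)
    if current:
        yield current

def summarize_errors(lines):
    """Group ERROR entries by source method: count, first/last time, exception class."""
    summary = {}
    for e in parse_entries(lines):
        if e["level"] != "ERROR":
            continue
        s = summary.setdefault(e["source"], {"count": 0, "first": e["ts"],
                                             "message": e["msg"], "exception": None})
        s["count"] += 1
        s["last"] = e["ts"]
        if e["trace"] and s["exception"] is None:
            s["exception"] = e["trace"][0].split(":", 1)[0]
    return summary

# The first three lines are the ones quoted in the article; the DEBUG line is constructed.
SAMPLE = """23 Sep 2015 13:21:00,078 | ERROR - DiscoveryEventMapper.isGroupedByOwner(875) | A grid scan group is used for an agent scan!!!
23 Sep 2015 13:21:00,078 | ERROR - DiscoveryEventMapper.mapAgentDiscoveryEvents(292) | FunctionalFlow - EventLoader_EventIncidentMapping: Unexpected error in mapping agent events: A grid scan group is used for an agent scan!!!
com.tablus.tem.service.impl.MappingException: A grid scan group is used for an agent scan!!!
23 Sep 2015 13:21:01,102 | DEBUG - DiscoveryEventMapper.mapAgentDiscoveryEvents(300) | constructed sample debug line"""

if __name__ == "__main__":
    for source, s in summarize_errors(SAMPLE.splitlines()).items():
        print(s["count"], source, s["exception"] or "-", s["message"], sep=" | ")
```

To run it against a real log, pass the opened eventloader.log file object to summarize_errors in place of SAMPLE.splitlines().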
