000029577 - Duplicate queue called "Logdecoder" appears on event processors after upgrading from 10.0 through 10.3 Security Analytics to Security Analytics 10.4.X

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029577
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Log Decoder
RSA Version/Condition: 10.0, 10.1, 10.2, 10.3
Issue: Log Decoder / Log Collector appliances that are upgraded from older versions of SA may contain a script that incorrectly creates two queues with similar names: "Logdecoder" (with a capital "L") and "logdecoder" (with a lowercase "l"). Should this occur, the queue named with the uppercase "L" should be removed.
Resolution: To remove the duplicate Log Decoder queue on event processors, do the following from the SA UI as an administrative account:
1 - Go to the Explorer view in the Log Collector (the Log Decoder device), then click:
Explorer -> expand the event processors -> right-click Logdecoder and select Properties -> in the Properties section, select stop from the drop-down menu
2 - Explorer -> event processors -> right-click and select Properties -> in the Properties section, select remove from the drop-down menu, then type name=Logdecoder in the parameters box and click Send. Type the name with the capital "L"; the lowercase logdecoder queue must remain.

3 - This can take a few minutes to complete. After completion, refresh the web page, then check Explorer -> expand the event processors. Only logdecoder with a lowercase "l" should be present.
