|Applies To||RSA Product Set: NetWitness Logs & Packets|
RSA Product/Service Type: Decoder, Concentrator, Hybrid,
RSA Version/Condition: 10.x, 11.x
O/S Version: EL6, EL7
|Issue||RSA Security Analytics Concentrator aggregation is stopped due to missing roles in the Administrators group.|
The /var/log/messages file on the concentrator reports an error similar to the following:
Navigating to Administration -> Devices in the Security Analytics UI, selecting the concentrator, and clicking on View -> Config displays a failed status on at least one device under the Aggregate Devices section.
This issue occurs because the Administrators group for the decoder and/or concentrator service level is missing one more more required roles in order to perform basic tasks.
Refer to the table below, which displays the required roles for the Administrators group for the decoder and concentrator services.
In order to resolve the issue, the affected devices must be examined to ensure that they are not missing any of the required roles and to add those that are missing as necessary. To perform this, follow one of the action plans below.
Method 1: Using the REST API
Method 2: Using the NwConsole Utility
After configuring the Administrators group with the new roles, it will be necessary to restart the nwdecoder and/or nwconcentrator services for the appliances in order for the changes to take effect. It may also be necessary to stop and start aggregation on the concentrator to allow the decoder to report a Consuming status.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
|Legacy Article ID||a67968|