000011572 - RSA Security Analytics Concentrator aggregation is stopped due to missing roles in the Administrators group

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000011572
Applies To:
RSA Security Analytics
RSA Security Analytics Decoder
RSA Security Analytics Concentrator
RSA Security Analytics Hybrid
RSA NetWitness NwConsole
REST API
Issue

RSA Security Analytics Concentrator aggregation is stopped due to missing roles in the Administrators group.

The /var/log/messages file on the concentrator reports an error similar to the following:



[Aggregation] [failure] Failed to initialize device '192.168.1.5:50005' because User 'admin' does not have the required permission to send message 'getrecov'. This message requires one of the following role(s): concentrator.manage.. Device aggregation is being stopped.
[Aggregation] [failure] Failed to initialize device '192.168.1.5:50005' because user admin does not have the required permission to send message "getrecov". This message requires on of the following roles(s): decoder.manage.. Device aggregation is being stopped.



Navigating to Administration -> Devices in the Security Analytics UI, selecting the concentrator, and clicking on View -> Config displays a failed status on at least one device under the Aggregate Devices section.
Cause

This issue occurs because the Administrators group at the decoder and/or concentrator service level is missing one or more of the roles required to perform basic tasks.


Refer to the table below, which displays the required roles for the Administrators group for the decoder and concentrator services.



 Service        Required Roles
 Decoder        connections.manage,database.manage,decoder.manage,everyone,index.manage,logs.manage,owner,parsers.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage
 Concentrator   concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,owner,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage


 
Resolution

To resolve the issue, examine the Administrators group on each affected device, compare it against the required roles, and add any roles that are missing.  To do this, follow one of the action plans below.


 


Method 1:  Using the REST API


  1. In a web browser, navigate to the User Groups page of the REST interface on the appliance.
         Decoder:  Navigate to http://<appliance_ip_address>:50104/users/groups  
         Concentrator:  Navigate to http://<appliance_ip_address>:50105/users/groups
  2. In the text box next to the Administrators group, enter the appropriate roles found in the table above and click the Set button.

 


Method 2:  Using the NwConsole Utility


  1. Connect to the appliance via SSH as the root user.
  2. Open the NwConsole utility with the following command:  NwConsole
  3. Log in to the appropriate service level using one of the commands below, entering the password when prompted.
         Decoder:  login localhost:50004 admin
         Concentrator:  login localhost:50005 admin
  4. Display the current roles for the Administrators group with the following command:  /users/groups/Administrators get
  5. Issue the appropriate command below as necessary to add all of the required roles to the group.
         Decoder:  /users/groups/Administrators set value=connections.manage,database.manage,decoder.manage,everyone,index.manage,logs.manage,owner,parsers.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage
         Concentrator:  /users/groups/Administrators set value=concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,owner,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage

 


After configuring the Administrators group with the new roles, it will be necessary to restart the nwdecoder and/or nwconcentrator services for the appliances in order for the changes to take effect.  It may also be necessary to stop and start aggregation on the concentrator to allow the decoder to report a Consuming status.
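
The check described in the Issue and Resolution sections can be scripted. The following is an added example, not RSA code: it extracts the device, user, message and role from both wordings of the log error quoted above, compares a role list against the table in this article, and builds the NwConsole command from step 5 of Method 2. The function names, the sample 'get' output and the role example.custom are assumptions made for illustration.

```python
import re

# Required Administrators roles per service, copied from the table in this article.
REQUIRED = {
    "decoder": ("connections.manage,database.manage,decoder.manage,everyone,"
                "index.manage,logs.manage,owner,parsers.manage,rules.manage,"
                "sdk.content,sdk.manage,sdk.meta,services.manage,"
                "storedproc.execute,storedproc.manage,sys.manage,users.manage").split(","),
    "concentrator": ("concentrator.manage,connections.manage,database.manage,everyone,"
                     "index.manage,logs.manage,owner,rules.manage,sdk.content,"
                     "sdk.manage,sdk.meta,services.manage,storedproc.execute,"
                     "storedproc.manage,sys.manage,users.manage").split(","),
}
# Tolerates both wordings of the error quoted in this article.
FAILURE = re.compile(
    r"Failed to initialize device '(?P<device>[^']+)' because [Uu]ser '?(?P<user>[^' ]+)'? "
    r"does not have the required permission to send message ['\"](?P<message>[^'\"]+)['\"]\."
    r".*?roles?\(s\): (?P<roles>[\w.,\s]+?)\.\."
)
# Sample input: the two log lines quoted in this article.
SAMPLE_LOG = """[Aggregation] [failure] Failed to initialize device '192.168.1.5:50005' because User 'admin' does not have the required permission to send message 'getrecov'. This message requires one of the following role(s): concentrator.manage.. Device aggregation is being stopped.
[Aggregation] [failure] Failed to initialize device '192.168.1.5:50005' because user admin does not have the required permission to send message "getrecov". This message requires on of the following roles(s): decoder.manage.. Device aggregation is being stopped."""
# Constructed 'get' output: a decoder group missing two roles, plus a placeholder extra role.
CURRENT = ("connections.manage,database.manage,everyone,index.manage,logs.manage,owner,"
           "parsers.manage,rules.manage,sdk.content,sdk.manage,services.manage,"
           "storedproc.execute,storedproc.manage,sys.manage,users.manage,example.custom")

def parse_failures(log_text):
    """Return device, user, message and required roles for each aggregation failure."""
    found = []
    for m in FAILURE.finditer(log_text):
        entry = m.groupdict()
        entry["roles"] = [r.strip() for r in entry["roles"].split(",") if r.strip()]
        found.append(entry)
    return found

def missing_roles(service, current_csv):
    """Required roles absent from the value shown by '/users/groups/Administrators get'."""
    current = {r.strip() for r in current_csv.split(",") if r.strip()}
    return [r for r in REQUIRED[service] if r not in current]

def set_command(service, current_csv):
    """Step 5 command; roles already present but not in the table are kept at the end."""
    current = [r.strip() for r in current_csv.split(",") if r.strip()]
    extras = [r for r in current if r not in REQUIRED[service]]
    return "/users/groups/Administrators set value=" + ",".join(REQUIRED[service] + extras)

if __name__ == "__main__":
    print(parse_failures(SAMPLE_LOG))
    print(missing_roles("decoder", CURRENT), set_command("decoder", CURRENT), sep="\n")
```
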


 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a67968
