|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.6.x, 11.x
|Issue||Log Decoder getting unidentified content received on receiver from 127.0.0.1 in RSA NetWitness|
The Log Decoder's /var/log/messages file shows warning messages similar to the examples below, each reading: Unidentified content received on receiver from 127.0.0.1.
When the Log Decoder receives a message that is not in syslog format (RFC 5424), it logs it as a warning that includes the malformed event.
The text appears as a Base64-encoded string because the malformed event usually contains non-printable characters. The Log Decoder Base64-encodes the entire payload and logs it as a warning so that, when troubleshooting later, an engineer can retrieve the warning, Base64-decode the data, and see the actual content that was sent to the Log Decoder. The string can be decoded at http://www.base64decode.org/ or a similar website; since the payload is raw log data that may contain hostnames, credentials or other sensitive content, decoding it locally with the operating system's base64 utility is preferable.
The following is an example of decoding a Base64 string: 'bS8NCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMNClVzZXItQWdlbnQ6IE1vemls' = 'm/\r\nAccept-Language: en-US\r\nUser-Agent: Mozil'.
The decoded text is a fragment of a multi-line message (CRLF-separated header lines) rather than a syslog event, which indicates that the Log Collector transformation is not working correctly for certain device messages that span multiple lines.
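The following script is an added example, not NetWitness code or anything from the original article: it pulls the Base64 payloads out of the "Unidentified content received" warnings, decodes them locally, and tags each one with the properties that explain the rejection (a valid syslog header, HTTP header lines, an event spanning several lines, binary content). The exact layout of the warning line in /var/log/messages is an assumption (WARNING_RE); the sample lines are constructed, and the first Base64 blob is the one quoted above.

```python
"""Decode and triage "Unidentified content received" warnings from a Log Decoder.

Added example, not NetWitness code. The warning-line layout below (a syslog
header, the warning text, the source IP, a colon and the Base64 blob) is an
assumption; adjust WARNING_RE to the exact lines in your /var/log/messages.
"""
import base64
import re

# Assumed line layout: "... Unidentified content received on receiver from <ip>: <base64>"
WARNING_RE = re.compile(
    r"Unidentified content received on receiver from (?P<src>[\d.]+)[^ ]*\s+"
    r"(?P<b64>[A-Za-z0-9+/=]+)\s*$"
)
# RFC 5424 header: "<PRI>1 TIMESTAMP HOSTNAME ..." ; RFC 3164 (BSD) header: "<PRI>Mmm dd hh:mm:ss ..."
RFC5424_RE = re.compile(rb"^<\d{1,3}>1 \S+ \S+ ")
RFC3164_RE = re.compile(rb"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# HTTP request lines or "Name: value" header lines at the start of a line
HTTP_RE = re.compile(rb"(?:^|\r?\n)(?:GET |POST |HEAD |PUT |HTTP/1\.[01]|[A-Za-z-]+: )")


def decode_payload(b64: str) -> bytes:
    """Base64-decode locally; re-pad blobs that were cut off at a 4-character boundary."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def classify(raw: bytes) -> list:
    """Tag the decoded content with the properties that explain the rejection."""
    tags = []
    if RFC5424_RE.match(raw) or RFC3164_RE.match(raw):
        tags.append("syslog-header")      # PRI and header present: look elsewhere for the cause
    if HTTP_RE.search(raw):
        tags.append("http-header-lines")  # HTTP, not syslog, is arriving on the syslog port
    body = raw.rstrip(b"\r\n")
    if b"\n" in body or b"\r" in body:
        tags.append("multi-line")         # an event that spans lines (the case in the article)
    if any(c < 0x20 and c not in b"\t\r\n" for c in raw):
        tags.append("binary")             # control characters: not a text event at all
    return tags or ["plain-text"]


def triage(messages_text: str) -> list:
    """One dict per warning: source IP, decoded bytes and tags (or 'undecodable')."""
    results = []
    for line in messages_text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        try:
            raw = decode_payload(m.group("b64"))
            tags = classify(raw)
        except ValueError:                # binascii.Error is a subclass of ValueError
            raw, tags = b"", ["undecodable"]
        results.append({"src": m.group("src"), "raw": raw, "tags": tags})
    return results


# Constructed sample lines in the assumed layout. The first Base64 blob is the one quoted in the article.
_RFC5424_EVENT = b"<34>1 2020-06-01T10:00:02Z fw01 app - - - login failed for admin"
SAMPLE_MESSAGES = "\n".join([
    "Jun  1 10:00:01 logdecoder NwLogDecoder[1234]: [Receiver] [warning] "
    "Unidentified content received on receiver from 127.0.0.1: "
    "bS8NCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMNClVzZXItQWdlbnQ6IE1vemls",
    "Jun  1 10:00:02 logdecoder NwLogDecoder[1234]: [Receiver] [warning] "
    "Unidentified content received on receiver from 10.3.28.50: "
    + base64.b64encode(_RFC5424_EVENT).decode(),
    # blob cut off mid-group: decode_payload re-pads it and recovers the prefix "m/\r\n"
    "Jun  1 10:00:03 logdecoder NwLogDecoder[1234]: [Receiver] [warning] "
    "Unidentified content received on receiver from 127.0.0.1: bS8NCk",
    # a blob one character too long cannot be decoded at all
    "Jun  1 10:00:04 logdecoder NwLogDecoder[1234]: [Receiver] [warning] "
    "Unidentified content received on receiver from 127.0.0.1: bS8NC",
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MESSAGES
    for r in triage(text):
        print(r["src"], r["tags"], r["raw"].decode("utf-8", "backslashreplace"))
```

Run it against a copy of /var/log/messages (`python3 triage.py /var/log/messages`); for the article's payload it reports 127.0.0.1 with the tags http-header-lines and multi-line, which is the multi-line, non-syslog content the text above describes, and a source that is not 127.0.0.1 with the tag syslog-header points to a different cause than the one covered here.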
In order to resolve the issue, follow the recommendations below.
NOTE: For some device types, the transform file is deployed on the Log Collector in the /etc/netwitness/ng/logcollection/content/transform directory.
In this example, the sender at 127.0.0.1 is the local rsyslogd daemon, and that connection to the Log Decoder is unexpected.
NOTE: An entry of the form "@@10.3.28.196:514" (double @) configures rsyslogd to re-send the syslog messages it receives to the Log Decoder on TCP/514. To forward to UDP/514 instead, the entry in rsyslog.conf is "@10.3.28.196:514" (single @).
Stop rsyslogd from forwarding syslog messages to the Log Decoder by editing /etc/rsyslog.conf and commenting out the line that looks similar to the following:
After making the change and saving the file, restart the rsyslog service with the following commands:
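The audit below is an added example, not NetWitness or rsyslog code, covering the procedure just described: it finds every active rsyslog rule that forwards to the Log Decoder and returns the configuration with those rules commented out. It understands the legacy "selector @host:port" (UDP) and "selector @@host:port" (TCP) forms, including the optional (z9,o) options and ;template suffix, and the RainerScript action(type="omfwd" ...) form. The decoder address 10.3.28.196 is the one used in the note above; the sample configuration is constructed.

```python
"""Audit /etc/rsyslog.conf for rules that forward to the Log Decoder and comment them out.

Added example, not NetWitness or rsyslog code. The target address 10.3.28.196 is
the one used in the article; SAMPLE_CONF is a constructed configuration.
"""
import re

LEGACY_RE = re.compile(
    r"^\s*(?P<selector>[^#\s@]\S*)\s+"        # e.g. *.*  or  local7.*
    r"(?P<proto>@@?)"                          # @ = UDP, @@ = TCP
    r"(?:\([^)]*\))?"                          # optional legacy options such as (z9,o)
    r"(?P<host>\[[^\]]+\]|[^:\s;]+)"           # host: [ipv6], name or ipv4
    r"(?::(?P<port>\d+))?"                     # optional :port (default 514)
    r"\s*(?:;\S+)?\s*$"                        # optional ;template
)
OMFWD_RE = re.compile(r'^\s*action\s*\(.*\btype\s*=\s*"omfwd"', re.IGNORECASE)
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_forwarders(conf_text: str, target_host: str) -> list:
    """Return (line_no, proto, port, line) for every active rule that forwards to target_host."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                                     # already commented out
        m = LEGACY_RE.match(line)
        if m:
            if m.group("host").strip("[]") == target_host:
                proto = "tcp" if m.group("proto") == "@@" else "udp"
                hits.append((n, proto, int(m.group("port") or 514), line))
            continue
        if OMFWD_RE.match(line):
            kv = {k.lower(): v for k, v in KV_RE.findall(line)}
            if kv.get("target") == target_host:
                hits.append((n, kv.get("protocol", "udp").lower(), int(kv.get("port", "514")), line))
    return hits


def disable_forwarders(conf_text: str, target_host: str):
    """Return (new_text, count) with every forwarding rule to target_host commented out."""
    targets = {hit[0] for hit in find_forwarders(conf_text, target_host)}
    lines = [("#" + line if n in targets else line)
             for n, line in enumerate(conf_text.splitlines(), 1)]
    new_text = "\n".join(lines) + ("\n" if conf_text.endswith("\n") else "")
    return new_text, len(targets)


# Constructed sample: the local rsyslogd re-sends everything to the Log Decoder at 10.3.28.196.
SAMPLE_CONF = """\
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
# the unexpected rules: local messages are re-sent to the Log Decoder over TCP and UDP
*.* @@10.3.28.196:514
local7.* @10.3.28.196
*.* @@192.0.2.10:6514
action(type="omfwd" target="10.3.28.196" port="514" protocol="tcp")
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for n, proto, port, line in find_forwarders(text, "10.3.28.196"):
        print(f"line {n}: forwards to 10.3.28.196:{port}/{proto}: {line.strip()}")
    new_text, count = disable_forwarders(text, "10.3.28.196")
    print(f"{count} rule(s) would be commented out")
```

The script only reports and returns the modified text; write it back to /etc/rsyslog.conf yourself after reviewing the hits, check the result with rsyslogd -N1, and then restart rsyslog (service rsyslog restart on a CentOS 6 host, systemctl restart rsyslog on CentOS 7). Running the audit a second time on the edited file should report no rules.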
You may also capture more detail about the multi-line message passed from the Log Collector to the Log Decoder by taking a packet capture of the syslog traffic (TCP or UDP port 514 on the Log Decoder, including the loopback interface when the reported source is 127.0.0.1), using the command below.
|Legacy Article ID||a67088|