|Applies To||RSA Security Analytics; RSA Security Analytics 10.3; RSA Security Analytics Log Decoder; RSA Security Analytics Log Collector|
|Issue||Log Decoder getting unidentified content received on receiver from 127.0.0.1 in RSA Security Analytics.|
The Log Decoder /var/log/messages file shows the following warning message: Unidentified content received on receiver from 127.0.0.1.
The /var/log/messages file on the Log Decoder shows warning messages similar to the examples below.
When the Log Decoder determines that a message sent to it is not in syslog format (RFC 5424), it logs a warning that includes the malformed event.
The event text appears as a Base64-encoded string because the malformed event most likely contains non-printable characters. The Log Decoder Base64-encodes the entire event data and logs it as a warning so that, during later troubleshooting, an engineer can retrieve the warning, Base64-decode the data and see the actual log that was sent to the Log Decoder. For additional information on this process and to decode Base64 text, refer to http://www.base64decode.org/ or a similar website. Because the decoded content is raw log data from your environment, prefer decoding it locally (for example with the base64 -d command on the appliance) over pasting it into a public website.
The following is an example of decoding a Base64 string: 'bS8NCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMNClVzZXItQWdlbnQ6IE1vemls' decodes to 'm/\r\nAccept-Language: en-US\r\nUser-Agent: Mozil'.
The decoded text contains line breaks (\r\n) in the middle of what should be a single event, which indicates that the Log Collector transformation is not working correctly for certain device messages that span multiple lines.
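To pull these warnings out of /var/log/messages and inspect the decoded payloads locally, the following added Python script (not part of the article or of the RSA product) parses each warning, Base64-decodes the data, flags CR/LF-separated multi-line content and checks whether the payload carries an RFC 5424 header. The NwLogDecoder line layout, the process id and the 10.3.28.50 sender are constructed assumptions; the first payload is the one quoted in the article.

```python
import base64
import re

# The NwLogDecoder line layout around the warning text is an assumption; the
# warning wording and the Base64 payload on the first sample line come from the article.
WARNING_RE = re.compile(r"Unidentified content received on receiver from "
                        r"(?P<src>[\d.]+):\s*(?P<b64>[A-Za-z0-9+/=]+)\s*$")
# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP ...
RFC5424_HEADER_RE = re.compile(r"^<\d{1,3}>\d{1,2} \S+ \S+ ")

def looks_like_rfc5424(text):
    return bool(RFC5424_HEADER_RE.match(text))

def decode_warning(line):
    """Decode one warning line into a record, or None if the line is not a warning."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    raw = base64.b64decode(m.group("b64"), validate=True)
    text = raw.decode("utf-8", errors="replace")
    return {
        "source": m.group("src"),
        "text": text,
        # CR/LF inside one payload is the multi-line symptom the article describes
        "line_count": len(text.splitlines()),
        # control or non-ASCII bytes are why the Log Decoder Base64-encodes the data
        "has_nonprintable": any(b < 0x20 or b > 0x7E for b in raw),
        "rfc5424_header": looks_like_rfc5424(text),
    }

def scan_messages(messages):
    return [r for r in map(decode_warning, messages.splitlines()) if r]

def summarize(records):
    """Count warnings and multi-line payloads per sending address."""
    out = {}
    for r in records:
        s = out.setdefault(r["source"], {"events": 0, "multiline": 0})
        s["events"] += 1
        s["multiline"] += int(r["line_count"] > 1)
    return out

# Constructed excerpt: the article's payload from 127.0.0.1, plus a second fragment (encoded at runtime) from a constructed remote address.
_SECOND = base64.b64encode(b"X-Forwarded-For: 10.3.28.77\r\nConnection: keep-alive").decode()
SAMPLE_MESSAGES = (
    "Mar  3 10:15:22 logdecoder NwLogDecoder[2231]: [Receiver] [warning] Unidentified content received on receiver from 127.0.0.1: bS8NCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMNClVzZXItQWdlbnQ6IE1vemls\n"
    f"Mar  3 10:15:23 logdecoder NwLogDecoder[2231]: [Receiver] [warning] Unidentified content received on receiver from 10.3.28.50: {_SECOND}\n"
)
```

Run it against a copy of /var/log/messages instead of SAMPLE_MESSAGES to see which senders produce the multi-line fragments.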
In order to resolve the issue, follow the recommendations below.
Ensure that the Log Collector is deployed with the latest transformation files. This can be performed by following the steps below.
NOTE: For some device types, the transform file is deployed on the Log Collector in the /etc/netwitness/ng/logcollection/content/transform directory.
Run the netstat command to check which services have connections to TCP port 514 on the Log Decoder appliance, as shown below. (Only NwLogDecoder and NwLogCollector connections are expected.)
In this example, the rsyslogd connection is unexpected.
Check the /etc/rsyslog.conf to ensure that it is configured correctly. See the lines below, which appear at the end of the rsyslog.conf file.
NOTE: An entry of "@@10.3.28.196:514" (double @) configures rsyslogd to forward the syslog messages it receives to TCP/514 on that host.
To have rsyslogd forward syslog messages to UDP/514 instead, write the entry in rsyslog.conf as "@10.3.28.196:514" (single @).
Disable the rsyslogd daemon from sending syslog messages to the Log Decoder. This can be done by editing the /etc/rsyslog.conf and commenting out the line that appears similar to the following:
After making the change and saving the file, restart the rsyslog service with the following commands:
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
You may also attempt to capture more details about the multi-line message being passed from the Log Collector to the Log Decoder with a packet capture of syslog traffic, issuing the command below.
|Legacy Article ID||a67088|