|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Security Analytics
RSA Version/Condition: 10.5.x, 10.6.0.0
O/S Version: EL6
|Issue||Checkpoint log collection is not working in Security Analytics 10.5. The following event is recorded in the log file:|
|Resolution||This issue is currently being investigated by the Engineering team in order to resolve it in a future release.|
|Workaround||To resolve the issue, follow the steps below.|
- Connect to the Log Collector via SSH as the root user.
- Stop the log collector with
- Make a backup of the Checkpoint position file and then remove it. The file name depends on the name of the Checkpoint source (/var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml). If in doubt run
mv /var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml /var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml.bak
- Restart the nwlogcollector service to regenerate the file.
- (Optional) Check to see if the Max Idle Time Poll is set to 0. If so, you can set it to 5.