000030519 - Checkpoint collection not working and reports the error "peer ended the session" in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000030519
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
Issue: Checkpoint log collection not working in Security Analytics 10.5. The following event is recorded in the log file:

peer ended the session

Resolution: This issue is currently being investigated by the Engineering team in order to resolve it in a future release.
Workaround: To resolve the issue, follow the steps below.
  1. Connect to the Log Collector via SSH as the root user.
  2. Stop the log collector with:
    stop nwlogcollector

  3. Make a backup and then remove the checkpoint position file. The file name depends on the name of the CheckPoint source (for example, /var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml). If in doubt, list the position files first, then move the file aside:
    ls /var/netwitness/logcollector/runtime/checkpoint/eventsources/*.xml
    mv /var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml /var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml.bak

  4. Restart the nwlogcollector service to regenerate the file:
    start nwlogcollector

  5. (Optional) Check to see if the Max Idle Time Poll is set to 0. If so, you can set it to 5.
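
A guarded version of step 3, added here as an example and not taken from the RSA article: it validates the source name, refuses to act if the position file is missing, and writes a timestamped backup so an earlier .bak is never overwritten. The function name `reset_position_file`, the `POS_DIR` variable and the assumption that position files are named `checkpoint.<source>.xml` (as in the article's CP_Security example) are this example's own.

```shell
#!/bin/sh
# Added example: back up and remove a Check Point position file (step 3).
# Run it between "stop nwlogcollector" and "start nwlogcollector".
# POS_DIR defaults to the directory given in the article.
POS_DIR="${POS_DIR:-/var/netwitness/logcollector/runtime/checkpoint/eventsources}"

# reset_position_file <source-name>
# Assumes the file is named checkpoint.<source-name>.xml (hypothetical
# generalisation of the article's checkpoint.CP_Security.xml).
# Prints the backup path on success. Returns non-zero and changes nothing
# if the name is unsafe or the position file does not exist.
reset_position_file() {
    src_name="$1"
    case "$src_name" in
        ''|*/*|*..*)
            # Reject empty names and anything that could leave POS_DIR.
            echo "invalid event source name: '$src_name'" >&2
            return 2
            ;;
    esac

    pos_file="$POS_DIR/checkpoint.$src_name.xml"
    if [ ! -f "$pos_file" ]; then
        echo "no position file: $pos_file" >&2
        echo "position files present:" >&2
        ls "$POS_DIR"/*.xml >&2 2>/dev/null
        return 1
    fi

    # Timestamped suffix keeps backups from earlier runs intact.
    backup="$pos_file.$(date +%Y%m%d%H%M%S).bak"

    # Copy first, preserving mode and timestamps; remove the original
    # only after the copy succeeded.
    cp -p "$pos_file" "$backup" || return 3
    rm -f "$pos_file" || return 3
    echo "$backup"
}
```

Source the file as root on the Log Collector and call `reset_position_file CP_Security`, substituting the name of your own source.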