Article Number | 000030519 |
Applies To | RSA Product Set: Security Analytics; RSA Product/Service Type: SA Security Analytics; RSA Version/Condition: 10.5.x, 10.6.0.0; Platform: CentOS; O/S Version: EL6 |
Issue | Checkpoint log collection not working in Security Analytics 10.5. The following event is recorded in the log file:
|
Resolution | This issue is currently being investigated by the Engineering team in order to resolve it in a future release. |
Workaround | To resolve the issue, follow the steps below.
- Connect to the Log Collector via SSH as the root user.
- Stop the log collector with
    stop nwlogcollector
- Make a backup and then remove the checkpoint position file. The name is dependent on the name of the CheckPoint source (/var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml). If in doubt run
    ls /var/netwitness/logcollector/runtime/checkpoint/eventsources/*.xml
    mv /var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml /var/netwitness/logcollector/runtime/checkpoint/eventsources/checkpoint.CP_Security.xml.bak
- Restart the nwlogcollector service to regenerate the file.
    start nwlogcollector
- (Optional) Check to see if the Max Idle Time Poll is set to 0. If so, you can set it to 5.
|
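The workaround steps above as a small shell script, added here as an example and not an RSA-supplied tool. It keeps any earlier backup instead of overwriting it and starts the collector again even when the position file is not found. The `POS_DIR` variable, the function names and the timestamped backup suffix are assumptions; the directory and the `stop`/`start` commands are the ones given in the article.

```shell
#!/bin/sh
# Added example. Directory and service commands come from the article;
# POS_DIR, the function names and the timestamp suffix are assumptions.
POS_DIR="${POS_DIR:-/var/netwitness/logcollector/runtime/checkpoint/eventsources}"

# Move <source>.xml aside and print the backup path on stdout.
backup_position_file() {
    file="$POS_DIR/$1.xml"
    if [ ! -f "$file" ]; then
        echo "no position file for '$1'; files present:" >&2
        ls "$POS_DIR"/*.xml >&2 2>/dev/null || true
        return 1
    fi
    bak="$file.bak"
    # Keep an earlier backup instead of overwriting it.
    if [ -e "$bak" ]; then
        bak="$file.$(date +%Y%m%d%H%M%S).bak"
    fi
    mv -- "$file" "$bak" && printf '%s\n' "$bak"
}

# Stop the collector, move the file, and always start the collector again.
reset_checkpoint_position() {
    stop nwlogcollector >&2 || true   # may be non-zero if already stopped
    rc=0
    backup_position_file "$1" || rc=$?
    start nwlogcollector >&2 || return 1
    return "$rc"
}
```

Run as root on the Log Collector, for example `reset_checkpoint_position checkpoint.CP_Security`; the argument is the position file name without the `.xml` extension.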