000031348 - RSA enVision NIC Windows Service stopped working

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031348

Applies To

RSA Product Set: enVision

RSA Product/Service Type: enVision Core

RSA Version/Condition: 4.1 SP1 

Platform: Windows

O/S Version: 2008R2/2003

Product Description: RSA enVision ES/LS
Issue

  • When the storage locations for an enVision single-appliance "ES" or multi-appliance "LS" environment run out of storage space, the enVision NIC-related services are shut down by the "pi_diskusage" exe file.



  • After the storage problem is cleared and the NIC services are started again, the NIC Windows service (agent-less collection) does not resume pulling logs from MS Windows servers normally.



 

Cause

  • The storage location runs out of free space, so the collection services are disrupted.


  • enVision is not pulling logs from MS Windows-based servers.

Resolution

Re-create a new .POS "position" file:
 
  1. The POS file holds the UTC time and record ID of the last collected event(s) for the MS Windows 2003/2008 servers integrated with RSA enVision.
  2. POS file paths:
     • For single-appliance [ES], the POS file is stored locally on the server:
       Path: E:\nic\csd\config\windows\lonely\pos
     • For multi-appliance [LS], the POS file is stored on the NAS storage:
       Path: \\NAS IP\\vol0\nic\csd\config\windows\LC1\pos
 

  3. Based on your RSA enVision setup [ES or LS], delete the POS file from the applicable path above.
  4. Restart NIC Service Manager & NIC Windows Service on your ES appliance, or on your "LC" collector in the case of an LS multi-appliance environment.
  5. Go to the path where the POS file is stored and confirm that a new POS file has been created.
  6. In the GUI, go to Analysis tab > Event Viewer > Message View. You will see real-time logs indicating that the NIC Windows service has resumed pulling events from your MS Windows server(s).
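
Steps 3 to 5 can be scripted as below; this is an added example, not RSA tooling or part of the original article. It assumes PowerShell is available on the ES appliance or LC collector, that the service display names match the names written in step 4, and that a copy of the old POS file should be kept before deletion; the backup folder and parameter names are hypothetical.

```powershell
# Added example (not RSA tooling): steps 3-5 as a script. Run elevated on the ES or LC node.
param(
    # Path from step 2 (assumption: adjust to your ES or LS layout).
    [string]$PosPath = 'E:\nic\csd\config\windows\lonely\pos',
    # Display names as written in step 4 (assumption: confirm with Get-Service).
    [string[]]$ServiceDisplayNames = @('NIC Service Manager', 'NIC Windows Service'),
    # Hypothetical folder that keeps a copy of the old position data.
    [string]$BackupDir = "$env:TEMP\pos-backup-$(Get-Date -Format yyyyMMdd-HHmmss)",
    [int]$WaitSeconds = 120
)
$ErrorActionPreference = 'Stop'

# Returns POS files whether $Path is the file itself or a folder holding it.
function Get-PosFile([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    @(Get-ChildItem -LiteralPath $Path | Where-Object { -not $_.PSIsContainer })
}

# Resolve every service before touching anything, so a wrong name aborts early.
foreach ($name in $ServiceDisplayNames) {
    if (-not (Get-Service -DisplayName $name -ErrorAction SilentlyContinue)) {
        throw "No service with display name '$name' on this node."
    }
}

# Step 3: copy the old POS file aside, then delete it.
$old = @(Get-PosFile $PosPath)
if ($old.Count -eq 0) {
    Write-Warning "No POS file found at $PosPath; nothing to delete."
} else {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
    foreach ($f in $old) {
        Copy-Item -LiteralPath $f.FullName -Destination $BackupDir
        Remove-Item -LiteralPath $f.FullName
    }
}

# Step 4: restart the services in the order the article lists them.
foreach ($name in $ServiceDisplayNames) { Restart-Service -DisplayName $name }

# Step 5: poll until the collector has written a new POS file.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 5
    $new = @(Get-PosFile $PosPath)
} until ($new.Count -gt 0 -or (Get-Date) -gt $deadline)

if ($new.Count -eq 0) { throw "No new POS file at $PosPath after $WaitSeconds seconds." }
$new | Select-Object FullName, LastWriteTime
```

For an LS environment, pass the NAS path from step 2 as `-PosPath` and run the script on the LC collector.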
