000031348 - RSA enVision NIC Windows Service stopped working

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Jun 26, 2018
Version 3

Article Content

Article Number: 000031348

Applies To

RSA Product Set: enVision

RSA Product/Service Type: enVision Core

RSA Version/Condition: 4.1 SP1 

Platform: Windows

O/S Version: 2008R2/2003

Product Description: RSA enVision ES/LS

Issue

  • When the storage locations of an enVision single-appliance "ES" or multi-appliance "LS" environment run out of storage space, the enVision NIC-related services are shut down by the "pi_diskusage" exe file.



  • After the storage problem is cleared and the NIC services are started again, collection for the NIC Windows service/agentless service does not resume pulling logs from MS Windows servers normally.




 

Cause

  • The storage location runs out of free space, so the collection services are disrupted.

  • enVision is not pulling logs from MS Windows-based servers.

Resolution

Re-create a new .POS "position" file:
 
  1. The POS file holds the UTC time and record ID of the last collected event(s) for the MS Windows 2003/2008 servers integrated with RSA enVision.
  2. POS file paths:

  • For single-appliance [ES] "POS file will be stored locally on the server":

 Path: E:\nic\csd\config\windows\lonely\pos


  • For Multi-appliance [LS] "POS file will be stored over the NAS storage":

  Path: \\NAS IP\\vol0\nic\csd\config\windows\LC1\pos
 


3. Based on your RSA enVision setup [ES or LS], delete the POS file from the applicable path above.

4. Restart NIC Service Manager and NIC Windows Service on your ES appliance, or on your "LC" collector in an LS multi-appliance environment.

5. Go to the path where the POS file is stored and confirm that a new POS file has been created.

6. In the GUI, go to Analysis tab > event viewer > message view; you will see real-time logs indicating that the NIC Windows service has resumed pulling events from your MS Windows server(s).
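
Steps 3 to 5 as a PowerShell script, added here as an example and not RSA's own tooling. It assumes PowerShell is available on the appliance and that the service display names match the article's wording, and it adds one thing the article does not describe: a backup copy of the old POS before it is deleted (`$BackupRoot` and `$TimeoutSeconds` are hypothetical parameters).

```powershell
# Added example; paths and service names below are assumptions taken from the article text.
param(
    # ES path from the article; pass the NAS path instead on an LS deployment.
    [string]$PosPath = 'E:\nic\csd\config\windows\lonely\pos',
    # Display names as the article words them; confirm them in services.msc.
    [string[]]$ServiceDisplayNames = @('NIC Service Manager', 'NIC Windows Service'),
    # Hypothetical backup location and wait time.
    [string]$BackupRoot = $env:TEMP,
    [int]$TimeoutSeconds = 300
)
$ErrorActionPreference = 'Stop'

# Fail before changing anything if a service name or the POS path is wrong.
foreach ($name in $ServiceDisplayNames) {
    if (-not (Get-Service -DisplayName $name -ErrorAction SilentlyContinue)) {
        throw "No service with display name '$name'."
    }
}
if (-not (Test-Path -LiteralPath $PosPath)) { throw "Nothing found at $PosPath." }

# Step 3: keep a copy of the old POS, then delete it (works for a file or a folder).
$backup = Join-Path $BackupRoot ('pos-backup-' + (Get-Date -Format 'yyyyMMddHHmmss'))
Copy-Item -LiteralPath $PosPath -Destination $backup -Recurse
Remove-Item -LiteralPath $PosPath -Recurse -Force
Write-Output "Old POS copied to $backup and deleted."

# Step 4: restart the services in the order the article lists them.
foreach ($name in $ServiceDisplayNames) {
    Restart-Service -DisplayName $name -Force
    Write-Output "Restarted '$name'."
}

# Step 5: wait until a new POS appears at the same path.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while (-not (Test-Path -LiteralPath $PosPath)) {
    if ((Get-Date) -gt $deadline) {
        throw "No new POS at $PosPath after $TimeoutSeconds seconds; check the NIC Windows Service."
    }
    Start-Sleep -Seconds 5
}
$created = (Get-Item -LiteralPath $PosPath).LastWriteTime
Write-Output "New POS present, last written $created. Continue with step 6 in the GUI."
```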
