000030364 - Lockbox related errors are seen on a Log Collector after applying STIG in RSA Security Analytics 10.4.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030364
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Security Analytics UI
RSA Version/Condition: 10.4.x
Platform: CentOS
O/S Version: EL6
IssueAfter configuring a Log Collector with a lockbox and event sources and then applying STIG, errors will be seen when attempting to collect events or configure the event sources that appear similar to the example below.
 
Sep  1 05:18:44 LogCollector nw[2775]: [BufferedChannel] [info] BufferedChannel created.  name: BufferedChannel_vmware_vmware; buffer_size: 1000; persistence_dir: /var/netwitness/logcollector/runtime
Sep  1 05:18:44 LogCollector nw[2775]: [VmwareCollection] [info] vmware, vmware started.
Sep  1 05:18:44 LogCollector nw[2775]: [EncryptionWrapper] [info] key was not found: failed to open lockbox: The lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the lockbox using the passphrase.
Sep  1 05:18:44 LogCollector nw[2775]: [EncryptionWrapper] [failure] failed to open lockbox: The lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the lockbox using the passphrase.
Sep  1 05:18:44 LogCollector nw[2775]: [VmwareCollection] [failure] [vmware-tasks.SAVC] [idle] [WorkUnit] [init] Failed to decrypt password: decryption failed
Sep  1 05:18:49 LogCollector nw[2775]: [Engine] [info] Child process 17514 sent signal code: exited, child exit code: 1
CauseThis issue occurs because applying STIG causes the system fingerprint to change.
ResolutionIn order to resolve the issue, reset the system fingerprint by following the steps below.
  1. In the Security Analytics UI, navigate to the Administration -> Services view.
  2. Click on the red Actions button for the Log Collector service and select View -> Config.
  3. Click on the Settings tab.
  4. Under the Reset Stable System Value section, enter the lockbox password and click on the respective Apply button.
     User-added image
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

    Outcomes