000030374 - Repeated errors are seen when a domain name is not resolvable from a Windows Legacy Collector server in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000030374

Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Windows Legacy Collector
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS, Windows Server

Issue: When trying to access Windows logs from a machine in a domain/workgroup in another domain, if that machine's domain name is not resolvable by the Windows Legacy Collector instance, then an error message similar to the example below will be reported for every event that is collected.

    id=8106858  time=1398847139  level=failure  module=WindowsLegacyCollection  msg=[windows.Win2K8_2.sys_2] [processing] [WorkUnit] [processing] <ip_address>,System sGetDcName failed with error 1212 for the DC

Workaround: In order to prevent the errors from being reported for each event, add the domain entry for the machine that is not resolvable into the hosts file of the Windows Legacy Collector server.

Notes: Below is a screenshot of the hosts file that must be edited.
[Image: screenshot of the hosts file]
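
One way to apply the workaround from an elevated PowerShell session on the Windows Legacy Collector server. This is an added example, not part of the original RSA article: the domain name and address are placeholders to replace with your own values, and the path is the standard Windows hosts file location.

```powershell
# Added example. $DomainName and $Address are hypothetical placeholders,
# not values taken from the article.
$DomainName = 'example-domain.local'   # the domain name the collector cannot resolve
$Address    = '192.0.2.10'             # address that name should map to (documentation range)
$HostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-NameResolves {
    param([string]$Name)
    # GetHostAddresses throws when the name cannot be resolved.
    try   { [void][System.Net.Dns]::GetHostAddresses($Name); return $true }
    catch { return $false }
}

# Match "<address> <names...>" lines that already list the name,
# ignoring anything after a '#' comment marker.
$pattern  = '^\s*\S+\s+(.*\s)?' + [regex]::Escape($DomainName) + '(\s|$)'
$existing = Get-Content -Path $HostsPath |
    Where-Object { ($_ -replace '#.*$', '') -match $pattern }

if (Test-NameResolves $DomainName) {
    Write-Output "$DomainName already resolves; no hosts entry needed."
}
elseif ($existing) {
    Write-Output "Hosts entry already present but the name does not resolve: $existing"
}
else {
    # Keep a timestamped backup before editing, then append the entry.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item -Path $HostsPath -Destination "${HostsPath}.$stamp.bak"
    Add-Content -Path $HostsPath -Value "$Address`t$DomainName"

    if (Test-NameResolves $DomainName) {
        Write-Output "$DomainName now resolves via the hosts file."
    } else {
        Write-Warning "$DomainName still does not resolve; check the entry in $HostsPath."
    }
}
```

A hosts entry overrides DNS for that name on this server only, so record it and remove it once the domain becomes resolvable through DNS.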