Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000030430 - ODBC event collection fails with message "Unable to execute statement: Statement: exec nic_aud_swap_trace" in RSA Security Analytics

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Sep 26, 2019

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000030430
Applies To	RSA Product Set: Security Analytics. RSA NetWitness Logs and Network RSA Product/Service Type: Log Collector, ODBC Log Collection Platform: CentOS 6,7 Platform (Other): Microsoft Windows, Microsoft SQL Server
Issue	ODBC Log Collection to a Microsoft SQL Database fails due to a trace file becoming corrupted. The Trace File directory on the SQL Server will continue filling with logs until this situation is resolved. In the /var/log/messages file on the Log Collector, messages similar to the following will be seen. un 5 07:59:45 REMOTELOGCOL nw[1955]: [OdbcCollection] [failure] [mssql.MSSQL] [processing] [MSSQL] [processing] An error occurred collecting ODBC events using query tag MSSQL. Error: Unable to execute statement: Statement: "exec nic_aud_swap_trace 30, 'c:\MyTraceFiles\', 1, 'WHERE StartTime > 2015-06-04 17:04:42.110'"; Reason: state: S1000; error-code: 140071768425015; description: [RSA][ODBC SQL Server Wire Protocol driver][Microsoft SQL Server]File 'c:\MyTraceFiles\-4.trc' either does not exist or is not a recognizable trace file. Or there was an error opening the file. The important error to observe is below. Error: Unable to execute statement: Statement: "exec nic_aud_swap_trace 30, 'c:\MyTraceFiles\', In this example, c:\MyTraceFiles is the directory where the Tracefiles are being stored on the MS SQL Server.
Cause	A trace file has become corrupted which prevents the Log Collector from collecting further files. Ensure that the trace file directory is excluded from any software that may also lock files in this directory. Examples of such software include anti-virus or third-party backup software.
Resolution	To resolve the issue: Obtain access to the Microsoft SQL Server with Microsoft SQL Server Management Studio Navigate to the Master Database Run the db.nic_aud_init_trace stored procedure. To preserve data, make sure that a NULL value is parsed. Otherwise, trace files will be deleted and not processed. The screenshots below illustrate this process The Trace files will then be processed correctly.
Notes	All screenshots come from an internal test machine and contain no sensitive information.

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links