000031060 - VMware events are not being collected in RSA Security Analytics 10.4.x and 10.5.0.x

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000031060
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.4.x, 10.5.0.x
Platform: CentOS
Platform (Other): VMware
O/S Version: EL6
Issue: VMware logs are not being collected by the RSA Log Collector after a period of time.
The error message below is reported at random event counts when the following command is executed:
    perl /etc/netwitness/ng/logcollection/content/collection/vmware/vmware-events/NwVmwareCollector.pl -events -server <VCenter IP> -username <user> -password <pass> -count N
Can't load class 'ArrayOfDatastoreEventArgument' at /usr/local/share/perl5/VMware/VIMRuntime.pm line 52.
Perl exited with active threads:
        1 running and unjoined
        0 finished and unjoined
        0 running and detached

Cause: This issue can be caused by missing old logs from the VMware Event Source.
This will be permanently fixed in RSA Security Analytics 10.5.1.
Workaround: A workaround for the issue is to modify the time stamp in the VMware XML file so that the collection only captures events that are no more than 3-4 months old.
Follow the steps below to perform the procedure.
  1. Test whether the error is produced with the command below, specifying a start date that is not older than 3-4 months using the -startTime argument.
         For example: -startTime "2015-06-08T01:54:13.894Z"
    perl /etc/netwitness/ng/logcollection/content/collection/vmware/vmware-events/NwVmwareCollector.pl -events -server <VCenter IP>  -username <user> -password <pass> -count 10000 -startTime <yyyy-mm-ddThh:mm:ss.ms>

    If the command works without any errors, proceed to Step 2.
  2. Stop the Log Collector service with the command below.
    stop nwlogcollector

  3. Navigate to the VMware event source directory.
    cd /var/netwitness/logcollector/runtime/vmware/eventsources

  4. Use the vi editor to edit the appropriate XML file.
    vi vmware-events.<EventSource>.xml

  5. Modify the "time" value to be 3 or 4 months back, as shown below.
    <?xml version="1.0" encoding="utf-8"?>
    <ptime>2015-Jul-30 07:49:40.122490</ptime>

  6. Save the file by hitting the Escape key and entering :wq! at the prompt.
  7. Start the Log Collector service again.
    start nwlogcollector
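
The timestamp arithmetic and the edit in steps 1 and 3-6 can be scripted. The following is an added example, not RSA's code: it builds an N-months-back timestamp in both the -startTime and <ptime> formats shown above and rewrites the bookmark file while keeping a backup. It assumes GNU date, UTC timestamps, and a file with exactly one <ptime> element; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; assumptions: GNU date, UTC timestamps, one <ptime> per file.

# Print a timestamp $1 months back in the -startTime format used in step 1.
start_time_arg() {
    LC_ALL=C date -u -d "$1 months ago" '+%Y-%m-%dT%H:%M:%S.000Z'
}

# Print a timestamp $1 months back in the <ptime> format shown in step 5.
ptime_value() {
    LC_ALL=C date -u -d "$1 months ago" '+%Y-%b-%d %H:%M:%S.000000'
}

# Rewrite <ptime> in file $1 to $2 months back, keeping the original as $1.bak.
# Refuses to touch a file that does not contain exactly one <ptime> element.
reset_ptime() {
    file=$1
    months=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    count=$(grep -c '<ptime>[^<]*</ptime>' "$file" || true)
    [ "$count" -eq 1 ] || {
        echo "expected one <ptime> in $file, found $count" >&2
        return 1
    }
    new=$(ptime_value "$months") || return 1
    cp -p "$file" "$file.bak" || return 1
    sed "s|<ptime>[^<]*</ptime>|<ptime>$new</ptime>|" "$file.bak" > "$file"
}

# Usage: sh reset_ptime.sh vmware-events.<EventSource>.xml 3
if [ "$#" -eq 2 ]; then
    reset_ptime "$1" "$2"
fi
```

Run it only while the Log Collector service is stopped, that is, between steps 2 and 7; the .bak copy allows the original bookmark to be restored.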

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.