|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.4.x, 10.5.0.x
Platform (Other): VMware
O/S Version: EL6
|Issue||VMware logs are not being collected by the RSA Log Collector after a period of time.|
The error message below is reported at random Event Counts when the command perl /etc/netwitness/ng/logcollection/content/collection/vmware/vmware-events/NwVmwareCollector.pl -events -server <VCenter IP> -username <user> -password <pass> -count N is executed.
Can't load class 'ArrayOfDatastoreEventArgument' at /usr/local/share/perl5/VMware/VIMRuntime.pm line 52.
Perl exited with active threads:
1 running and unjoined
0 finished and unjoined
0 running and detached
|Cause||This issue can be caused by old logs missing from the VMware Event Source.|
This will be permanently fixed in RSA Security Analytics 10.5.1.
|Workaround||A workaround for the issue is to modify the time stamp in the VMware XML file so that collection only captures events that are no more than 3 - 4 months old.|
Follow the steps below to perform the procedure.
If you are unsure of any of these steps or experience any issues, contact RSA Support and quote this article number for further assistance.
- Test whether the error is produced with the command below, specifying a start date that is not older than 3-4 months using the -startTime argument.
For example: -startTime "2015-06-08T01:54:13.894Z"
perl /etc/netwitness/ng/logcollection/content/collection/vmware/vmware-events/NwVmwareCollector.pl -events -server <VCenter IP> -username <user> -password <pass> -count 10000 -startTime <yyyy-mm-ddThh:mm:ss.ms>
If the command works without any errors, proceed to Step 2.
- Stop the Log Collector service with the command below.
- Navigate to the VMware event source directory.
- Use the vi editor to edit the appropriate XML file.
- Modify the "time" value to be 3 or 4 months back, as shown below.
<?xml version="1.0" encoding="utf-8"?>
- Save the file by hitting the Escape key and entering :wq! at the prompt.
- Start the Log Collector service again.
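
The helper below is an added example, not part of the original article or of RSA's tooling. It derives a -startTime value a given number of months back, in the format shown in the first step, and checks that a chosen value falls inside that window. The function names months_back and start_time_ok are hypothetical, and the day of month is clamped to 28 so the result is always a valid date.

```shell
#!/bin/sh
# Added example (not RSA code). Timestamps follow the form used in the
# article's -startTime example: yyyy-mm-ddThh:mm:ss.mmmZ, in UTC.
TS_RE='^[12][0-9]{3}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\.[0-9]{1,3}Z$'

# months_back N [NOW] -> timestamp N months before NOW (default: current UTC time).
months_back() {
    n=$1
    now=${2:-$(date -u '+%Y-%m-%dT%H:%M:%S.000Z')}
    case $n in ''|*[!0-9]*) echo "months must be a whole number" >&2; return 2 ;; esac
    printf '%s\n' "$now" | grep -Eq "$TS_RE" || { echo "bad timestamp: $now" >&2; return 2; }
    y=${now%%-*}; rest=${now#*-}
    m=${rest%%-*}; rest=${rest#*-}
    d=${rest%%T*}; t=${rest#*T}
    m=${m#0}; d=${d#0}                      # avoid octal parsing of 08 and 09
    total=$(( y * 12 + m - 1 - n ))         # months counted from year 0
    if [ "$d" -gt 28 ]; then d=28; fi       # clamp: day must exist in every month
    printf '%04d-%02d-%02dT%s\n' $(( total / 12 )) $(( total % 12 + 1 )) "$d" "$t"
}

# start_time_ok TS MAX_MONTHS [NOW] -> status 0 if TS is well formed and
# not older than MAX_MONTHS, 1 otherwise (2 if the arguments are invalid).
start_time_ok() {
    ts=$1
    printf '%s\n' "$ts" | grep -Eq "$TS_RE" || return 1
    cutoff=$(months_back "$2" "${3:-}") || return 2
    # Fixed-width UTC stamps compare as integers once punctuation is removed;
    # the comparison is made to the second, ignoring the fractional part.
    a=$(printf '%s' "${ts%%.*}" | tr -d 'T:-')
    b=$(printf '%s' "${cutoff%%.*}" | tr -d 'T:-')
    [ "$a" -ge "$b" ]
}
```

For example, `months_back 3` prints a value that can be passed to -startTime, and `start_time_ok "<timestamp>" 4` reports whether an existing value is still inside a four-month window.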