000029448 - Security Analytics 10.4: Unable to receive logs when configuring a Windows Legacy Collector to push logs to a Local Collector on a All-In-One appliance

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000029448
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.4
 
Issue: First, reference the screenshot below.
[Screenshot not reproduced]
When a Windows Legacy Collector is configured to push logs to the Local Collector on an "All In One" Security Analytics appliance, the logs cannot be seen in Investigator. Also of significance is that the collector status is green.
Further investigation shows that the Windows Legacy Collector does in fact collect and process events successfully, but no events appear in either Investigator or the Log Decoder stats views.
A tcpdump on the Local Collector for traffic arriving from the Windows Legacy Collector on port 5671 (tcpdump src host <WLC-IP> and port 5671) shows no packets at all. This indicates that the Windows Legacy Collector is unable to reach the Local Collector's AMQPS listener.
The rabbitmq logs on the Windows Legacy Collector (C:\NetWitness\ng\logcollector\rabbitmq\log\logcollector@localhost) show the following errors:
=ERROR REPORT==== 16-Jan-2015::13:53:54 ===
** Generic server nw_log_forwarder_worker terminating 
** Last message in was {'$gen_cast',<<"info 2015-01-16T18.53.54Z Server startup complete; 11 plugins started.\n * amqp_client\n * mochiweb\n * nw_admin\n * rabbitmq_auth_mechanism_ssl\n * rabbitmq_management\n * rabbitmq_management_agent\n * rabbitmq_shovel\n * rabbitmq_shovel\n * rabbitmq_shovel_management\n * rabbitmq_web_dispatch\n * webmachine\n\n">>}
** When Server state == {state,undefined}
** Reason for termination == 
** {{badmatch,{error,{auth_failure,"Refused"}}},
    [{nw_log_forwarder_worker,get_channel,0,
                              [{file,"d:/hudson/workspace/ngc-trunk-windows-stability-build/src/NwLogCollection/nw_admin/nw_log_forwarder_worker.erl"},
                               {line,74}]},
     {nw_log_forwarder_worker,handle_cast,2,
                              [{file,"d:/hudson/workspace/ngc-trunk-windows-stability-build/src/NwLogCollection/nw_admin/nw_log_forwarder_worker.erl"},
                               {line,37}]},
     {gen_server,handle_msg,5,[{file,"gen_server.erl"},{line,607}]},
     {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]}
=ERROR REPORT==== 16-Jan-2015::13:53:54 ===
** Generic server nw_log_forwarder_worker terminating 
** Last message in was {'$gen_cast',<<"error 2015-01-16T18.53.54Z ** Generic server nw_log_forwarder_worker terminating \n** Last message in was {'$gen_cast',<<\"info 2015-01-16T18.53.54Z Server startup complete; 11 plugins started.\\n * amqp_client\\n * mochiweb\\n * nw_admin\\n * rabbitmq_auth_mechanism_ssl\\n * rabbitmq_management\\n * rabbitmq_management_agent\\n * rabbitmq_shovel\\n * rabbitmq_shovel\\n * rabbitmq_shovel_management\\n * rabbitmq_web_dispatch\\n * webmachine\\n\\n\">>}\n** When Server state == {state,undefined}\n** Reason for termination == \n** {{badmatch,{error,{auth_failure,\"Refused\"}}}
Cause: If the Local Collector service has been configured to use the loopback address (127.0.0.1) instead of the appliance's physical IP address (e.g. 192.168.1.100) in the SA UI appliance view, this problem will occur. A service bound only to 127.0.0.1 is not reachable from a remote host such as the Windows Legacy Collector, which is why the tcpdump on port 5671 shows nothing even though the Windows Legacy Collector itself reports a green status.
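The following shell script is an added example for checking the two symptoms described above on the appliance; it is not RSA's code and is not part of the original article. It assumes the AMQPS listener is on port 5671 (as stated in the article), that listener lines are in the format printed by `ss -ltn` or `netstat -tln`, and that a copy of the Windows Legacy Collector's rabbitmq log has been brought over to the appliance (or piped in). The sample listener table and log excerpt embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not RSA's code). Two checks for the failure mode in this article:
#  1. Is the Local Collector's AMQPS listener (assumed port 5671) bound only to
#     127.0.0.1, so that a remote Windows Legacy Collector cannot reach it?
#  2. Does the WLC rabbitmq log show the nw_log_forwarder_worker dying with
#     {auth_failure,"Refused"}?

AMQPS_PORT=5671   # assumption: the AMQPS port named in the article

# listener_check LISTENERS
#   LISTENERS: listener lines as printed by `ss -ltn` / `netstat -tln`.
#   Prints one of: none | loopback-only | physical
#   Exit code: 0 = physical (reachable), 1 = none, 2 = loopback-only
listener_check() {
    listeners=$1
    # Pull the bound address out of every "addr:5671" token.
    addrs=$(printf '%s\n' "$listeners" | awk -v p="$AMQPS_PORT" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ (":" p "$")) { sub(":" p "$", "", $i); print $i } }')
    if [ -z "$addrs" ]; then
        echo none
        return 1
    fi
    for a in $addrs; do
        case "$a" in
            127.*|"[::1]"|::1) ;;             # loopback: invisible to the WLC
            *) echo physical; return 0 ;;    # 0.0.0.0, *, [::] or a NIC address
        esac
    done
    echo loopback-only
    return 2
}

# wlc_log_check LOGTEXT
#   Prints "auth-refused" (exit 1) if the forwarder worker terminated with
#   {auth_failure,"Refused"}, otherwise "ok" (exit 0).
wlc_log_check() {
    if printf '%s\n' "$1" | grep -F -q 'auth_failure,"Refused"'; then
        echo auth-refused
        return 1
    fi
    echo ok
    return 0
}

# live_check: run the listener check against the appliance's real socket table.
# Not invoked below; call it by hand on the All-In-One appliance.
live_check() {
    listener_check "$(ss -ltn 2>/dev/null || netstat -tln 2>/dev/null)"
}

# --- constructed sample data (not captured from a real appliance) -----------
SAMPLE_BAD='LISTEN 0 128 127.0.0.1:5671 *:*
LISTEN 0 128 127.0.0.1:5672 *:*
LISTEN 0 128 0.0.0.0:22 *:*'

SAMPLE_GOOD='LISTEN 0 128 192.168.1.100:5671 *:*
LISTEN 0 128 0.0.0.0:22 *:*'

SAMPLE_WLC_LOG='=ERROR REPORT==== 16-Jan-2015::13:53:54 ===
** Generic server nw_log_forwarder_worker terminating
** Reason for termination ==
** {{badmatch,{error,{auth_failure,"Refused"}}},'

# Usage demonstration on the constructed samples.
echo "listener (bad):  $(listener_check "$SAMPLE_BAD")"    # loopback-only
echo "listener (good): $(listener_check "$SAMPLE_GOOD")"   # physical
echo "wlc log:         $(wlc_log_check "$SAMPLE_WLC_LOG")" # auth-refused
```

If `listener_check` reports `loopback-only` on the appliance, the Local Collector is bound the way the Cause section describes and the Resolution below applies; `physical` with an empty tcpdump points instead at a firewall or routing problem between the two hosts, which this article does not cover.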

 
Resolution: Configure all of the All-In-One appliance services (including the Local Collector) to use the physical IP address rather than the loopback IPv4 address (127.0.0.1) for communication. The one exception is the Reporting Engine, which keeps the loopback address as noted in the documentation here:
 
https://sadocs.emc.com/0_en-us/090_10.4_User_Guide/120_ApplServConf/RepEngConfGde/10_ConfRE/10_AddRE
Observe these screenshots:
[Screenshot not reproduced]

[Screenshot not reproduced]


 
Notes: A similar issue may also occur with a Virtual Log Collector.
See the following KB article:
Unable to configure a remote collector to push logs to a local collector on an All-In-One appliance
