Log Collection Config: Troubleshoot Log Collection Configuration

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

This topic highlights possible problems that you may encounter when you configure Log Collection and suggested solutions to these problems.

Troubleshoot Remote Collector Configuration Issues

The log messages in the following table are sent to:

  • For the Push Events to Local Collectors configuration - C:\NetWitness\ng\logcollector\rabbitmq\log\logcollector@localhost.log on the Windows Legacy Collector server.
  • For the Pull Events from Remote Collector configuration - /var/log/rabbitmq/sa@localhost.log on the Log Decoder host on which the Local Collector is running.
Log Messages
Log message with "certificate expired" as part of the message. For example:

=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
SSL: cipher: tls_connection.erl:375:Fatal error: certificate expired

=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
Shovel failed to connect to Host: "10.31.204.240" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch,
                                                                                                             {error,
                                                                                                               {tls_alert,
                                                                                                                "certificate expired"}}}
Possible Causes
The high-level cause of a "certificate expired" log message is that the clock (date/time) of the SA service host and the clocks of one or more hosts running the logcollector service are not synchronized. The following scenarios can cause this error.

The SA service host and the Local Collector host clocks are synchronized, but the Windows Legacy Collector (WLC) clock is:
  • Cause 1 - Ahead of (in the future relative to) the Local Collector host and the SA host.
  • Cause 2 - Behind (in the past relative to) the Local Collector host and the SA host.
    Having the WLC clock in the past works if the WLC is configured to push events to the Local Collector. However, if the Local Collector is configured to pull events from the WLC, the WLC treats the Local Collector certificate as invalid because its date is ahead (in the future) of the WLC clock.
Solutions
For either cause, make sure that the clocks of the SA host and of all Remote and Local Collector hosts are synchronized.
  • Cause 1 - For a Legacy Windows Remote Collector, you may need to do a "rekey" if the certificate was created at a time that is "in the future" compared to the Local Collector and Security Analytics. To do this:
    1. Select the Log Collector service for the Legacy Windows Remote Collector from the Services view.
    2. Click View > Explore.
    3. Right-click /event-broker/ssl and click Properties.
       The Properties dialog is displayed.
    4. Regenerate the certificate with the rekey command in the Properties dialog.
    5. Exchange the new certificate with Security Analytics by removing and re-adding the Legacy Windows logcollector service in Security Analytics.
  • Cause 2 - Synchronize the WLC clock with the LC clock.
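As an added example (not part of the RSA documentation or the product), the Python below pulls the "certificate expired" ERROR REPORT blocks out of a rabbitmq log in the format quoted above, recording the report time and the peer the shovel was trying to reach, and shows how a certificate's validity window is judged by a peer whose clock is skewed, which is the asymmetry behind Cause 1 and Cause 2. The log text is constructed from the lines quoted in this topic.

```python
import re
from datetime import datetime

# Constructed sample modelled on the rabbitmq log lines quoted in this topic (not a real capture).
SAMPLE_LOG = """\
=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
SSL: cipher: tls_connection.erl:375:Fatal error: certificate expired

=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
Shovel failed to connect to Host: "10.31.204.240" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch,
    {error,
      {tls_alert,
       "certificate expired"}}}
"""

# Header of each rabbitmq ERROR REPORT block, and the line naming the peer the shovel could not reach
REPORT_RE = re.compile(r"^=ERROR REPORT==== (\d{1,2}-[A-Za-z]{3}-\d{4}::\d{2}:\d{2}:\d{2}) ===$")
SHOVEL_RE = re.compile(r'Shovel failed to connect to Host: "([^"]+)" Port: (\d+)')

def parse_cert_errors(log_text):
    """Return the ERROR REPORT blocks mentioning 'certificate expired', with the
    report time and the peer host/port when the block names one."""
    blocks, current = [], None
    for line in log_text.splitlines():
        m = REPORT_RE.match(line)
        if m:  # new block starts; everything up to the next header is its body
            current = {"time": datetime.strptime(m.group(1), "%d-%b-%Y::%H:%M:%S"), "body": []}
            blocks.append(current)
        elif current is not None:
            current["body"].append(line)
    found = []
    for blk in blocks:
        body = "\n".join(blk["body"])
        if "certificate expired" not in body:
            continue
        peer = SHOVEL_RE.search(body)
        found.append({"time": blk["time"],
                      "host": peer.group(1) if peer else None,
                      "port": int(peer.group(2)) if peer else None})
    return found

def cert_status(not_before, not_after, verifier_clock, slack=None):
    """How a peer whose clock reads verifier_clock judges a certificate valid in
    [not_before, not_after] (datetimes or any comparable timestamps). A host with a
    fast clock issues certificates that peers see as 'not yet valid' (Cause 1); a host
    with a slow clock rejects a peer's freshly issued certificate the same way (Cause 2)."""
    low = not_before - slack if slack else not_before    # optional tolerance window
    high = not_after + slack if slack else not_after
    if verifier_clock < low:
        return "not yet valid"
    if verifier_clock > high:
        return "expired"
    return "ok"
```

Feeding the live logcollector@localhost.log or sa@localhost.log into parse_cert_errors gives the peer address and time to compare against the clocks of the hosts involved.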

Troubleshoot Collection Issues

Please refer to the troubleshooting instructions for each collection protocol for issues related to those protocols:

