000033973 - RSA Security Operations Management not aggregating Events properly when using Syslog

Document created by RSA Customer Support Employee on Sep 8, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000033973
Applies To:
RSA Product Set: Security Management
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.3
Platform: Windows
 
Issue
1.  Have a syslog data source sending Alerts over to RSA Archer SecOps 1.3.
2.  Change the Incident Status field value from "New" to any other value (Assigned for example).
3.  Save the Incident Record.
4.  Notice when additional Security Events and/or Alerts come through, a new Security Incident is not created.
5.  Notice that the Security Event is created but is not associated to any Security Alert or Security Incident.
Here is an example of the error reported in the Collector.log file:
14 Mar 2016 15:46:28,909 | ERROR - AbstractStep.execute(225) | Encountered an error executing step sendSylogIncidentToArcher in job pushSyslogEvents
com.rsa.connector.framework.components.datastore.archer.exception.ArcherComunicationException: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> The content XXXXXX in field Security Alerts violates the maximum value of 1 established in the related field.
The content XXXXXXX in field Security Alerts violates the maximum value of 1 established in the related field.

 at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.executeMessage(SyslogIncidentAddedTasklet.java:229)
 at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.parseMessage(SyslogIncidentAddedTasklet.java:157)
 at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.execute(SyslogIncidentAddedTasklet.java:121)
 at org.springframework.batch.core.step.tasklet.TaskletStep$ChunkTransactionCallback.doInTransaction(TaskletStep.java:406)
 at org.springframework.batch.core.step.tasklet.TaskletStep$ChunkTransactionCallback.doInTransaction(TaskletStep.java:330)
 at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133)
 at org.springframework.batch.core.step.tasklet.TaskletStep$2.doInChunkContext(TaskletStep.java:271)
 at org.springframework.batch.core.scope.context.StepContextRepeatCallback.doInIteration(StepContextRepeatCallback.java:77)
 at org.springframework.batch.repeat.support.RepeatTemplate.getNextResult(RepeatTemplate.java:368)
 at org.springframework.batch.repeat.support.RepeatTemplate.executeInternal(RepeatTemplate.java:215)
 at org.springframework.batch.repeat.support.RepeatTemplate.iterate(RepeatTemplate.java:144)
 at org.springframework.batch.core.step.tasklet.TaskletStep.doExecute(TaskletStep.java:257)
 at org.springframework.batch.core.step.AbstractStep.execute(AbstractStep.java:198)
 at org.springframework.batch.core.job.SimpleStepHandler.handleStep(SimpleStepHandler.java:148)
 at org.springframework.batch.core.job.flow.JobFlowExecutor.executeStep(JobFlowExecutor.java:64)
 at org.springframework.batch.core.job.flow.support.state.StepState.handle(StepState.java:67)
 at org.springframework.batch.core.job.flow.support.SimpleFlow.resume(SimpleFlow.java:165)
 at org.springframework.batch.core.job.flow.support.SimpleFlow.start(SimpleFlow.java:144)
 at org.springframework.batch.core.job.flow.FlowJob.doExecute(FlowJob.java:134)
 at org.springframework.batch.core.job.AbstractJob.execute(AbstractJob.java:304)
 at com.rsa.srm.collector.batch.PasswordAwareSimpleJobLauncher$1.run(PasswordAwareSimpleJobLauncher.java:99)
 at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:50)
 at com.rsa.srm.collector.batch.PasswordAwareSimpleJobLauncher.run(PasswordAwareSimpleJobLauncher.java:93)
 at com.rsa.srm.collector.syslog.listener.SyslogMessageHandler$QueueWorker.executeWorkflow(SyslogMessageHandler.java:170)
 at com.rsa.srm.collector.syslog.listener.SyslogMessageHandler$QueueWorker.run(SyslogMessageHandler.java:157)
Caused by: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> The content 318493 in field Security Alerts violates the maximum value of 1 established in the related field.
The content XXXXXXX in field Security Alerts violates the maximum value of 1 established in the related field.
 at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:158)
 at com.sun.proxy.$Proxy76.createRecord(Unknown Source)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper$CreateRecordCallback.call(ArcherWSHelper.java:721)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.callArcher(ArcherWSHelper.java:399)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.createRecord(ArcherWSHelper.java:324)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.writeRecord(ArcherWSHelper.java:290)
 at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.createRecord(ArcherWSHelper.java:213)
 at com.rsa.connector.framework.components.datastore.archer.ArcherDataStore.putData(ArcherDataStore.java:594)
 at com.rsa.connector.framework.components.datastore.archer.ArcherDataStore.handleData(ArcherDataStore.java:443)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
 at org.springframework.aop.framework.adapter.AfterReturningAdviceInterceptor.invoke(AfterReturningAdviceInterceptor.java:52)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
 at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
 at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
 at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
 at com.sun.proxy.$Proxy28.handleData(Unknown Source)
 at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.executeMessage(SyslogIncidentAddedTasklet.j
Cause
This is a known defect that was addressed via ARCHER-24810.
Resolution
1.  If you must utilize SecOps 1.3, then you will need to utilize Security Analytics Incident Management (only available if your data source is Security Analytics).
2.  Upgrade to SecOps 1.3.1.
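
A triage check for the log signature shown in the Issue section, as an added example (not RSA's code): it groups Collector.log entries with their continuation lines and reports the ERROR entries where the sendSylogIncidentToArcher step failed with the "maximum value of 1" fault. The entry header layout is inferred from the single excerpt above, and the sample log and its content IDs are constructed.

```python
import re

# Entry header, e.g. "14 Mar 2016 15:46:28,909 | ERROR - AbstractStep.execute(225) | ..."
ENTRY_RE = re.compile(r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) \| (\w+)\s+- ")
# Fault text as quoted in the article; the content value is whatever token was logged.
FAULT_RE = re.compile(r"The content (\S+) in field Security Alerts violates the maximum value of 1")
STEP_MARKER = "step sendSylogIncidentToArcher in job pushSyslogEvents"  # spelled as logged

# Constructed sample in the shape of the article's excerpt (content IDs and INFO line are made up).
SAMPLE_LOG = """\
14 Mar 2016 15:46:20,101 | INFO  - Constructed.line(1) | constructed informational entry
14 Mar 2016 15:46:28,909 | ERROR - AbstractStep.execute(225) | Encountered an error executing step sendSylogIncidentToArcher in job pushSyslogEvents
com.rsa.connector.framework.components.datastore.archer.exception.ArcherComunicationException: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> The content 100001 in field Security Alerts violates the maximum value of 1 established in the related field.
The content 100001 in field Security Alerts violates the maximum value of 1 established in the related field.
 at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.executeMessage(SyslogIncidentAddedTasklet.java:229)
14 Mar 2016 15:47:02,330 | ERROR - AbstractStep.execute(225) | Encountered an error executing step sendSylogIncidentToArcher in job pushSyslogEvents
java.net.ConnectException: Connection refused
14 Mar 2016 15:48:11,004 | ERROR - AbstractStep.execute(225) | Encountered an error executing step sendSylogIncidentToArcher in job pushSyslogEvents
The content 100002 in field Security Alerts violates the maximum value of 1 established in the related field.
"""


def split_entries(text):
    """Group each header line with the continuation lines (message, stack trace) below it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": m.group(2), "lines": [line]})
        elif entries:
            entries[-1]["lines"].append(line)
    return entries


def find_aggregation_failures(text):
    """Return (timestamp, content IDs) for each ERROR entry carrying the fault signature."""
    hits = []
    for e in split_entries(text):
        if e["level"] != "ERROR" or STEP_MARKER not in e["lines"][0]:
            continue  # other levels and other steps are not this defect
        ids = sorted(set(FAULT_RE.findall("\n".join(e["lines"]))))
        if ids:  # the step can fail for other reasons, so require the fault text too
            hits.append((e["ts"], ids))
    return hits


if __name__ == "__main__":
    for ts, ids in find_aggregation_failures(SAMPLE_LOG):
        print(ts, "rejected Security Alerts link for content", ", ".join(ids))
```

Each hit marks a Security Event that, per the Issue steps, was created without being associated to a Security Alert or Security Incident.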
