000034225 - RSA Security Analytics IM service immediately stops after being started

Document created by RSA Customer Support Employee on Oct 26, 2016Last modified by RSA Customer Support on May 6, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034225
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type:
Incident Management
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6

 
Issue
The RSA Security Analytics IM service immediately stops after being started.
  
   Pressing the "Test Connection" button in the "Add Device" or "Edit Device" dialog boxes displays the following error:  
  

Test Connection Failed


  

When checking the status of the IM service, the service is found not to be running. 



  

[root@SACSSA ~]# service rsa-im status
RSA NetWitness IM :: Server is not running.


  

Attempting to start the service is successful:



  

[root@SACSSA ~]# service rsa-im start
Starting RSA NetWitness IM :: Server...

[root@SACSSA ~]# service rsa-im status
RSA NetWitness IM :: Server is running (3718).


  

However, after a few seconds, the following 2 commands indicate that the service is no longer listening, as the service has stopped again.



  

[root@SACSSA ~]# netstat -anp | grep :50040

[root@SACSSA ~]# service rsa-im status
RSA NetWitness IM :: Server is not running

   The following error message appears in the /opt/rsa/im/logs/im.log file:

  

\[pool-5-thread-109] ERROR com.rsa.smc.im.integration.IncidentMessageBusImporter - Error occurred in the onMessage methodTimed out
while waiting for a server that matches AnyServerSelector{} after 10000 ms ; nested exception is com.mongodb.MongoTimeoutException:
Timed out while waiting for a server that matches AnyServerSelector{} after 10000 ms

    

  

 


  
 
Cause

The issue is due to the fact that the following part of the error message above in the /opt/rsa/im/logs/im.log file, "waiting for a server that matches AnyServerSelector{} after 10000 ms",  is normally an indication of either an IP address issue or a hostname issue.



The hostname specified in the loopback address specified in the /etc/hosts file must match the HOSTNAME specified in the /etc/sysconfig/network file, as shown below.


[root@SACSSA ~]# cat /etc/hosts
# Created by NetWitness Installer on Wed Nov 18 23:54:59 UTC 2015
127.0.0.1 SACSSASERVER localhost localhost.localdomain localhost4 localhost4.localdomain4 puppetmaster.local
::1 SACSSA  localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@SACSSA ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=SACSSA
IPV6_DEFAULTGW=
Resolution
  1. Make the hostnames in both the /etc/hosts and the /etc/sysconfig/network files consistent.

    In this case, we can edit the /etc/hosts file.

    Edit the /etc/sysconfig/network file, so the contents appear as follows:




    127.0.0.1 SACSSA localhost localhost.localdomain localhost4 localhost4.localdomain4 puppetmaster.local
    ::1 SACSSA  localhost localhost.localdomain localhost6 localhost6.localdomain6

  2. Restart the following services using the commands listed below: puppetmaster, rsa-sms, nwappliance, rabbitmq, collectd, im

    # service puppetmaster restart
    # service rsa-sms restart
    # restart nwappliance
    # service rabbitmq-server restart
    # service collectd restart
    # service rsa-im restart

     
  3. Check the status of the IM service by running the following command:


# service rsa-im status

 

Note: There might be a requirement of rebooting the RSA Security Analytics server to reflect the changes.

Attachments

    Outcomes