000034225 - RSA Security Analytics IM service is immediately stopping after being started

Document created by RSA Customer Support Employee on Oct 26, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034225
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type:
Incident Management
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6

 
Issue
The RSA Security Analytics IM service is immediately stopping after being started.
   When using the 'Test Connection' button in the 'Add Device' or 'Edit Device' dialog box, the following error is shown:  Test Connection Failed
  

The IM service is found not to be running using the following command:


  

  

[root@SACSSA ~]# service rsa-im status
   RSA NetWitness IM :: Server is not running.


  

  

 


  

Attempting to start the service is successful:


  

  

[root@SACSSA ~]# service rsa-im start
   Starting RSA NetWitness IM :: Server...
   [root@SACSSA ~]# service rsa-im status
   RSA NetWitness IM :: Server is running (3718).


  

  


   However after 1-2 sec, the following 2 commands indicate that the service is no longer listening to required as the service has stopped again.


  
[root@SACSSA ~]# netstat -anp | grep :50040
   [root@SACSSA ~]# service rsa-im status
   RSA NetWitness IM :: Server is not running

  
   The following message appears in the /opt/rsa/im/logs/im.log file:
  
\[pool-5-thread-109] ERROR com.rsa.smc.im.integration.IncidentMessageBusImporter - Error occurred in the onMessage methodTimed out 
while waiting for a server that matches AnyServerSelector{} after 10000 ms ; nested exception is com.mongodb.MongoTimeoutException:
Timed out while waiting for a server that matches AnyServerSelector{} after 10000 ms

    
  

 


  
 
CauseThe issue is due to the fact that "waiting for a server that matches AnyServerSelector{} after 10000 ms"  is normally an indication of either IP address issue or hostname.
The hostname specified in the loopback address specified in the /etc/hosts file must match the HOSTNAME specified in the /etc/sysconfig/network file, as shown below.
[root@SACSSA ~]# cat /etc/hosts
# Created by NetWitness Installer on Wed Nov 18 23:54:59 UTC 2015
127.0.0.1 SACSSASERVER localhost localhost.localdomain localhost4 localhost4.localdomain4 puppetmaster.local
::1 SACSSA  localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@SACSSA ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=SACSSA
IPV6_DEFAULTGW=
Resolution

1. Make the hostnames in the /etc/hosts and /etc/sysconfig/network files consistent.



In this case we can edit /etc/hosts
Edit /etc/sysconfig/network so contents appear as:



127.0.0.1 SACSSA localhost localhost.localdomain localhost4 localhost4.localdomain4 puppetmaster.local
::1 SACSSA  localhost localhost.localdomain localhost6 localhost6.localdomain6




2. Restarted following services:-
correct the same and restarted the puppetmaster , rsa-sms , nwappliance , rabbitmq,collected
         service puppetmaster restart
         service rsa-sms restart
         restart nwappliance
         service rsa-im restart
         service rsa-im status
Note: There might be a requirement of rebooting SA server to reflect changes.

Attachments

    Outcomes