000034274 - Cannot Create New Event Sources after Upgrade to 10.6.1 in RSA Netwitness Log Collector

Document created by RSA Customer Support Employee on Nov 2, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000034274
Applies To:
RSA Product Set: Netwitness for Logs
RSA Product/Service Type: Netwitness Log Collector
RSA Version/Condition: 10.6.1
Platform: CentOS
O/S Version: EL6
When trying to configure new event sources from the Security Analytics UI, the following error appears:

Exception: caught exception while creating new collection configuration: Failed to validate new configuration

Type spec files are removed or damaged. This happens because, during the upgrade of the NwLogCollector RPM, the post-install script removes the type spec files delivered by the previous Log Collector version.
The issue has been permanently resolved in Security Analytics version 10.6.2.

As a workaround, add the type spec files attached below.

  • Extract the contents of the attachment. 
  • Stop the nwlogcollector service using the command: stop nwlogcollector
  • Open an SSH session to the Log Collector and navigate to the type spec file directory using the command: cd /etc/netwitness/ng/logcollection/content/collection
  • Using WinSCP (or any similar program), copy the extracted files onto the Log Collector under their corresponding log collection type. 
  • Start the nwlogcollector service using the command: start nwlogcollector
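
A read-only check for the copy step above, as an added example that is not part of the RSA article: it lists files from the extracted attachment that are missing or differ under the type spec directory. It assumes the extracted attachment has one subdirectory per collection type and that a copy of it is staged on the Log Collector; the function name `missing_typespecs` is hypothetical.

```shell
#!/bin/sh
# Added example (not RSA code): compare the extracted attachment with the
# type spec directory on the Log Collector. Read-only; nothing is copied.
# Assumption: SRC_DIR holds one subdirectory per collection type, mirroring
# the layout under the collector's content directory.

COLLECTION_DIR="/etc/netwitness/ng/logcollection/content/collection"  # path from the article

# missing_typespecs SRC_DIR [DEST_DIR]
# Prints "MISSING <relpath>" or "DIFFERS <relpath>" for each file in SRC_DIR.
# Returns 0 if all files are in place, 1 if any is missing or differs,
# 2 on bad arguments.
missing_typespecs() {
    src=$1
    dest=${2:-$COLLECTION_DIR}
    if [ ! -d "$src" ] || [ ! -d "$dest" ]; then
        echo "usage: missing_typespecs SRC_DIR [DEST_DIR]" >&2
        return 2
    fi
    status=0
    # The file list goes to a temp file so the loop runs in the current
    # shell and can update $status.
    list=$(mktemp) || return 2
    (cd "$src" && find . -type f) | sort > "$list"
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$dest/$rel" ]; then
            echo "MISSING $rel"
            status=1
        elif ! cmp -s "$src/$rel" "$dest/$rel"; then
            echo "DIFFERS $rel"
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return $status
}
```

Run it after the copy and before starting the service; no output and exit status 0 mean every file from the attachment is in place.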