ESM: Duplicate Log Messages

Document created by RSA Information Design and Development on Nov 21, 2016. Last modified by RSA Information Design and Development on Feb 27, 2017.
Version 2

It is possible that you are collecting messages from the same event source on two or more Log Collectors. This topic describes the problem and ways to troubleshoot the issue.

Details

If the ESM aggregator detects the same events for the same event source on multiple Log Collectors, you receive a warning similar to the following:

    2015-03-17 15:25:29,221 [pool-1-thread-6] WARN  com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener -
    192.0.2.21-apache had a previous event only 0 seconds ago; likely because it exists on multiple log collectors

This warning message means that the 192.0.2.21-apache event source is being collected by more than one host. To see which hosts are collecting it, open the Administration > Event Sources view, select the Manage tab, and check the Log Collector column.
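Before removing any event sources, it helps to know how many of them are affected and how often the warning fires. The following POSIX shell function is an added example (not RSA's code): it reads ESM aggregator log text on stdin, keeps only the "exists on multiple log collectors" warnings shown above, and prints each affected event source with its hit count. The log lines are constructed for the example; the page does not name the log file, so pipe in whichever log holds the EsmStatEventListener output on your Security Analytics server.

```shell
#!/bin/sh
# Constructed sample of ESM aggregator log output (not from a real system).
# It mirrors the two-line warning layout from the page: the logger line,
# then a line that starts with the "<ip>-<parser>" event source name.
SAMPLE_LOG='2015-03-17 15:25:29,221 [pool-1-thread-6] WARN  com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener -
192.0.2.21-apache had a previous event only 0 seconds ago; likely because it exists on multiple log collectors
2015-03-17 15:25:30,002 [pool-1-thread-2] INFO  com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener - heartbeat ok
2015-03-17 15:25:31,118 [pool-1-thread-6] WARN  com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener -
192.0.2.21-apache had a previous event only 1 seconds ago; likely because it exists on multiple log collectors
2015-03-17 15:25:33,400 [pool-1-thread-4] WARN  com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener -
198.51.100.7-winevent_nic had a previous event only 0 seconds ago; likely because it exists on multiple log collectors'

# duplicate_sources: read log text on stdin; print "<event source> <hits>"
# for every event source that triggered the multiple-collectors warning,
# sorted by event source name. Non-warning lines are ignored.
duplicate_sources() {
  grep 'likely because it exists on multiple log collectors' \
    | awk '{ print $1 }' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }' \
    | sort
}

# duplicate_sources_over: same, but only sources with more than $1 hits,
# useful for separating a chronic double-collection from a one-off blip.
duplicate_sources_over() {
  duplicate_sources | awk -v min="$1" '$2 > min { print }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | duplicate_sources
```

Run it against a live log with `duplicate_sources < /path/to/esm.log` (path assumed) and compare the names it prints with the Log Collector column in the Event Sources view.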

Clean Up Duplicate Messages

  1. Stop collectd on Security Analytics and Log Decoders:

    service collectd stop

  2. Remove the ESM Aggregator persisted file on Security Analytics:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.
    1. Navigate to the Log Decoder REST, at http://<LD_IP_Address>:50102.
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel on the Event Sources Manage tab, select all event sources and then click the - (Remove) icon to remove them.