Troubleshoot Log Collection Configuration

Document created by RSA Information Design and Development on Nov 22, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 10
  

This topic describes problems that you may encounter when you configure Log Collection and suggests solutions to them.

Troubleshoot Remote Collector Configuration Issues

The log messages described in the following table are written to:

  • For a Push configuration: C:\NetWitness\ng\logcollector\rabbitmq\log\logcollector@localhost.log on the Windows Legacy Collector server.
  • For a Pull configuration: /var/log/rabbitmq/sa@localhost.log on the Log Decoder host on which the Local Collector is running.
Log message

Configuration: Any (Push or Pull)

Any log message with "certificate expired" as part of the message. For example:

=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
SSL: cipher: tls_connection.erl:375:Fatal error: certificate expired
=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
Shovel failed to connect to Host: "10.31.204.240" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch,{error,
{tls_alert,
"certificate expired"}}}
Possible causes

A "certificate expired" message means that the clock on the SA service host and the clock on one or more hosts running the Log Collector service are not synchronized. A certificate is valid only between its notBefore and notAfter dates, and the host that verifies a peer certificate checks those dates against its own clock, so a certificate created on a host whose clock is ahead is not yet valid as far as its peers are concerned. The Erlang TLS stack that RabbitMQ uses reports that case and a genuinely expired certificate with the same "certificate expired" alert, which is why a clock that is running ahead produces the message shown above. The following scenarios cause this error.

The SA service host and the Local Collector host clocks are synchronized, but the Windows Legacy Collector (WLC) clock is:

  • Cause 1 - Ahead of (in the future relative to) the Local Collector host and the SA host.
  • Cause 2 - Behind (in the past relative to) the Local Collector host and the SA host.
    A WLC clock that is behind still works if the WLC is configured to Push events to the Local Collector. However, if the Local Collector is configured to Pull events from the WLC, the WLC rejects the Local Collector certificate as invalid, because its validity start date is ahead of (in the future relative to) the WLC clock.
Solutions

For either cause, make sure that the clocks of the SA host and of all Remote and Local Collector hosts are synchronized. Synchronize the clocks before you regenerate any certificate: a certificate created while the WLC clock is still ahead has the same problem as the one it replaces.

  • Cause 1 - For a Windows Legacy Collector, you may also need to "rekey" if the certificate was created at a time that is in the future compared to the Local Collector and Security Analytics. To do this:
    1. In the Services view, select the Log Collector service for the Windows Legacy Collector.
    2. Click View > Explore.
    3. Right-click /event-broker/ssl and click Properties.
       The Properties dialog is displayed.
    4. Regenerate the certificate with the rekey command in the Properties dialog.
    5. Exchange the new certificate with Security Analytics by removing and re-adding the Windows Legacy Collector's Log Collector service in Security Analytics.
  • Cause 2 - Synchronize the WLC clock with the Local Collector and SA hosts.
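The clock-skew reasoning above, worked through in code. This is an added example, not RSA or NetWitness code: it models Cause 1 and Cause 2 for both a Push and a Pull shovel, gives a skew check to run once you have each host's time, and flags the failing shovel endpoint in a RabbitMQ log such as the excerpt above. It assumes two things the page does not state: that a collector's certificate is issued with that host's own clock as its notBefore date, and that the host accepting the shovel connection validates the connecting host's certificate against its own clock (Push: the Local Collector validates the WLC certificate; Pull: the WLC validates the Local Collector certificate). Those assumptions reproduce every outcome the page states, and under them a WLC clock that is ahead breaks only the Push direction. The host, port and virtual host in SAMPLE_LOG are the ones in the page's excerpt; the two-hour skew, the five-minute tolerance and the host names in EXAMPLE_CLOCKS are constructed for the example.

```python
"""Added example (not RSA or NetWitness code): why a skewed Windows Legacy
Collector (WLC) clock makes the RabbitMQ shovel log 'certificate expired',
plus a skew check and a log scan for the failing shovel endpoint.

Assumptions (not statements about the product's TLS configuration):
  * a collector certificate is issued with that host's own clock as notBefore;
  * the host that ACCEPTS the shovel connection validates the connecting
    host's certificate against its own clock.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime


def issue_cert(subject: str, issuer_clock: datetime, lifetime_days: int = 365) -> Cert:
    """Self-signed collector certificate: the validity window opens at the issuer's clock."""
    return Cert(subject, issuer_clock, issuer_clock + timedelta(days=lifetime_days))


def validate_time(cert: Cert, verifier_clock: datetime) -> Optional[str]:
    """Validity-window check as Erlang's public_key library performs it:
    'not yet valid' and 'past notAfter' both come back as the single error
    'certificate expired', so a clock that is merely AHEAD still yields it."""
    if cert.not_before <= verifier_clock <= cert.not_after:
        return None
    return "certificate expired"


def shovel_result(mode: str, wlc_clock: datetime, lc_clock: datetime) -> Optional[str]:
    """Outcome of the TLS handshake for a Push ('push') or Pull ('pull') shovel."""
    wlc_cert = issue_cert("wlc", wlc_clock)
    lc_cert = issue_cert("lc", lc_clock)
    if mode == "push":   # WLC connects to the LC: the LC checks the WLC certificate
        return validate_time(wlc_cert, lc_clock)
    if mode == "pull":   # LC connects to the WLC: the WLC checks the LC certificate
        return validate_time(lc_cert, wlc_clock)
    raise ValueError(f"unknown mode {mode!r}")


LC_CLOCK = datetime(2015, 4, 7, 11, 2, 7)   # constructed: timestamp from the page's log excerpt


def skew_matrix(skew: timedelta = timedelta(hours=2)) -> Dict[Tuple[str, str], Optional[str]]:
    """Cause 1 (WLC ahead) and Cause 2 (WLC behind) for both configurations."""
    clocks = {"synced": LC_CLOCK, "ahead": LC_CLOCK + skew, "behind": LC_CLOCK - skew}
    return {(mode, name): shovel_result(mode, wlc_clock, LC_CLOCK)
            for mode in ("push", "pull") for name, wlc_clock in clocks.items()}


def skewed_hosts(clocks: Dict[str, datetime], reference: str,
                 tolerance: timedelta = timedelta(minutes=5)) -> List[str]:
    """Hosts whose clock differs from the reference host (the SA host) by more than tolerance."""
    ref = clocks[reference]
    return sorted(host for host, clock in clocks.items() if abs(clock - ref) > tolerance)


# Constructed host times: SA and LC agree, the WLC runs two hours ahead (Cause 1).
EXAMPLE_CLOCKS = {"sa": LC_CLOCK, "lc": LC_CLOCK, "wlc": LC_CLOCK + timedelta(hours=2)}

# Constructed from the two log excerpts on the page.
SAMPLE_LOG = """=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
SSL: cipher: tls_connection.erl:375:Fatal error: certificate expired
=ERROR REPORT==== 7-Apr-2015::11:02:07 ===
Shovel failed to connect to Host: "10.31.204.240" Port: 5671 VirtualHost: <<"logcollection">>: error:{badmatch,{error,
{tls_alert,
"certificate expired"}}}
"""

# [^=] keeps a match inside one =ERROR REPORT block, so unrelated errors are not joined.
SHOVEL_RE = re.compile(
    r'Shovel failed to connect to Host: "(?P<host>[^"]+)" Port: (?P<port>\d+) '
    r'VirtualHost: <<"(?P<vhost>[^"]+)">>[^=]*?"certificate expired"')


def find_cert_expired_shovels(log_text: str) -> List[Tuple[str, int, str]]:
    """(host, port, vhost) of every shovel that failed with a certificate-expired TLS alert."""
    return [(m["host"], int(m["port"]), m["vhost"]) for m in SHOVEL_RE.finditer(log_text)]


if __name__ == "__main__":
    for (mode, name), outcome in skew_matrix().items():
        print(f"{mode:4} WLC {name:6}: {outcome or 'handshake ok'}")
    print("skewed:", skewed_hosts(EXAMPLE_CLOCKS, "sa"))
    print("failing shovels:", find_cert_expired_shovels(SAMPLE_LOG))
```

Run it directly to print the outcome matrix. To use skewed_hosts against real hosts, collect each host's UTC time (for example from date -u on the Log Decoder and SA hosts and w32tm /query /status on the WLC) and pass them in with the SA host as the reference; any host it lists should be synchronized before you rekey.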

Troubleshoot Collection Issues

For issues with a specific collection protocol, refer to the troubleshooting instructions for that protocol.
