000034694 - System logs are not logging into /var/log/messages in RSA NetWitness

Document created by RSA Customer Support Employee on Jan 19, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000034694
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6
Issue: System logs are not logging into /var/log/messages on SA Appliances.
Cause: This can happen if the /etc/rsyslog.conf file is corrupted or crashed.
Resolution: To resolve the issue, SSH to the appliance and run the following commands in the shell:
1. Stop the rsyslog service
     service rsyslog stop
2. Reinstall the rsyslog package
     yum reinstall rsyslog
3. Start the rsyslog service
     service rsyslog start
4. Restart the RSA NetWitness services
     restart nwdecoder
Note: replace the keyword nwdecoder with the name of the appropriate service running on your appliance:
nwdecoder: Packet Decoder
nwlogdecoder: Log Decoder
nwconcentrator: Concentrator
nwlogcollector: Log Collector (whether it's installed locally with the logdecoder or remotely from the logdecoder)
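
The following script is an added example, not part of the RSA article: it checks whether /etc/rsyslog.conf still has an active rule writing to /var/log/messages and whether a test message actually arrives there, so the result can be compared before and after the steps above. The function names and the --check switch are hypothetical, and only the main config file is inspected (rules in included files are an assumption left out).

```shell
#!/bin/sh
# Added example (not RSA's code). Paths default to the CentOS 6 locations
# named in the article; function names are hypothetical.

# Return 0 if the rsyslog config has an active (uncommented) rule whose
# action is the given file, 1 if it has none, 2 if the config is unreadable.
has_file_rule() {
    conf=$1; target=$2
    [ -r "$conf" ] || return 2
    awk -v t="$target" '
        /^[ \t]*#/ { next }                                  # skip comments
        NF >= 2 && ($NF == t || $NF == ("-" t)) { found = 1 } # "-" = no sync
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Send a uniquely tagged message through syslog and return 0 if it shows up
# in the log file within about five seconds.
test_message_arrives() {
    logfile=$1
    tag="nwlogcheck-$$-$(date +%s)"
    logger -p user.info -t "$tag" "rsyslog delivery test"
    i=0
    while [ "$i" -lt 5 ]; do
        grep -q "$tag" "$logfile" 2>/dev/null && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}

# Run both checks and report which one failed.
check_syslog() {
    conf=${1:-/etc/rsyslog.conf}; logfile=${2:-/var/log/messages}
    has_file_rule "$conf" "$logfile" ||
        { echo "FAIL: no active rule for $logfile in $conf"; return 1; }
    test_message_arrives "$logfile" ||
        { echo "FAIL: test message did not reach $logfile"; return 1; }
    echo "OK: $logfile is receiving syslog messages"
}

# Only run against the live system when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then check_syslog; fi
```

Run it as root with --check, since /var/log/messages is normally readable only by root.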