000034877 - What to consider on RSA NetWitness when the admin password for the RSA core appliance or service has been changed.

Document created by RSA Customer Support Employee on Mar 16, 2017Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034877
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
IssueThe admin password has been configured but, these logs are still seen in /var/log/messages:
[Login] [audit] Failed login attempt for user 'admin' from, invalid password
[Login] [audit] Failed login attempt for user 'admin' from [EventStreamAnalysisIP]:49754, invalid password

[EventStreamAnalysisIP] = The IP of the ESA device.
CauseChanging the admin password can affect the connections of other devices, data sources, and services connected to it.
This can also be a symptom of dashboards that fail to properly load because the connection is interrupted or invalid.
ResolutionNote: If you change the username or password of an admin user that is connected with a data source, you must remove and re-add the Data Source(s).
 It is a good practice when changing the admin password to: 
  • Check the log, test the connections, and data sources after changing the admin password.
  • Change the admin password of each service from the default.
  • Create a different password for the admin account on each service.
Please consider the following reference before changing an admin password on Netwitness:
Reference: https://community.rsa.com/docs/DOC-63642