|Applies To||RSA Product Set: NetWitness|
RSA Product/Service Type: Log Collector, Log Decoder
RSA Version/Condition: 10.4 and above
|Issue||McAfee ePO is integrated with a Virtual Log Collector (VLC), and the VLC logs show that events are being published. However, the events cannot be found when navigating the Concentrator in the UI.|
Neither the VLC nor the Log Decoder (LD) shows any errors relevant to this event source.
/var/log/messages from the VLC:
Oct 24 04:27:04 PDMVIVLC NwLogCollector: [OdbcCollection] [info] [odbc:WrkUnit:25760] [publishEvents:481] [epolicyvirus4_5.ePO][processing] [ePO] [processing] Published 208 ODBC events: last tracking id: 2016-10-24 04:26:53.333
Oct 24 04:51:16 PDMVIVLC NwLogCollector: [OdbcCollection] [info] [odbc:WrkUnit:25761] [publishEvents:481] [epolicyvirus4_5.ePO][processing] [ePO] [processing] Published 142 ODBC events: last tracking id: 2016-10-24 04:51:01.350
/var/log/messages from the LD: no entries relevant to this event source.
Troubleshooting steps performed:
- Verify, while navigating the Concentrator, that the logs are not being parsed under another device type or under Unknown.
- Verify that Test Connection succeeds in the event source configuration.
- Verify with the customer whether a customized typespec file is in use.
- Make sure the Concentrator does not have a large sessions-behind count (aggregation lag from the Log Decoder).
- Check that all queues are healthy, with no stuck RDQs:
#rabbitmqctl list_queues -p logcollection consumers name messages
- Try integrating McAfee ePO with the Local Collector instead of the Virtual Log Collector, to test whether the logs then appear when navigating the Concentrator.
- Verify whether RDQs are being generated on the VLC by stopping rabbitmq-server on the LD; the RDQs should then pile up in the VLC's ODBC queue.
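The two queue checks above (stuck queues, and RDQs piling up on the VLC once the LD's rabbitmq-server is stopped) can be read off the rabbitmqctl output mechanically. The following is an added example and not part of the article or of NetWitness tooling: it parses the output of the `rabbitmqctl list_queues -p logcollection consumers name messages` command, flags queues that hold messages but have no consumer, and compares two snapshots taken before and after stopping rabbitmq-server on the LD. The snapshot text and the queue names (logcollection.odbc and so on) are constructed for the demo; the "no consumer plus backlog means stuck" heuristic is an assumption.

```python
"""Parse rabbitmqctl list_queues output and reason about backlog.

Added example, not NetWitness code. Snapshots and queue names below are
constructed to resemble the output of
  rabbitmqctl list_queues -p logcollection consumers name messages
whose columns come back in the requested order: consumers, name, messages.
"""
import subprocess

# Constructed snapshot with the LD's rabbitmq-server running.
SNAPSHOT_BEFORE = """Listing queues ...
1\tlogcollection.odbc\t0
1\tlogcollection.file\t0
0\tlogcollection.syslog\t37
"""

# Constructed snapshot a few minutes after stopping rabbitmq-server on the LD:
# the shovel consumer has gone away and the ODBC collector keeps publishing.
SNAPSHOT_AFTER = """Listing queues ...
0\tlogcollection.odbc\t350
0\tlogcollection.file\t0
0\tlogcollection.syslog\t37
"""


def parse_list_queues(text):
    """Return {queue_name: (consumers, messages)}.

    Skips the "Listing queues ..." banner, the column header that newer
    rabbitmqctl versions print, and blank lines.
    """
    queues = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3 or not parts[0].isdigit() or not parts[2].isdigit():
            continue
        consumers, name, messages = parts
        queues[name] = (int(consumers), int(messages))
    return queues


def stuck_queues(queues):
    """Queues holding messages with nobody consuming them (assumed 'stuck')."""
    return sorted(name for name, (consumers, messages) in queues.items()
                  if messages > 0 and consumers == 0)


def backlog_growth(before, after):
    """Per-queue change in message count between two snapshots.

    Growth on the ODBC queue while the LD's rabbitmq is stopped shows that
    the VLC is still generating RDQs, which is the test the article describes.
    """
    return {name: after[name][1] - before[name][1]
            for name in after
            if name in before and after[name][1] != before[name][1]}


def live_snapshot(vhost="logcollection"):
    """Take a real snapshot on the appliance (not used by the offline demo)."""
    out = subprocess.run(
        ["rabbitmqctl", "list_queues", "-p", vhost, "consumers", "name", "messages"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_list_queues(out)


if __name__ == "__main__":
    before = parse_list_queues(SNAPSHOT_BEFORE)
    after = parse_list_queues(SNAPSHOT_AFTER)
    print("stuck before:", stuck_queues(before))
    print("stuck after stopping LD rabbitmq:", stuck_queues(after))
    print("growth:", backlog_growth(before, after))
```

On a live VLC, replace the two constructed snapshots with two calls to live_snapshot() a few minutes apart; a queue that appears in stuck_queues() while the LD is healthy deserves attention, whereas growth on the ODBC queue after the LD's rabbitmq-server is stopped is the expected, healthy outcome of the test in the last step above.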
Steps followed to resolve this issue:
- Collect the RDQs that have piled up on the VLC in the RabbitMQ msg_store_persistent directory.
- Extract the RDQs with the NwEventReader tool, as described in the article below:
- While analyzing the extracted RDQs, observe that lc.srcid does not contain the actual event source IP.
- Consider this statement from the functional spec guide: "If the addressColumn entry is specified in the typespec definition, the value under this column gets populated in the collection meta-data with the lc.srcid tag. If the typespec definition indicates that the field is "static", then the specified static value is used." With <addressColumn>AnalyzerIPV4</addressColumn> in the ePO typespec, lc.srcid is populated from each row's AnalyzerIPV4 column (the address of the endpoint that reported the event) rather than from the address of the configured event source, which is why the events are not found under the McAfee event source in the Concentrator.
a. SSH to the VLC.
b. Go to the location of the typespec file.
c. Edit this file and search for <addressColumn>AnalyzerIPV4</addressColumn>.
d. Remove that addressColumn element from the typespec file (keep a backup of the original first).
e. Restart ODBC collection and the Log Collector service.
- Observe the changes for some time; all logs from the McAfee event source should now be visible. Note that after this change lc.srcid no longer carries the per-endpoint AnalyzerIPV4 address, and the edit affects every ePO event source that uses this typespec.
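To make the root cause concrete, the following is an added example (not NetWitness code and not from the article): it models the lc.srcid rule quoted above against a few constructed ePO rows, shows which rows would be tagged with something other than the event source address, and then performs steps c and d by removing the addressColumn element from the typespec XML, with a backup of the original file. The typespec text is a constructed fragment in which only <addressColumn>AnalyzerIPV4</addressColumn> comes from the article; the static="true" attribute syntax and the fallback to the event source address when no addressColumn is present are assumptions, since the page shows neither.

```python
"""Model the lc.srcid rule and apply the typespec fix.

Added example, not NetWitness code. TYPESPEC_XML is a constructed fragment
(real typespec files carry many more elements); the static="true" attribute
and the fallback to the event source address are assumptions.
"""
import shutil
import xml.etree.ElementTree as ET

# Constructed typespec fragment; only the addressColumn element is from the article.
TYPESPEC_XML = """<typespec>
  <name>epolicyvirus4_5</name>
  <type>odbc</type>
  <configuration>
    <addressColumn>AnalyzerIPV4</addressColumn>
    <trackingColumn>ReceivedUTC</trackingColumn>
  </configuration>
</typespec>
"""

EPO_SERVER = "10.0.0.5"  # address configured on the ePO event source (constructed)

# Constructed rows shaped like what the ODBC collector pulls from the ePO database.
SAMPLE_ROWS = [
    {"ReceivedUTC": "2016-10-24 04:26:53.333", "AnalyzerIPV4": "10.20.30.41"},
    {"ReceivedUTC": "2016-10-24 04:26:54.100", "AnalyzerIPV4": "10.20.30.42"},
    {"ReceivedUTC": "2016-10-24 04:26:55.500", "AnalyzerIPV4": ""},  # NULL column
]


def parse_typespec(xml_text):
    return ET.fromstring(xml_text)


def resolve_lc_srcid(typespec_root, row, event_source_address):
    """Apply the quoted rule to one row.

    addressColumn present -> the row's value in that column
    addressColumn static  -> the fixed value (attribute name assumed)
    no addressColumn      -> the configured event source address (assumed default)
    """
    elem = typespec_root.find(".//addressColumn")
    if elem is None:
        return event_source_address
    if elem.get("static", "false").lower() == "true":
        return (elem.text or "").strip()
    value = row.get((elem.text or "").strip())
    return value or None  # empty/NULL column leaves no usable srcid


def srcid_mismatches(typespec_root, rows, event_source_address):
    """Rows whose lc.srcid would differ from the event source IP.

    This is what the RDQ analysis found: events tagged with endpoint
    addresses, so they are not found under the ePO device in the Concentrator.
    """
    mismatches = []
    for row in rows:
        srcid = resolve_lc_srcid(typespec_root, row, event_source_address)
        if srcid != event_source_address:
            mismatches.append((row["ReceivedUTC"], srcid))
    return mismatches


def remove_address_column(xml_text):
    """Steps c and d: drop every <addressColumn> element; returns (new_xml, count)."""
    root = ET.fromstring(xml_text)
    targets = [(parent, child) for parent in root.iter()
               for child in parent if child.tag == "addressColumn"]
    for parent, child in targets:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(targets)


def patch_typespec_file(path):
    """Back the typespec up to <path>.bak, then rewrite it without addressColumn."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_xml, count = remove_address_column(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    return count


if __name__ == "__main__":
    before = parse_typespec(TYPESPEC_XML)
    print("mismatches before fix:", srcid_mismatches(before, SAMPLE_ROWS, EPO_SERVER))
    fixed_xml, n = remove_address_column(TYPESPEC_XML)
    print(f"removed {n} addressColumn element(s)")
    print("mismatches after fix:",
          srcid_mismatches(parse_typespec(fixed_xml), SAMPLE_ROWS, EPO_SERVER))
```

Before the fix every constructed row mismatches, and the row with an empty AnalyzerIPV4 has no usable lc.srcid at all; after remove_address_column() all rows resolve to the event source address, which matches the observation that the logs appear under the McAfee event source once the element is gone. patch_typespec_file() is the file-level equivalent of steps c and d for use on the VLC; the ODBC collection and Log Collector service restart from step e still has to be done by hand.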