000034802 - Not able to see McAfee ePolicy logs in Log Decoder even if VLC shows "events processed" in RSA Security Analytics

Document created by RSA Customer Support Employee on Mar 16, 2017
Version 1

Article Content

Article Number: 000034802
Applies To: RSA Product Set: NetWitness
RSA Product/Service Type: Log Collector, Log Decoder
RSA Version/Condition: 10.4 and above
Platform: CentOS
Issue
McAfee ePO is integrated with the VLC (Virtual Log Collector), and the VLC logs show that events are being published. However, the events cannot be seen when navigating the Concentrator in the UI.
Neither the VLC nor the LD (Log Decoder) shows any errors relevant to this event source.
/var/log/messages from VLC:-
Oct 24 04:27:04 PDMVIVLC NwLogCollector[25732]: [OdbcCollection] [info] [odbc:WrkUnit[1]:25760] [publishEvents:481] [epolicyvirus4_5.ePO][processing] [ePO] [processing] Published 208 ODBC events: last tracking id: 2016-10-24 04:26:53.333

Oct 24 04:51:16 PDMVIVLC NwLogCollector[25732]: [OdbcCollection] [info] [odbc:WrkUnit[2]:25761] [publishEvents:481] [epolicyvirus4_5.ePO][processing] [ePO] [processing] Published 142 ODBC events: last tracking id: 2016-10-24 04:51:01.350
Oct 24 05:03:22 PDMVIVLC NwLogCollector[25732]: [OdbcCollection] [info] [odbc:WrkGrp[1]:25759] [createWorkUnit:139] [epolicyvirus4_5.ePO] [idle] Creating work unit for ODBC Collection
Oct 24 05:12:28 PDMVIVLC NwLogCollector[25732]: [OdbcCollection] [info] [odbc:WrkGrp[1]:25759] [createWorkUnit:139] [epolicyvirus4_5.ePO] [idle] Creating work unit for ODBC Collection

/var/log/messages from LD:-
Oct 24 06:53:18 PDMGSDGZ1 NwLogCollector[31268]: [LogdecoderProcessor] [info] [queue.odbc] [processing] [Receiver WorkUnit] [processing] LogDecoderProcessorWorkUnit completed. Published 381 events in 3 messages (average 6487 bytes/message) from queue LogDecoder.logdecoder.odbc at location 127.0.0.1:5671. Processing was aborted: N0
The typespec file needed modification (removal of the addressColumn entry).
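The two /var/log/messages excerpts above are the only evidence the case starts with: the VLC says how many ODBC events it published per work unit, and the LD says how many events it pulled off the odbc queue. The following script is an added example (not part of this article or of the NetWitness product) that parses both line formats exactly as they appear above, totals the counts per event source and per queue, records the last tracking id, and flags any LD run whose "Processing was aborted" value is not the N0 seen on a clean run. The log text embedded in the block is copied from this article's excerpts.

```python
import re
from collections import defaultdict

# Log excerpts copied from the article's Issue section (VLC first, then Log Decoder).
VLC_LOG = """\
Oct 24 04:27:04 PDMVIVLC NwLogCollector[25732]: [OdbcCollection] [info] [odbc:WrkUnit[1]:25760] [publishEvents:481] [epolicyvirus4_5.ePO][processing] [ePO] [processing] Published 208 ODBC events: last tracking id: 2016-10-24 04:26:53.333
Oct 24 04:51:16 PDMVIVLC NwLogCollector[25732]: [OdbcCollection] [info] [odbc:WrkUnit[2]:25761] [publishEvents:481] [epolicyvirus4_5.ePO][processing] [ePO] [processing] Published 142 ODBC events: last tracking id: 2016-10-24 04:51:01.350
Oct 24 05:03:22 PDMVIVLC NwLogCollector[25732]: [OdbcCollection] [info] [odbc:WrkGrp[1]:25759] [createWorkUnit:139] [epolicyvirus4_5.ePO] [idle] Creating work unit for ODBC Collection
"""

LD_LOG = """\
Oct 24 06:53:18 PDMGSDGZ1 NwLogCollector[31268]: [LogdecoderProcessor] [info] [queue.odbc] [processing] [Receiver WorkUnit] [processing] LogDecoderProcessorWorkUnit completed. Published 381 events in 3 messages (average 6487 bytes/message) from queue LogDecoder.logdecoder.odbc at location 127.0.0.1:5671. Processing was aborted: N0
"""

# VLC publish line: event source name follows the [publishEvents:NNN] tag.
VLC_PUBLISH = re.compile(
    r"\[publishEvents:\d+\] \[(?P<source>[^\]]+)\].*?"
    r"Published (?P<count>\d+) ODBC events: last tracking id: (?P<tid>\S+ \S+)$"
)
# LD receive line: events, AMQP messages, queue name, and the abort marker at the end.
LD_PUBLISH = re.compile(
    r"Published (?P<count>\d+) events in (?P<msgs>\d+) messages .*? "
    r"from queue (?P<queue>\S+) at location (?P<loc>\S+)\. "
    r"Processing was aborted: (?P<aborted>\S+)$"
)


def vlc_published(text):
    """Per event source: total ODBC events the VLC published and the last tracking id seen."""
    totals = defaultdict(lambda: {"events": 0, "last_tracking_id": None})
    for line in text.splitlines():
        m = VLC_PUBLISH.search(line)
        if not m:
            continue  # idle / createWorkUnit lines carry no counts
        rec = totals[m.group("source")]
        rec["events"] += int(m.group("count"))
        rec["last_tracking_id"] = m.group("tid")
    return dict(totals)


def ld_received(text):
    """Per queue: events and messages the Log Decoder reports, plus any aborted runs."""
    totals = defaultdict(lambda: {"events": 0, "messages": 0, "aborted_runs": 0})
    for line in text.splitlines():
        m = LD_PUBLISH.search(line)
        if not m:
            continue
        rec = totals[m.group("queue")]
        rec["events"] += int(m.group("count"))
        rec["messages"] += int(m.group("msgs"))
        # "N0" is the value the article shows for a clean run; anything else gets counted.
        if m.group("aborted") != "N0":
            rec["aborted_runs"] += 1
    return dict(totals)


def compare(vlc_text, ld_text):
    """Sum what the VLC says it published against what the LD says it took off the odbc queue."""
    sent = sum(r["events"] for r in vlc_published(vlc_text).values())
    ld = ld_received(ld_text)
    received = sum(r["events"] for q, r in ld.items() if q.endswith(".odbc"))
    return {"vlc_published": sent, "ld_received": received, "gap": sent - received}


if __name__ == "__main__":
    print(vlc_published(VLC_LOG))
    print(ld_received(LD_LOG))
    print(compare(VLC_LOG, LD_LOG))
```

On a live system, run both parsers over the same time window (the article's excerpts are two hours apart, so the gap they produce is meaningless on its own). A VLC total that keeps growing while the LD total stays flat points at the transport between the two (RDQs piling up, as the pre-requisites below check); matching totals with nothing visible in the Concentrator points instead at parsing or at the source IP the events carry, which is what the resolution in this article turned out to be.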

Tasks
Pre-requisites:-
- Verify that the logs are not landing under another device type or under "Unknown" when navigating the Concentrator.
- Verify that the test connection succeeds in the event source configuration.
- Verify with the customer whether a customized typespec file is in use.
- Make sure the Concentrator does not have a large session-behind count.
- Check that all queues are healthy, with no stuck RDQs:
#rabbitmqctl list_queues -p logcollection consumers name messages
- Try integrating McAfee ePO with a Local Collector instead of the Virtual Log Collector to test whether the logs become visible when navigating the Concentrator.
- Verify whether RDQs are being generated at the VLC by stopping rabbitmq-server on the LD, so that RDQs pile up in the VLC ODBC queue under:
#/var/lib/rabbitmq/mnesia/sa@localhost/msg_store_persistent
Resolution
Steps followed to resolve this issue:-
- Collect the RDQs that have piled up on the VLC in the msg_store_persistent directory.
- Extract the RDQs with the NwEventReader tool as described in the following article:-
https://community.rsa.com/docs/DOC-67158
- While analyzing the RDQ, note that lc.srcid does not show the actual event source IP.
- Consider this statement from the functional spec guide: "If the addressColumn entry is specified in the typespec definition, the value under this column gets populated in the collection meta-data with the lc.srcid tag. If the typespec definition indicates that the field is "static", then the specified static value is used."
a. SSH to the VLC.
b. The typespec file is located at:
#/etc/netwitness/ng/logcollection/content/collection/odbc/epolicyvirus4_5.xml
c. Edit this file and search for <addressColumn>AnalyzerIPV4</addressColumn>
d. Remove that parameter from the typespec file.
e. Restart the ODBC collection and the Log Collector service.
- Observe the changes for some time; all logs from the McAfee event source should then become visible.
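Steps b to d edit a product XML file by hand, and the pre-requisites ask whether a customized typespec is in use, so it helps to have a repeatable way to list and remove addressColumn entries with a backup taken first. The script below is an added example, not part of this article or of the NetWitness product: only the element name addressColumn and the AnalyzerIPV4 value come from the article; the surrounding <typespec>, <name> and <description> elements in the embedded sample are constructed for illustration and do not mirror the real epolicyvirus4_5.xml layout. The path argument to patch_typespec_file is also the caller's choice.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed minimal typespec-like document. Only <addressColumn>AnalyzerIPV4</addressColumn>
# is taken from the article; the other elements are assumptions made for this example.
SAMPLE_TYPESPEC = """\
<typespec>
  <name>epolicyvirus4_5</name>
  <description>constructed sample, not the real file</description>
  <addressColumn>AnalyzerIPV4</addressColumn>
</typespec>
"""


def address_columns(xml_text):
    """Return the values of every <addressColumn> element, wherever it sits in the tree."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter("addressColumn")]


def strip_address_columns(xml_text):
    """Remove every <addressColumn> element; return (new_xml, number_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    # ElementTree has no parent links, so walk each parent and drop matching children.
    for parent in root.iter():
        for child in list(parent):
            if child.tag == "addressColumn":
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def patch_typespec_file(path):
    """Back up the file as <path>.bak, then strip addressColumn entries in place.

    Returns (number_removed, backup_path). The file is left untouched when nothing matched.
    """
    path = Path(path)
    backup = Path(str(path) + ".bak")
    shutil.copy2(path, backup)
    new_xml, removed = strip_address_columns(path.read_text())
    if removed:
        path.write_text(new_xml)
    return removed, backup


if __name__ == "__main__":
    print("before:", address_columns(SAMPLE_TYPESPEC))
    new_xml, n = strip_address_columns(SAMPLE_TYPESPEC)
    print("removed:", n)
    print("after:", address_columns(new_xml))
```

Run address_columns against the live file first: if it returns an empty list, the typespec in use is not the one the article describes and step d does not apply. After patching, keep the .bak copy until the restarted collection has been observed for a while, since the same element is what populates lc.srcid for any other ODBC source using that typespec.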
