This topic highlights possible problems that you may encounter with Windows Legacy Collection (LWC) and suggested solutions to these problems.
Troubleshoot Windows Legacy and NetApp Collection Issues
In general, you receive more robust log messages by disabling SSL.
Protocol Restart Problems
|You restart the Legacy Windows collection protocol, but Security Analytics is not receiving events.||The logcollector service is stopped.||Restart the logcollector service. |
If you see any of the following messages in the MessageBroker.log, you may have issues.
|Log Messages||Any message that contains "rabbitmq"|
|Possible Cause||RabbitMQ service may not be running.|
Port 5671 may not be opened.
|Solutions||Make sure that the RabbitMQ service is running.|
Make sure that port 5671 is open.
|Log Messages||Error: Adding logcollector user account.|
Error: Adding administrator tag to logcollector account.
Error: Adding Adding logcollection vhost.
Error: Setting permissions to logcollector account in all vhosts.
|Possible Cause||rabbitmq-server was not running when installer tried to create users and vhosts.|
|Solutions||Make sure that the RabbitMQ service is running and run below commands manually.|
rabbitmqctl -q add_user logcollector netwitness
rabbitmqctl -q set_user_tags logcollector administrator
rabbitmqctl -q add_vhost logcollection
rabbitmqctl -q set_permissions -p / logcollector ".*" ".*" ".*"
rabbitmqctl -q set_permissions -p logcollection logcollector ".*" ".*" ".*"
Windows Legacy Federation Script Issues
If you see any of the following messages in the federation script log, you may have issues.
Federation script started, but the LWC service went down.
|Security Analytics log shows connection failure exceptions with Windows Legacy Collector.|| |
This issue is fixed automatically after restarting the Windows Legacy service.
|LWC is running, but RabbitMQ service is down or restarting.|| |
Federation log file at Windows Legacy side displays an error message about RabbitMQ service being down.
The log file to look at is:
The following error message is logged in case RabbitMQ is not running:
"Unable to connect to node logcollector@localhost: nodedown"
The following diagnostics messages are displayed:attempted to contact: [logcollector@localhost]
Run the federation.bat script manually at LWC.
Note: Make sure the log file does not show any errors while the script is being executed.
RabbitMQ service is down on Security Analytics side.
|Security Analytics User Interface pages do not work.|| |
Restart RabbitMQ service.
No Health & Wellness stats are displayed in Security Analytics User Interface.
Puppet agent is not running, or is taking a while to publish the exchanged certificates.
Restart Puppet agent, or wait a few several minutes to finish exchanging the certificates.
Customer receives a Health and Wellness notification, or the following Health and Wellness Alarm is displayed:
| || |