Windows Legacy Collection: Troubleshoot

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Jul 28, 2017.
Version 2
  

This topic highlights possible problems that you may encounter with Windows Legacy Collection (LWC) and suggested solutions to these problems.

Troubleshoot Windows Legacy and NetApp Collection Issues

In general, you receive more detailed log messages by disabling SSL. Treat this as a temporary troubleshooting step only: with SSL disabled, the AMQP traffic between the collector and Security Analytics, including the logcollector credentials, is no longer encrypted, so do it on an isolated network and re-enable SSL as soon as you have finished.

Protocol Restart Problems

Problem: You restart the Windows Legacy collection protocol, but Security Analytics is not receiving events.

Possible cause: The logcollector service is stopped.

Solution: Restart the logcollector service.
  1. Log on to the Windows Legacy Remote Collector.
  2. Go to Start > Administrative Tools > Task Scheduler and click Task Scheduler Library.
  3. In the right panel, look for the restartnwlogcollector task and make sure that it is running.
  4. If it is not, right-click restartnwlogcollector and select Run.

Installation Problems

If you see any of the following messages in MessageBroker.log, the installation did not complete cleanly.

Log messages: Any message that contains "rabbitmq".

Possible causes: The RabbitMQ service may not be running. Port 5671 may not be open.

Solutions: Make sure that the RabbitMQ service is running. Make sure that port 5671 (the TLS-protected AMQP listener that Security Analytics connects to) is open.

Log messages:
  Error: Adding logcollector user account.
  Error: Adding administrator tag to logcollector account.
  Error: Adding logcollection vhost.
  Error: Setting permissions to logcollector account in all vhosts.

Possible cause: rabbitmq-server was not running when the installer tried to create users and vhosts.

Solutions: Make sure that the RabbitMQ service is running, then run the following commands manually:

  rabbitmqctl -q add_user logcollector netwitness
  rabbitmqctl -q set_user_tags logcollector administrator
  rabbitmqctl -q add_vhost logcollection
  rabbitmqctl -q set_permissions -p / logcollector ".*" ".*" ".*"
  rabbitmqctl -q set_permissions -p logcollection logcollector ".*" ".*" ".*"

Note: The password given to add_user must match the one Security Analytics is configured to use for this collector. The administrator tag gives the logcollector account full control of the broker, so restrict access to port 5671 to the Security Analytics host.
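The following PowerShell script is an added example that automates the checks in the Protocol Restart Problems and Installation Problems tables above; it is not part of the RSA documentation or of the Windows Legacy Collection product. It assumes (none of which the page states) that the RabbitMQ Windows service is named "RabbitMQ", that rabbitmqctl is on the PATH, and that MessageBroker.log is under C:\NetWitness\ng\logcollector. Adjust those defaults to your installation and run it in an elevated PowerShell session on the Windows Legacy Remote Collector.

```powershell
# Added example, not RSA's code. Assumed names/paths are marked below.

function Test-LwcRestartTask {
    # Protocol Restart Problems: the restartnwlogcollector scheduled task should be
    # running; if it is not, start it (same as right-click > Run in Task Scheduler).
    $task = Get-ScheduledTask -TaskName 'restartnwlogcollector' -ErrorAction SilentlyContinue
    if (-not $task) {
        Write-Warning 'Scheduled task restartnwlogcollector not found'
        return $false
    }
    if ($task.State -ne 'Running') {
        Write-Warning "restartnwlogcollector is $($task.State); starting it"
        Start-ScheduledTask -TaskName 'restartnwlogcollector'
    }
    return $true
}

function Test-LwcRabbitMq {
    param(
        [string]$ServiceName = 'RabbitMQ',   # assumed service name
        [int]$Port = 5671                    # TLS AMQP listener Security Analytics connects to
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "Service $ServiceName is not running"
        return $false
    }
    # A local listener on 5671 proves the broker is up; it does not prove the host
    # firewall lets Security Analytics reach it, so check the firewall rules as well.
    $tcp = Test-NetConnection -ComputerName 'localhost' -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "Nothing is listening on TCP port $Port"
        return $false
    }
    return $true
}

function Get-LwcInstallErrors {
    # Installation Problems: pull the message patterns listed in the table out of MessageBroker.log.
    param([string]$LogPath = 'C:\NetWitness\ng\logcollector\MessageBroker.log')  # assumed path
    if (-not (Test-Path $LogPath)) {
        Write-Warning "Log file not found: $LogPath"
        return @()
    }
    $patterns = @(
        'rabbitmq',
        'Error: Adding logcollector user account',
        'Error: Adding administrator tag to logcollector account',
        'Error: Adding logcollection vhost',
        'Error: Setting permissions to logcollector account'
    )
    Select-String -Path $LogPath -Pattern $patterns -SimpleMatch
}

function Repair-LwcRabbitMqAccount {
    # Re-runs the rabbitmqctl commands from the table, skipping objects that already
    # exist. The password must be the one Security Analytics uses for this collector.
    param([Parameter(Mandatory)][string]$Password)
    $existingUsers = & rabbitmqctl -q list_users
    if ($existingUsers -match '^logcollector\s') {
        Write-Verbose 'logcollector user already exists; skipping add_user'
    } else {
        & rabbitmqctl -q add_user logcollector $Password
    }
    & rabbitmqctl -q set_user_tags logcollector administrator
    if (-not ((& rabbitmqctl -q list_vhosts) -contains 'logcollection')) {
        & rabbitmqctl -q add_vhost logcollection
    }
    & rabbitmqctl -q set_permissions -p / logcollector '.*' '.*' '.*'
    & rabbitmqctl -q set_permissions -p logcollection logcollector '.*' '.*' '.*'
}

# Usage
$brokerOk = Test-LwcRabbitMq
$taskOk   = Test-LwcRestartTask
$errors   = Get-LwcInstallErrors
$errors | ForEach-Object { "MessageBroker.log:$($_.LineNumber): $($_.Line)" }
if ($brokerOk -and $errors) {
    # Only attempt the repair once the broker is actually up, otherwise rabbitmqctl
    # fails the same way the installer did.
    Repair-LwcRabbitMqAccount -Password (Read-Host -Prompt 'logcollector password')
}
```

The repair function prompts for the password instead of embedding the documented default, so the value does not end up in shell history or in a script checked into a repository.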

Windows Legacy Federation Script Issues

If you see any of the following messages in the federation script log, federation with Security Analytics may not have completed.

Problem: Federation script started, but the LWC service went down.

Possible symptoms: The Security Analytics log shows connection failure exceptions with the Windows Legacy Collector.

Solution: This issue is fixed automatically after restarting the Windows Legacy service.

Problem: LWC is running, but the RabbitMQ service is down or restarting.

Possible symptoms: The federation log file on the Windows Legacy side displays an error message about the RabbitMQ service being down.

The log files are in:
  C:\NetWitness\ng\logcollector

The following error message is logged when RabbitMQ is not running:

  "Unable to connect to node logcollector@localhost: nodedown"

The following diagnostics messages are displayed:

  attempted to contact: [logcollector@localhost]

  logcollector@localhost:
    * connected to epmd (port 4369) on localhost
    * epmd reports: node 'logcollector' not running at all
                    other nodes on localhost: ['rabbitmqctl-4084']
    * suggestion: start the node

Solution: Run the federate.bat script manually on the LWC. To run the federate.bat script manually, perform the following steps:

  1. Go to the folder C:\Program Files\NwLogCollector where the Windows Legacy instance is installed.
  2. Locate the file federate.bat in this folder, select it and right-click.
  3. Select Run as Administrator.
  4. To monitor the log file, open C:\NetWitness\ng\logcollector\federate.log while the federate.bat script is running.

Note: Make sure the log file does not show any errors while the script is being executed.

Problem: RabbitMQ service is down on the Security Analytics side.

Possible symptoms: Security Analytics User Interface pages do not work.

Solution: Restart the RabbitMQ service.

Problem: No Health & Wellness stats are displayed in the Security Analytics User Interface.

Possible cause: The Puppet agent is not running, or is taking a while to publish the exchanged certificates.

Solution: Restart the Puppet agent, or wait several minutes for the certificate exchange to finish.

Problem: You receive a Health and Wellness notification, or the following Health and Wellness alarm is displayed: "Communication failure between Master Security Analytics Host and a Remote Host" with the LWC host as the remote IP.

Possible causes:
  1. The federate.bat script failed to run successfully.
  2. The Puppet agent has not run since the federate.bat script ran successfully.

Solutions:
  1. If the federate.bat script did not run correctly, run it manually as described above.
  2. If the federate.bat script ran correctly but the Puppet agent has not performed its scheduled run, run the Puppet agent manually with the following command on your Security Analytics server:
     puppet agent -t
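The following PowerShell script is an added example of the manual federation procedure in the table above (steps 1 to 4 and the note that follows them); it is not part of the RSA documentation or of the product. It first checks that the local RabbitMQ node answers, so that the "nodedown" failure described in the table is caught before federate.bat runs, then runs federate.bat elevated and reports any error lines that this run appended to federate.log. It assumes that rabbitmqctl is on the PATH, that the node name is logcollector@localhost (taken from the diagnostic output in the table), and that the install and log paths are the defaults the table gives.

```powershell
# Added example, not RSA's code. Run from an elevated PowerShell prompt on the LWC host.

function Test-LwcRabbitNode {
    param([string]$Node = 'logcollector@localhost')   # node name from the diagnostic output
    # "Unable to connect to node ...: nodedown" is reported by rabbitmqctl with a
    # non-zero exit code, so the exit code alone tells us whether the node is up.
    $null = & rabbitmqctl -q -n $Node status 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Invoke-LwcFederate {
    param(
        [string]$InstallDir = 'C:\Program Files\NwLogCollector',           # default from the table
        [string]$LogPath = 'C:\NetWitness\ng\logcollector\federate.log'   # default from the table
    )
    $bat = Join-Path $InstallDir 'federate.bat'
    if (-not (Test-Path $bat)) { throw "federate.bat not found in $InstallDir" }
    if (-not (Test-LwcRabbitNode)) {
        throw 'RabbitMQ node is down; start the RabbitMQ service before federating'
    }

    # Remember how long the log is now so that only lines written by this run are inspected.
    $before = if (Test-Path $LogPath) { @(Get-Content $LogPath).Count } else { 0 }

    # Equivalent of right-click > Run as Administrator; -Wait returns when the script exits.
    $proc = Start-Process -FilePath $bat -Verb RunAs -Wait -PassThru

    $newLines = @()
    if (Test-Path $LogPath) {
        $newLines = @(Get-Content $LogPath | Select-Object -Skip $before)
    }
    # -match is case-insensitive in PowerShell; "nodedown" is the message the table shows.
    $errorLines = @($newLines | Where-Object { $_ -match 'error|exception|nodedown|fail' })

    [pscustomobject]@{
        ExitCode   = $proc.ExitCode
        LinesAdded = $newLines.Count
        ErrorLines = $errorLines
        Succeeded  = ($proc.ExitCode -eq 0 -and $errorLines.Count -eq 0)
    }
}

# Usage
$federateLog = 'C:\NetWitness\ng\logcollector\federate.log'
$result = Invoke-LwcFederate -LogPath $federateLog
$result.ErrorLines | ForEach-Object { Write-Warning $_ }
if ($result.Succeeded) {
    'federate.bat completed without errors; if the Health and Wellness alarm persists, run "puppet agent -t" on the Security Analytics server'
} else {
    "federate.bat exited with code $($result.ExitCode) and $($result.ErrorLines.Count) error line(s); see $federateLog"
}
```

To watch the log live while the script runs, as step 4 describes, open a second PowerShell window and run Get-Content on federate.log with -Wait -Tail 0; the function above only reads the log after federate.bat has exited.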