
ESM: Duplicate Log Messages

Document created by RSA Information Design and Development Employee on Sep 6, 2017. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 20

You may be collecting messages from the same event source on two or more Log Collectors. This topic describes the problem and how to troubleshoot it.


If the ESM aggregator detects the same events for the same event source on multiple Log Collectors, you receive a warning similar to the following:

2015-03-17 15:25:29,221 [pool-1-thread-6] WARN - had a previous event only 0 seconds ago; likely because it exists on multiple log collectors

This warning message means the event source is being collected by multiple hosts. You can see the list of hosts in the Log Collector column in the Manage tab in the Administration > Event Sources view.

Clean Up Duplicate Messages

  1. Stop collectd on NetWitness Platform and Log Decoders:

    service collectd stop

  2. Remove the ESM Aggregator persisted file on NetWitness Platform:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.
    1. Navigate to the Log Decoder REST, at http://<LD_IP_Address>:50102.
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel from the Event Sources Manage tab, select all event sources and then click - to remove them.
  5. Start the collectd service:

    service collectd start
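To confirm the cleanup worked, check that the warning stops appearing once collectd has been restarted. The script below is an added example, not RSA code: the function names are hypothetical, the log file path is passed as an argument because this page does not name the file, and the sample lines are constructed in the format of the warning shown above.

```shell
#!/bin/sh
# Added example, not RSA code. Sample lines are constructed from the warning
# shown on this page; the log path is an argument (the page does not name it).

# dup_warnings FILE [SINCE]
# Print "count first last" for duplicate-collection warnings stamped at or
# after SINCE ("YYYY-MM-DD HH:MM:SS"); with no SINCE, count all of them.
dup_warnings() {
    awk -v since="${2:-}" '
        / WARN / && /exists on multiple log collectors/ {
            ts = $1 " " $2
            sub(/,[0-9]+$/, "", ts)    # drop the ",221" milliseconds
            if (ts < since) next       # these timestamps sort as plain strings
            if (n++ == 0) first = ts
            last = ts
        }
        END {
            if (n) printf "%d %s %s\n", n, first, last
            else   print "0 - -"
        }
    ' "$1"
}

# cleanup_verified FILE RESTART_TIME
# Succeeds only if no duplicate warning was logged at or after RESTART_TIME.
cleanup_verified() {
    [ "$(dup_warnings "$1" "$2" | cut -d' ' -f1)" -eq 0 ]
}

# Constructed sample log in the format of the warning above.
sample_log() {
    cat <<'EOF'
2015-03-17 15:25:29,221 [pool-1-thread-6] WARN - had a previous event only 0 seconds ago; likely because it exists on multiple log collectors
2015-03-17 15:26:01,007 [pool-1-thread-2] INFO - constructed unrelated line
2015-03-17 15:40:12,530 [pool-1-thread-6] WARN - had a previous event only 0 seconds ago; likely because it exists on multiple log collectors
2015-03-17 16:05:00,000 [pool-1-thread-3] WARN - constructed unrelated warning
EOF
}

# Demo on the constructed sample, treating 16:00:00 as the collectd restart time.
log=$(mktemp)
sample_log > "$log"
dup_warnings "$log"
if cleanup_verified "$log" "2015-03-17 16:00:00"; then
    echo "no duplicate warnings since restart"
else
    echo "duplicates still being logged"
fi
rm -f "$log"
```

If the warning is still logged after the restart time, the event source is still configured on more than one Log Collector.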
