Log Collection: Troubleshoot

Document created by RSA Information Design and Development on Sep 11, 2017Last modified by RSA Information Design and Development on Jul 9, 2019
Version 14Show Document
  • Comment0
  • View in full screen mode
 

This topic describes the format and content of Log Collection Troubleshooting. NetWitness Platform informs you of Log Collector problems or potential problems in the following two ways.

  • Log files.
  • Health and Wellness Monitoring views.

Junk Syslog Messages

The remote log collector has been made looser in regards to how it handles syslog messages. This was done to reduce the number of dropped messages due to missing parts of the header, or for other minor formatting errors. However, this might also allow syslog event messages that contain junk to get through the parser. If you see such messages in the system, you can add a syslog collection filter to remove events that are sending these messages.

Log Files

If you have an issue with a particular event source collection protocol, you can review debug logs to investigate this issue. Each event source has a Debug parameter that you can enable (set parameter to On or Verbose) to capture these logs.

Caution:  Only enable debugging if you have a problem with this event source and you need to investigate this problem. If you have Debug enabled all the time it will adversely affect the performance of the Log Collector.

Health and Wellness Monitoring

Health and Wellness monitoring makes you aware of potential hardware and software problems in a timely manner so that you can avoid to outages. RSA recommends that you monitor the Log Collector statistical fields to make sure that the service is operating efficiently and is not at or near the maximum values you have configured. You can monitor the following statistics (Stats) described in the Admin > Health & Wellness view.

Sample Troubleshooting Format

RSA NetWitness Platform returns the following types of error messages in the log files for.

                 

Log Messages

timestamp failure (LogCollection) Message-Broker Statistics:...

timestamp failure (AMQPClientBaseLogCollection):...
timestamp failure (MessageBrokerLogReceiver):...

Possible Cause

The Log Collector cannot reach the Message Broker because the Message Broker:

  • has stopped running

  • has erroneous connection settings

Solutions
  1. <use the="the" systemctl="systemctl" command="command" on="on" console="console" to="to" check="check" status="status" of="of" message="message" broker="broker" shell="shell" console.="console.">returns the following if the message broker is not running:</use>

            prompt$ systemctl status rabbitmq-server

            rabbitmq start/running, process 10916

  1. Start the RabbitMQ Message Broker on event-broker node in the Explore view:

    Example shows starting the RabbitMQ Message Broker on the event broker node in the Explore view.

Log Collector DNS

Make sure that the log collector is configured as a DNS client for the corporate DNS server. Otherwise, the Log Collector will not know how to find the Kerberos Realm.

Check if DNS is configured, if not perform the following steps:

  1. Add the DNS server addresses (“nameserver x.x.x.x” entries) in /etc/netwitness/platform/resolv.dnsmasq.

  2. Restart the dnsmasq service using the following command:

    systemctl restart dnsmasq

  3. Verify the capability to reach external systems via a hostname.

Previous Topic:Settings Tab
You are here
Table of Contents > Log Collection: Troubleshoot

Attachments

    Outcomes

      Visibility: RSA NetWitness Platform Online Documentation1187 Views
      Last modified on Jul 9, 2019 2:12 PM
      Tags:
      Ratings: