000036318 - Log Collector fails to collect any AWS CloudTrail logs in RSA Security Analytics

Document created by RSA Customer Support Employee on May 4, 2018

Article Content

Article Number: 000036318
Applies To: RSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x
Platform: CentOS 6
Issue: After the AWS CloudTrail event source has been added successfully as described in the configuration guide, the Log Collector does not collect any logs from it.

The failure message below is logged in the /var/log/messages file. (The failure is only logged if the event source is enabled.)

Apr 10 06:19:24 AWSCOLLECTOR NwLogCollector[21043]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[1]:21057] [onLog:764] [cloudtrail.awscloudtrail] [processing] [WorkUnit] [processing] Error (1) from chcon -R -u system_u -r object_r -t sandbox_net_client_tmpfs_t -l s0 /var/netwitness/logcollector/scriptUpload/cloudtrail


Running the command manually returns an error on 'chcon' as shown below.


[root@AWSCOLLECTOR ~]# chcon -R -u system_u -r object_r -t sandbox_net_client_tmpfs_t -l s0 /var/netwitness/logcollector/scriptUpload/cloudtrail
chcon: can't apply partial context to unlabeled file `awscloudtrail'


Cause: The chcon error occurs when SELinux is set to disabled. With SELinux off, the files the collector creates under the scriptUpload directory carry no SELinux label, so chcon cannot apply a partial context to them and exits with an error.
Run getenforce to confirm the current SELinux mode.
Resolution: Change the SELinux mode to enforcing, which is the default setting, by editing /etc/selinux/config.
FROM

SELINUX=disabled

TO

SELINUX=enforcing

Reboot the Log Collector for the change to take effect, then confirm that logs are being collected from the AWS event source.
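The check and the config change above, as an added shell example that is not part of the RSA article: it counts the NwLogCollector chcon failure signature in a messages file, reports the configured and runtime SELinux modes, and rewrites SELINUX=... to enforcing. The failure line in SAMPLE_MESSAGES is the one quoted in the article; the two lines around it are constructed. The function names and the --fix argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the RSA article): detect the Log Collector chcon
# failure and check/fix the SELinux mode that causes it on a CentOS 6 collector.
set -eu

# Constructed sample of /var/log/messages: the failure line quoted in the
# article, surrounded by two unrelated (constructed) lines.
SAMPLE_MESSAGES='Apr 10 06:19:20 AWSCOLLECTOR NwLogCollector[21043]: [CmdScriptCollection] [info] starting cloudtrail.awscloudtrail
Apr 10 06:19:24 AWSCOLLECTOR NwLogCollector[21043]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[1]:21057] [onLog:764] [cloudtrail.awscloudtrail] [processing] [WorkUnit] [processing] Error (1) from chcon -R -u system_u -r object_r -t sandbox_net_client_tmpfs_t -l s0 /var/netwitness/logcollector/scriptUpload/cloudtrail
Apr 10 06:19:30 AWSCOLLECTOR sshd[2001]: Accepted publickey for root from 10.0.0.5'

# Count lines matching either the collector's failure message or the
# error chcon prints when run by hand. Prints 0 (and succeeds) on no match.
count_chcon_failures() {
    grep -cE 'Error \(1\) from chcon|can.t apply partial context to unlabeled file' "$1" || true
}

# Read the SELINUX= value from an /etc/selinux/config-style file.
configured_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Runtime mode from getenforce; "unavailable" when the tool is not installed
# (e.g. when this script is run somewhere other than the collector).
runtime_selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unavailable
    fi
}

# Rewrite the SELINUX= line of the given config file to the requested mode.
# Returns 0 if the file was changed, 1 if it already had that mode.
set_selinux_mode() {
    cfg=$1
    mode=$2
    if [ "$(configured_selinux_mode "$cfg")" = "$mode" ]; then
        return 1
    fi
    tmp="$cfg.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage on the collector, as root:
#   sh selinux_check.sh /etc/selinux/config /var/log/messages        # report only
#   sh selinux_check.sh /etc/selinux/config /var/log/messages --fix  # also rewrite config
selinux_check_main() {
    cfg=${1:-/etc/selinux/config}
    log=${2:-/var/log/messages}
    action=${3:-}
    echo "chcon failures in $log: $(count_chcon_failures "$log")"
    echo "configured mode: $(configured_selinux_mode "$cfg")"
    echo "runtime mode:    $(runtime_selinux_mode)"
    if [ "$action" = "--fix" ]; then
        if set_selinux_mode "$cfg" enforcing; then
            echo "rewrote $cfg: SELINUX=enforcing; reboot the Log Collector to apply"
        else
            echo "$cfg already set to enforcing; nothing changed"
        fi
    fi
}

# Only run when invoked with arguments, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then
    selinux_check_main "$@"
fi
```

The script rewrites only the SELINUX= line and leaves SELINUXTYPE and comments untouched, and it never edits the real config unless --fix is given. One caveat from outside the article: the chcon message itself shows the collector's files were created unlabeled while SELinux was off, so on CentOS 6 the usual practice when going from disabled back to enforcing is to request a filesystem relabel on the next boot (touch /.autorelabel) so that every existing file receives a label.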
