000036329 - RSA NetWitness Logs & Network: Error "Response returned with status code: 404 Response: {"error":"Object Not - - Found","reason":"\"Not Found\"\n"}" while adding destination on virtual log collector in RSA Security Analytics

Document created by RSA Customer Support Employee on May 22, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036329
Applies ToRSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.4 and above
IssueTried adding the destination in Virtual log collector through both config view and explore view. However, it failed with below error:-

failed to add destination for "localcollector": "HttpOps: 127.0.0.1:15671/api/nw/shovel/destinations/localcollector:GET:
Response returned with status code: 404 Response: {"error":"Object Not - - Found","reason":"\"Not Found\"\n"}"
CauseThe issue occurs after upgrading the system to 10.6.4 and above. Found that nw_admin-10.6.4.x.ez is missing under the directory #/opt/netwitness. Occurs due to the Symlink wasn't updated for the nw_admin plugin and was still pointing to older /opt/netwitness/nw_admin-10.6.x.x.ez
User-added image

User-added image
ResolutionPlease open the SSH to log collector and execute below commands:-
#rm /usr/lib/rabbitmq/lib/rabbitmq_server-3.5.7/plugins/nw_admin.ez 
#ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.5.7/plugins/nw_admin.ez /opt/netwitness/nw_admin-10.6.4.2.ez 

Note: nw_admin-10.6.4.x.ez can be changed as per the version log collector is currently running on.
#service rabbitmq-server restart 
#restart nwlogcollector

This will remove the Symlink and create a new one from /usr/lib/rabbitmq/lib/rabbitmq_server-3.5.7/plugins/nw_admin.ez to /opt/netwitness/nw_admin-10.6.4.x.ez.

Attachments

    Outcomes