000036945 - DNS no longer resolves short name for event sources after RSA NetWitness Logs and Network 11.2 upgrade causing logon failure to these sources

Document created by RSA Customer Support Employee on Nov 12, 2018. Last modified by RSA Customer Support Employee on Nov 16, 2018.
Version 2

Article Content

Article Number: 000036945
Applies To:
RSA Product Set: NetWitness Logs and Network
RSA Product/Service Type: NetWitness Logs and Network
RSA Version/Condition: 11.2
Issue: Active Directory failing to connect to event sources after 11.2 upgrade.

When the 11.2 upgrade completes, it moves the contents of /etc/resolv.conf to /etc/netwitness/platform/, and the UI server (Node-Zero) starts acting as a DNS proxy server. On all other devices, /etc/resolv.conf now points to Node-Zero as the DNS server.

Cause: In version 11.2, we changed the architecture to make Node-Zero a DNS proxy server. Currently, the DNS proxy does not resolve short names.
Resolution: To resolve this issue, replace /etc/resolv.conf with the correct information, which can be found on Node-Zero in /etc/netwitness/platform:

1. mv /etc/resolv.conf /etc/resolv.conf_old
2. cp /etc/netwitness/platform/resolv.conf.dnsmasq /etc/resolv.conf
3. Use the same /etc/resolv.conf for the other devices.

Note: Log collectors will need to have the collection services restarted if using short name lookup for WinRM.

Workaround: Make sure that /etc/resolv.conf is the same across all systems. The correct one is located on the UI server (Node-Zero) in /etc/netwitness/platform. Use it as the example and place the same information on all systems.
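
The replacement steps from the Resolution, as an added shell example that is not part of the RSA article or any RSA tooling: it refuses an empty or nameserver-less source, skips the copy when the file is already in place, and never overwrites an earlier resolv.conf_old on a re-run. The function names and the timestamped name for a second backup are assumptions; the default paths are the ones given in the article.

```shell
#!/bin/sh
# Added example, not RSA tooling. Function names are hypothetical;
# default paths are the ones given in the article.

# Print the nameserver addresses of a resolv.conf-style file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Replace dst with src, keeping the original as dst_old.
# Returns 0 on success or when dst already matches src, 1 on a bad source.
replace_resolv_conf() {
    src=${1:-/etc/netwitness/platform/resolv.conf.dnsmasq}
    dst=${2:-/etc/resolv.conf}

    [ -s "$src" ] || { echo "source missing or empty: $src" >&2; return 1; }
    [ -n "$(nameservers "$src")" ] || { echo "no nameserver lines in $src" >&2; return 1; }

    # Already applied: do nothing, so a re-run cannot clobber the backup.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0
    fi

    # Step 1: keep the original, but never overwrite an earlier backup.
    if [ -e "$dst" ]; then
        if [ -e "${dst}_old" ]; then
            mv "$dst" "${dst}_old.$(date +%Y%m%d%H%M%S)"
        else
            mv "$dst" "${dst}_old"
        fi
    fi
    # Step 2: install the copy taken from Node-Zero.
    cp "$src" "$dst"
}

# Step 3 check: succeed only if both files list the same nameservers
# in the same order (comments and other directives are ignored).
same_nameservers() {
    [ "$(nameservers "$1")" = "$(nameservers "$2")" ]
}
```

Source the file and call replace_resolv_conf as root; on devices other than Node-Zero, pass the path of the copy fetched from Node-Zero as the first argument.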