I have made an alert and I wanted to push it to the decoder, but I keep getting the error: Alert creation failed at decoder '-RSA-HP - Decoder'. Resolve the issue and try again.
Can anyone help?
It was a problem with the privilege, as it worked when I logged in from an admin account.
What version of Security Analytics are you running? And do you have the decoder set as a source in the reporting engine's configuration?
My version is 10.4.0.2, and yes, it is added as a source in the reporting engine configuration.
If you look in the logs for the decoder and reporting engine at the time of the error it should show a little more information as to why the alert creation failed. If you could provide some of those logs I might be able to assist. You may have to attempt to push the alert again to make retrieving the logs easier. You can either use the UI to pull the logs or you can go to the appliances themselves and pull them.
In the UI, just go to the logs area for the decoder and reporting engine. If you want to pull them from the appliance, you can get the /var/log/messages from the decoder and the /home/rsasoc/rsa/soc/reporting-engine/log/reporting-engine.log on the SA server.
Did you get your issue resolved? I am having the exact same issue.
It could be due to any of the reasons below; having RE logs will help to nail down the issue.
1. Decoder could be down
2. Some of the meta used in the rule might not be available in the decoder
3. Rule that is being pushed has syntax errors