This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Log Collector in DMZ getting error with SysLog

Go to solution
Anonymous
Not applicable

‎2016-08-07 08:14 PM


Hello All,

I have what I think is a Virtual Log Collector (It just says Log Collector in the config, but it's a VM and when I deployed it, it was called VLC).

I have it deployed in our DMZ to collect logs and SysLog for our DMZ systems.

After upgraded to 10.6.1 I'm getting the following error, that I'm not sure what it means. I still require SysLog collection in the DMZ, but this seems to suggest that it's not supported anymore on a log collector?

 

error.jpg

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2016-08-08 01:19 AM

Jeremy,

     In 10.6, determination of the type of collector was supposed to be automatic (note there is no longer a checkbox in the communications configuration of a Log Collector for (remote).  In some cases, if certain packages are installed on a remote collector, it will think it's a local collector and pick the wrong type.  An engineering case has already been opened on this issue, but there is a workaround for now:

Go to "explore" view on the VLC in question.  Right click on the "logcollection" folder and select 'properties'.  From the Properties drop-down menu, select "type", in the Parameters box, enter:   op=set type=RC  then click the "Send" button.

To verify the setting in the Paramters box, enter:    op=get   and click the "Send" button.  it should come back as "RC" in the "Response Output" box.

 

restart the logcollector and the error should be gone.  you should have "syslog" collection back on the logcollector.

View solution in original post

3 REPLIES 3

Go to solution
JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2016-08-08 01:19 AM

Jeremy,

     In 10.6, determination of the type of collector was supposed to be automatic (note there is no longer a checkbox in the communications configuration of a Log Collector for (remote).  In some cases, if certain packages are installed on a remote collector, it will think it's a local collector and pick the wrong type.  An engineering case has already been opened on this issue, but there is a workaround for now:

Go to "explore" view on the VLC in question.  Right click on the "logcollection" folder and select 'properties'.  From the Properties drop-down menu, select "type", in the Parameters box, enter:   op=set type=RC  then click the "Send" button.

To verify the setting in the Paramters box, enter:    op=get   and click the "Send" button.  it should come back as "RC" in the "Response Output" box.

 

restart the logcollector and the error should be gone.  you should have "syslog" collection back on the logcollector.

Go to solution
KhaledGamal
Beginner
Beginner

‎2016-08-08 03:37 AM

Hi Jeremy,

 

Sometimes after upgrading, VLCs "RC" are changed to Local collectors "LC". You can fix this by either one of the below:-

 

1st: John's solution above:-

 

Go to "explore" view on the VLC in question.  Right click on the "logcollection" folder and select 'properties'.  From the Properties drop-down menu, select "type", in the Parameters box, enter:   op=set type=RC  then click the "Send" button.

 

2nd:- From SSH session of VLC.

- Open the file "/etc/netwitness/ng/logcollection/logCollectionType"

- Change the value from LC to RC.

 

 

After following either one of the solutions you will have to restart the nwlogcollector service.

 

When you do the above, you won't find the error you mentioned in the post. In rare cases, you might not find the syslog in the collection even after doing this and not getting the error. If this happens, a re-provision of the VLC will fix the issue.

 

Hope this helps!

 

Best regards

Khaled

0 Likes

Go to solution
Anonymous
Not applicable

‎2016-08-08 06:25 PM

Thanks John and Khaled,

Changing the type parameter in the explore view fixed the issue, and I got Syslog back.

Thanks.

© 2022 RSA Security LLC or its affiliates. All rights reserved.