This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Log decoder+collector setup

RSAAdmin
Beginner
Beginner

‎2014-03-14 03:47 AM

Hello guys,

I have some brutal questions on log hybrid+collector setup

It goes like this:

1) When decoder is in non ssl mode the service is available (device system view), but I cannot add it as an event destination in virtual log collector.

2) When decoder in ssl mode it's service is not available (device system view), but I can add it as a source in destination, the logs are being sent unsuccessfully:

Failed to connect to endpoint [x.x.x.x]:6514.  Reason: No route to host

So what did I forgot to do? If it's a network problem why is decoder service unavailable in ssl mode?

Also some documents claim that log collector resides on decoder. Is this true to hybrid? Because I do not see it in installed rpms.

0 Likes
14 REPLIES 14

Anonymous
Not applicable

‎2014-03-14 03:54 AM

HI

 

Yes Log collector service is running in decoder.I am also having the Hybrid box and its working correctlyy..Log collector service runs on 50101 and decoder service runs on 50102 .if you do netstat -an | grep 50101 service you will se that.


0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-03-14 04:07 AM

Hi!

Well I thought that it should be local. But I do not have the rpm installed:

[root@salhybrid ~]# rpm -qa | grep nw

nwsupport-script-1.1-8.noarch

nwlogdecoder-10.3.2.2436-5.el6.x86_64

nwwarehouseconnector-10.3.2.2490-5.el6.x86_64

nwconcentrator-10.3.2.2436-5.el6.x86_64

nwdecodercontent-10.3.2.2436-5.el6.x86_64

nwconsole-10.3.2.2436-5.el6.x86_64

nwappliance-10.3.2.2436-5.el6.x86_64

 

And so nothing listens on the 50101:

 

[root@salhybrid ~]#netstat -an | grep 50102

tcp        0      0 0.0.0.0:50102               0.0.0.0:*                   LISTEN

...

[root@salhybrid ~]# netstat -an | grep 50101

[root@salhybrid ~]#

 

Did you have collector preinstalled? I see the collector rmp in list of live updates. Maybe my hybrid image was flawed and didn't have it installed. Do you think installing the collector rpm manually will do?

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-03-14 04:18 AM

Well .your collector service is not running then you may need to install it ..In mine case we got preconfigured.

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-03-14 05:17 AM

Can you attach your "rpm -qa" list for me to see which netwitness rpms didn't get to our box?

When ordering the box did you specify that you want a log collector service?

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-03-14 05:27 AM

nwlogcollector-10.2.5.2-1.el6.x86_64

nwlogcollectorcontent-10.2.5.2-1.noarch

 

i dindt see this packages has been installed in your hybrid box...installed it and test..in case of any query let me know.

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-03-14 06:11 AM

Well, I installed log collector content from nw repo:

Installed:

  nwlogcollectorcontent.noarch 0:10.3.0.12764-5

Complete!

 

But the logcollector install threw tons of dependencies problems:

[root@salhybrid rpm]# yum install nwlogcollector

...

Error: Package: nwlogcollector-10.3.2.13408-5.el6.x86_64 (nwupdates)

           Requires: libstdc++.so.6(GLIBCXX_3.4.9)

Error: Package: nwlogcollector-10.3.2.13408-5.el6.x86_64 (nwupdates)

           Requires: rabbitmq-server = 3.0.1

Error: Package: nwlogcollector-10.3.2.13408-5.el6.x86_64 (nwupdates)

           Requires: libgcc_s.so.1(GLIBC_2.0)

...

So I'm guessing I should turn on the default repos to solve that, but it could update the files which are already being used by other services and make them fail. Tough choice

 

Btw there was also nwlogcollectorperl-10.2.5.0-1.noarch.rpm in the sa repo.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-03-14 06:16 AM

W ell I dont have perl rpm installed. these are the two files are enough to run the collector ...

0 Likes

Anonymous
Not applicable

‎2014-03-14 09:29 AM

Hi, I have to do this on a hybrid box and the final option was to replace the box :S

The nwlogcollector-10.3.2.13408-5.el6.x86_64 requires glibc-2.12x and the one in the original box is 1.0.7 i think

 

Just ask the support for the logCollector install script to install it.

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-03-14 09:50 AM

Hi!

Wow! That is definitely not an option here. Why not to do a reimage?

I tried to update via Centos base repo but it threw me access denied error. Support told me I could update via SA10.3 iso, but still waiting for them to provide it. Didn't tell me 'bout the script either. (might anyone have the iso or the script?)

I have glibc-2.12 btw, nevertheless collector requires libgcc_s.so.1(GLIBC_2.0) and lots of other stuff

 

Edit: Checked on my 10.2 SA VM and the collector is on decoder. Must be a flawed image or maybe hybrid doesn't  go with collector by default. Will check with support.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.