2016-06-09 08:39 AM
Hi All,
I am facing a serious issue while adding a remote collector.
During deployment I had given it a wrong hostname. So I ran netconfig.sh --force again to give it the name I needed. Now, whenever Security Analytics discovers this, it is via the old name and it doesn't get added/enabled.
I have tried a lot of things like re-adding by removing node_id and clearing certificates. But every time it is discovered by that old hostname and never gets added/enabled.
Is there anyone who can help me with this?
2016-06-10 05:15 AM
Hi, it sounds like you need to reprovision the appliance.
The hostname comes from the file
/etc/puppet/csr_attributes.yaml
so it sounds like this might be incorrect.
The steps to reprovision are fairly simple, but it is something that I'd open a support case to do.
2016-06-12 03:03 AM
I have seen the same issue with a Remote Log Collector. A better and time-saving solution is to recreate a new VM and deploy.
2016-06-14 05:21 AM
Hi,
I redeployed using a different hostname and a new IP. Now I am still not able to enable the remote log collector. Can someone please help on this?
2016-06-14 05:40 AM
I had faced this issue, check the date of your VLC and match with SA server.
It should be same.
I mean the time.
2016-06-14 08:58 AM
Hi,
There is only a minute difference between both. Is that a problem? How do I sync it?
Please help. This is really becoming a pain.
2016-06-14 09:00 AM
Hi David,
Please help on this.
I have been trying to add a Remote collector for the last week and this is my first stint with RSA. I am surprised to find very few documents and little help for the issue. Please help.
2016-06-14 09:51 AM
If you have a time critical support case, then please open a normal support case with RSA. The community is not the best place for time critical urgent issues.
2016-06-14 11:09 PM
It all depends on which one is ahead of the other. Have you configured an NTP server on the SA server yet? If not, under Administration -> System > NTP Settings, by default it will be set to use the CentOS pool ntp servers, but if NTP is not allowed from the SA server to the internet, then they cannot sync. You can usually point it at an Active Directory server and use that to sync time.
To test ntp time server access on the SA server, do the following:
service ntpd stop
ntpdate <IP or FQDN of NTP Server>
If it works you'll get something like this back:
ntpdate[29683]: adjust time server <IP of NTP Server> offset -0.003140 sec
Restart ntpd:
service ntpd start
The SA server acts as a time server for all the other devices (this will be configured during enablement). To sync the VLC before that, do the following:
service ntpd stop
ntpdate <IP address of SA server> (should have similar output to above)
service ntpd start
Now try to re-provision the VLC
Remove the VLC from the Hosts page with "Remove and Repurpose Appliance" option
Verify the hostname & IP address on the VLC
cat /etc/hosts (note the IP and hostname of the VLC)
cat /etc/sysconfig/network (compare hostname to previous)
cat /etc/puppet/csr_attributes.yaml (compare hostname & IP address)
cat /etc/sysconfig/network-scripts/ifcfg-eth0 (or em1) (verify network information)
hostname (compare hostname)
If any of these don't match, edit them to match properly.
Check the Node IDs on the VLC:
/etc/puppet/scripts/node_id.py (copy the returned ID to notepad)
cat /var/lib/puppet/node_id (compare to previous output, they should match)
cat /etc/puppet/puppet.conf | grep certname (should match the other two IDs)
On SA server:
Clear any old cert requests:
/var/lib/puppet/ssl/certificate_requests/*
Check for old node in cert list:
puppet cert list --all | grep <old agent NODE_ID>
If it exists:
puppet cert clean <old agent NODE_ID>
/etc/scripts/puppet/delNode.py <old agent NODE_ID>
From VLC, run the following commands.
service puppet stop
rm -rf /var/lib/puppet/ssl
puppet agent -t --waitforcert 30 && tail -f /var/log/messages | grep agent
When "did not receive certificate" appears in log
In SA UI
Click on "Discover" button on the Hosts page
Enable Devices screen should appear listing the VLC
Select the VLC and click "enable"
You will see a lot of traffic in the log on the VLC as puppet provisions the host and finishes enablement.
If the "enabling" indicator on the hosts page goes red, but there is still activity in the log on the VLC, wait until puppet is finished before clicking the enable button and attempting again.
Once provisioning is complete
On VLC:
service puppet start
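The hostname and node ID comparisons from the post above can be scripted; the following is an added example, not part of the original thread and not RSA tooling. The function names and the ROOT argument are hypothetical, /etc/sysconfig/network is assumed to carry a HOSTNAME= line, and csr_attributes.yaml is only searched for the hostname because the thread does not show its layout. The output of /etc/puppet/scripts/node_id.py still has to be compared by hand.

```shell
#!/bin/sh
# Added example (not from the thread): compare the identity files the post lists.
# Function names and the ROOT argument are hypothetical; ROOT lets the check run
# against a copied file tree instead of the live appliance.

# HOSTNAME= value from etc/sysconfig/network, quotes stripped.
sysconfig_hostname() {
    sed -n 's/^HOSTNAME=//p' "$1/etc/sysconfig/network" 2>/dev/null | tr -d '"' | head -n 1
}

# certname value from puppet.conf.
puppet_certname() {
    sed -n 's/^[[:space:]]*certname[[:space:]]*=[[:space:]]*//p' \
        "$1/etc/puppet/puppet.conf" 2>/dev/null | head -n 1
}

# check_identity ROOT HOSTNAME: prints one line per mismatch and returns the count.
check_identity() {
    root=$1; want=$2; bad=0
    have=$(sysconfig_hostname "$root")
    [ "$have" = "$want" ] || { echo "MISMATCH etc/sysconfig/network: '$have'"; bad=$((bad + 1)); }
    # The layout of csr_attributes.yaml is not shown in the thread, so it is only
    # searched for the expected hostname as a whole word, like etc/hosts.
    for f in etc/hosts etc/puppet/csr_attributes.yaml; do
        grep -qwF -- "$want" "$root/$f" 2>/dev/null ||
            { echo "MISMATCH $f: '$want' not found"; bad=$((bad + 1)); }
    done
    node=$(cat "$root/var/lib/puppet/node_id" 2>/dev/null | tr -d '[:space:]')
    cert=$(puppet_certname "$root")
    { [ -n "$node" ] && [ "$node" = "$cert" ]; } ||
        { echo "MISMATCH node_id '$node' vs certname '$cert'"; bad=$((bad + 1)); }
    return "$bad"
}

# Stand-alone use on the VLC: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_identity "${ROOT:-/}" "$(hostname)"
fi
```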
2016-06-15 04:39 AM
Hi Shishir,
Is your issue resolved? Please let me know.
In my experience, all other units should have exactly the same time and date as the Head Unit when it is a matter of provisioning.