2015-08-17 02:50 PM
Hello all,
Are there services from which events can be lost when you restart them? The only case I can think of is when you restart the Local Collector while using it to capture UDP syslog events.
2015-08-17 04:34 PM
Log decoder is also that way.
2015-08-24 01:05 PM
All ideas are welcome.
One thing that makes me think the Decoder and Concentrator are okay is that I think they use AMQP.
2015-09-17 08:08 AM
syslog goes straight to the log decoder, not the log collector.
Push/pull feeds seem to catch up relatively well from a Log Collector restart (at least at 10.4; in 10.3.4, files that arrived while the collector was down didn't get processed).
We feed syslog to a VLC (Virtual Log Collector) appliance to give some level of buffering when a Log Decoder is being restarted, but I'm not sure it actually helps.
2015-09-18 09:25 AM
Thank you for your answer, Andy.
> syslog goes straight to the log decoder, not the log collector.
I may be wrong on this, but I'm thinking they must have put in a syslog server which writes syslog events to a local database, from which the Local Collector reads and then writes to AMQP for the Log Decoder to pick up. And that syslog server would be bundled under nwlogdecoder. That would still make your opinion valid.
> Push/pull feeds seem to catch up relatively well from a Log Collector restart
I didn't test it, but it's good to have feedback on this. If they implement a transaction concept (even though the event is pulled, if the machine from which the event was pulled didn't get a kind of "transaction completed", it keeps it. It's a protection against the decoder failing in the middle of processing, such as the Log Decoder service being restarted).
> files that arrived while the collector was down didn't get processed
I was strongly assuming the opposite. I will have to test it.
> We feed syslog to a VLC (Virtual Log Collector) appliance to give some level of buffering when a Log Decoder is being restarted, but I'm not sure it actually helps.
Buffering with a VLC seems like a good architecture practice, since syslog fails if the Log Decoder is restarted, plus the Log Decoder is more prone to being restarted.
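The "transaction completed" idea discussed in the reply above is, in AMQP terms, consumer acknowledgement: the broker keeps a delivered message until the consumer sends basic.ack, and requeues it if the consumer's channel dies first. The following is an added illustration of that behaviour, not code from this thread and not RSA's implementation (nothing here says how Security Analytics actually configures its queues); the Broker class, the run_consumer helper and the simulated mid-processing restart are all constructed for the example.

```python
"""Added example (not code from this thread or from RSA Security Analytics):
an in-memory model of AMQP-style delivery that shows why a consumer which
acknowledges a message only after processing it survives a restart without
losing that message, while an auto-acknowledging consumer does not.
Broker, queue contents and the mid-stream crash are all simulated here."""
from collections import deque


class Broker:
    """Minimal stand-in for one AMQP queue with redelivery of unacked messages."""

    def __init__(self, messages):
        self.ready = deque(messages)   # messages waiting to be delivered
        self.unacked = {}              # delivery tag -> message still in flight
        self._next_tag = 1

    def deliver(self, auto_ack):
        """Hand the next message to the consumer; returns (tag, msg) or None."""
        if not self.ready:
            return None
        tag, msg = self._next_tag, self.ready.popleft()
        self._next_tag += 1
        if not auto_ack:
            self.unacked[tag] = msg    # kept until the consumer sends basic.ack
        return tag, msg

    def ack(self, tag):
        """Consumer confirms processing; the broker may now forget the message."""
        del self.unacked[tag]

    def consumer_died(self):
        """Channel closed without acks: everything in flight goes back to the
        head of the queue, in its original order, for the next consumer."""
        for tag in sorted(self.unacked, reverse=True):
            self.ready.appendleft(self.unacked.pop(tag))


def run_consumer(broker, auto_ack, crash_on):
    """Drain `broker`, simulating one restart of the consumer while it holds
    the `crash_on`-th message (1-based) and has not finished processing it.
    Returns the messages that were fully processed, in order."""
    processed = []
    restarted = False
    while True:
        delivery = broker.deliver(auto_ack)
        if delivery is None:
            return processed
        tag, msg = delivery
        if not restarted and len(processed) + 1 == crash_on:
            restarted = True
            broker.consumer_died()     # restart mid-processing, no ack sent
            continue
        processed.append(msg)
        if not auto_ack:
            broker.ack(tag)


if __name__ == "__main__":
    events = ["evt1", "evt2", "evt3", "evt4", "evt5"]   # constructed sample
    print("auto-ack  :", run_consumer(Broker(events), auto_ack=True, crash_on=3))
    print("manual ack:", run_consumer(Broker(events), auto_ack=False, crash_on=3))
```

With auto-ack the third event is simply gone after the restart; with manual ack it is redelivered and nothing is lost. The price of manual ack is at-least-once delivery: a consumer that dies after processing but before acking will see that message again, so the downstream side has to tolerate duplicates.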
2015-10-28 09:35 AM
I found a chunk of what I was looking for.
Prepare Log Collector Services for Update
Perform the following procedure before you update a Local Collector (Log Decoder appliance running the Log Collector service) or a Remote Collector (a Log Collector service running on a Virtual Machine).
- Stop all collection protocols on the Log Collector service. To stop the protocols:
  - In the Security Analytics menu, select Administration > Services.
  - Select the Log Collector service.
  - Click View > System > Collection > Protocol (for example, Check Point) and click Stop.
- After all collection protocols have stopped, verify that all data in the LogCollector has been sent to the LogDecoder service.
  - In the Security Analytics menu, select Administration > Services.
  - Select the Log Collector service.
  - Click View > Explore.
  - Click event-broker/stats/queues.
  - Click on each queue name and look for the messages and consumers stats in the right panel.
  - Verify that the consumers stat value is non-zero (that is, at least one consumer) and the messages stat is 0 before you start the update. For example, if:
    - there is a value greater than 0 in consumers with messages in the queue, wait until the messages value becomes 0. Make sure that the LogDecoder service is running and receiving data so that it can receive the messages.
    - there are messages and the consumers value is 0, verify that the queue is configured correctly and the LogDecoder is up and receiving.
  - These queues are no longer required; you can delete them.
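The queue check in the procedure quoted above boils down to one rule per queue (consumers non-zero and messages 0) plus two failure cases (still draining: wait; messages but no consumer: fix the queue or the Log Decoder, waiting will not help). The following is an added example that encodes that rule and polls until it holds; it is not RSA code. The stats source is a caller-supplied callable standing in for reading event-broker/stats/queues, and the queue names and counters are constructed for the example rather than taken from a live Log Collector.

```python
"""Added example modelled on the 'event-broker/stats/queues' check quoted
above. Not RSA Security Analytics code: the stats source is a caller-supplied
callable and the counters below are constructed, not read from a live
Log Collector. It applies the procedure's rule per queue (consumers > 0 and
messages == 0 before a restart) and polls until that holds or it is pointless
to keep waiting."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class QueueStat:
    name: str
    messages: int   # the 'messages' stat on the queue node
    consumers: int  # the 'consumers' stat on the queue node


def classify(q):
    """Map one queue's counters onto the procedure's cases."""
    if q.consumers > 0 and q.messages == 0:
        return "ready"        # safe to stop the collector
    if q.consumers > 0:
        return "draining"     # a Log Decoder is attached; wait for messages -> 0
    if q.messages > 0:
        return "stuck"        # nobody consuming: check queue config / Log Decoder
    return "no_consumer"      # empty but unattached; still fails the check


def wait_until_drained(fetch_stats, timeout_s, poll_s=5.0,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll fetch_stats() until every queue is 'ready'.
    Returns (ok, report) where report maps queue name -> last state.
    Gives up at once on 'stuck'/'no_consumer' because waiting cannot fix a
    missing consumer, and on timeout while queues are still draining."""
    deadline = clock() + timeout_s
    while True:
        report = {q.name: classify(q) for q in fetch_stats()}
        if all(state == "ready" for state in report.values()):
            return True, report
        if any(state in ("stuck", "no_consumer") for state in report.values()):
            return False, report
        if clock() >= deadline:
            return False, report
        sleep(poll_s)


def make_fake_collector(snapshots):
    """Constructed stand-in for reading event-broker/stats/queues: returns the
    next snapshot on each call and keeps returning the last one afterwards."""
    remaining = list(snapshots)
    current = []

    def fetch():
        if remaining:
            current[:] = [remaining.pop(0)]
        return current[0]

    return fetch


# Constructed snapshots: queue names and counters are illustrative only.
DRAINING_RUN = [
    [QueueStat("logdecoder", 1200, 1), QueueStat("logdecoder-dr", 0, 1)],
    [QueueStat("logdecoder", 310, 1), QueueStat("logdecoder-dr", 0, 1)],
    [QueueStat("logdecoder", 0, 1), QueueStat("logdecoder-dr", 0, 1)],
]
STUCK_RUN = [[QueueStat("logdecoder", 450, 0)]]

if __name__ == "__main__":
    for label, run in (("draining", DRAINING_RUN), ("stuck", STUCK_RUN)):
        ok, report = wait_until_drained(make_fake_collector(run),
                                        timeout_s=60, poll_s=0)
        print(label, "-> safe to restart:", ok, report)
```

On a real appliance the fetch callable would read the same two stats the procedure tells you to look at; keeping the decision rule separate from the data source is what makes the check testable without a Log Collector in front of you. Treating an empty queue with no consumer as a failure follows the quoted text literally (consumers must be non-zero), which is the conservative choice before an update.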