This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

VLC collect when nwlogcollector stop?

ThomasGaultier
Beginner
Beginner

‎2017-05-23 11:36 AM

Hello,

What is happening when we stop a few minutes and start or restart the nwlogcollector service ?

Do we loose logs? Does the VLC keep getting the log and buffer them?

 

Thanks,

0 Likes
7 REPLIES 7

IslamRashad
Employee
Employee

‎2017-05-23 12:03 PM

The Log Collection service makes use of Pivotal's RabbitMQ message queuing technology to satisfy a number of requirements. The Message Broker:


1- Provides asynchronous delivery of event data between components, even if not all components in the  system are running or available. This allows the Log Collector to continue collecting event data, even if the Log Decoder or other event consumers are unavailable. 

 

2- Provides persistence of event data on disk in the event of a machine restart or upgrade. Events are never lost in the case of graceful shutdown, and most events are be saved in the event of  catastrophic shutdown. 


3- Provides movement of event data from one node to the other via configuration, without the need for  additional code.

 

4- Provides a number of routing scenarios, supporting load balancing and replication.

 

5-  Provides mutually authenticated SSL between nodes, so that data can be confidentiality and integrity protected in motion, while also mutually authenticated.

 

In that essence, data availability is preserved in case of service/crashes or unplanned/planned restart.

 

Thanks,
Islam Rashad

0 Likes

SravanKoneti1
Beginner
Beginner

‎2017-05-23 12:07 PM

Hi Thomas,

 

When collector service stopped, all collection methods like windows, checkpoint, file.. (Except syslog) will create bookmarks. Using these bookmarks when collector service started the collection starts from where it stopped.

0 Likes

ThomasGaultier
Beginner
Beginner

‎2017-05-23 12:25 PM

Hi,

And thanks for the answers.

Except Syslog? You mean if I stopped the syslog message will be dropped?

0 Likes

SravanKoneti1
Beginner
Beginner
In response to ThomasGaultier

‎2017-05-23 12:47 PM

Hi Thomas,

 

Yes. Syslog collection will have log loss during collector service stop. 

0 Likes

ThomasGaultier
Beginner
Beginner

‎2017-05-23 12:56 PM

Hi,

Ok got it because we have to made changes on the VLC configuration and its seems that the only way to do it is to send the log to another VLC ?

 

And if we restart ? It will stop and start so we will loose logs ?

0 Likes

SravanKoneti1
Beginner
Beginner
In response to ThomasGaultier

‎2017-05-23 01:02 PM

Hi Thomas,

 

If syslog messages are critical for organisation, we can direct them to different collector before stopping collector service. So event source can send messages to the appropriate running collector.

0 Likes

KamilGlowinski2
Employee
Employee

‎2017-05-23 03:35 PM

For syslog the best option in this situation is VIP , which will balance syslog flow between 2 VLC.

You can do similar for sftp and snmp collection ( traps also will be lost when nwlogcollector service will be restarted)

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.