Article Number
000030713
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Packet Decoder, Concentrator, Broker, Archiver, Security Analytics UI
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
O/S Version: EL5, EL6
Issue
A service appears as unlicensed in RSA Security Analytics 10.3.x or 10.4.x UI as shown in the screenshot below.
Entitle Service attempt fails with "<service_name> has already been licensed" as shown below.
Upload Trial fails with "Applying trial license failed" as shown below.
It is noticed that opening the System, Stats, Config, Explore, Logs or Security page for the affected services returns "Service <ip_address> host <service_name> is unreachable" as shown in the example below.
The /var/log/messages of the Security Analytics server reports the following error when the above error messages are displayed.
Jul 6 23:58:50 decoder nw[1753]: [Login] [audit] Failed login attempt for nonexistent user 'xxx' from [::ffff:<sa_server_ip_address>]:43676
This issue is seen on Security Analytics 10.3.x core services that are managed by a 10.3.x or 10.4.x Security Analytics server.
Cause
The issue occurs when a user logs on to the Security Analytics UI with a system user account (e.g. a custom administrator account such as saadmin) that does not exist under the affected 10.3.x services.
As described in the RSA Security Analytics 10.3 User Guide, all other users (other than the default admin account) of Security Analytics must have a system user account and a device user account. If a non-admin user needs to access a particular device through Security Analytics, the credentials used to authenticate with Security Analytics (for both external and local users) must match the credentials used to authenticate against the device.
Unless the corresponding device user account is created first, the logged-on user cannot log in to the service and encounters the errors described above.
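To confirm this cause across several services, the audit line quoted in the Issue section can be matched in collected /var/log/messages lines and grouped by service host and user name. The following is an added example, not RSA's code; the function names, the SA server address 192.0.2.10, the host name "concentrator" and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the audit line format quoted in the Issue section of this article.
AUDIT_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+\S+\[\d+\]:\s+"
    r"\[Login\] \[audit\] Failed login attempt for nonexistent user "
    r"'(?P<user>[^']*)' from \[(?P<addr>[^\]]+)\]:\d+"
)

def normalize(addr):
    """Return the address as text, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def missing_device_users(lines, sa_server_ip):
    """Map service host -> {username: failure count} for logins from the SA server."""
    wanted = normalize(sa_server_ip)
    found = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        try:
            source = normalize(m.group("addr"))
        except ValueError:
            continue  # address field is not a valid IP; ignore the line
        if source == wanted:
            found[m.group("host")][m.group("user")] += 1
    return {host: dict(users) for host, users in found.items()}

# Constructed sample lines; 192.0.2.0/24 is a documentation range, and the
# host name "concentrator" and SA server address 192.0.2.10 are assumptions.
SAMPLE = [
    "Jul 6 23:58:50 decoder nw[1753]: [Login] [audit] Failed login attempt for nonexistent user 'saadmin' from [::ffff:192.0.2.10]:43676",
    "Jul 6 23:59:02 decoder nw[1753]: [Login] [audit] Failed login attempt for nonexistent user 'saadmin' from [::ffff:192.0.2.10]:43701",
    "Jul 7 00:01:13 concentrator nw[2210]: [Login] [audit] Failed login attempt for nonexistent user 'saadmin' from [::ffff:192.0.2.10]:51822",
    "Jul 7 00:03:40 decoder nw[1753]: [Login] [audit] Failed login attempt for nonexistent user 'test' from [::ffff:192.0.2.77]:40112",
    "Jul 7 00:04:00 decoder sshd[900]: Accepted password for root from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    for host, users in missing_device_users(SAMPLE, "192.0.2.10").items():
        for user, count in sorted(users.items()):
            print(f"{host}: create device user '{user}' ({count} failed logins)")
```

Failures from addresses other than the Security Analytics server are left out on purpose, since they are not explained by this article's cause and should be reviewed separately.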
Resolution
The issue can be resolved by following one of the two options below.
- Add a new device user with a username that matches the system user account to all of the affected services. Refer to the RSA Security Analytics 10.3 User Guide for the detailed instructions.
- Log in to the Security Analytics UI using the default admin account to entitle the services. If a custom administrator account will be used to manage the Security Analytics environment, it is strongly recommended to apply the first option.