Article Number
000039859
Applies To
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Issue
The NetWitness Log Decoder might log warnings such as the one below.
/var/log/messages:
Oct 6 06:16:44 Logdecoder11 NwLogDecoder[30719]: [Parse] [warning] Maximum meta callback depth reached.
Task
To investigate the incoming traffic causing these errors, use the attached script.
Resolution
Use the attached script to automatically start a Log Decoder incoming packet capture when the pattern 'Maximum meta callback depth reached' occurs in /var/log/messages.
Note: To trigger on a different pattern, modify the PATTERN variable in the script, for example:
PATTERN="Unidentified syslog"
- Extract the file with the WinZip tool and copy autocap.sh to a directory on the Log Decoder system where the root user has write permission. For example, you may copy autocap.sh to /root.
- Then as the root user, run this command: nohup bash autocap.sh > autocap.txt &
- Keep monitoring the output that goes into autocap.txt.
- When the script has completed, you'll see a log message that says 'Capture complete!' followed by a message that says 'Send _autocap-YYYY-MM-DD_HH-MM-SS.tar.gz file to RSA'.
- Send that tar file and the autocap.txt file to RSA Support for review.
Note: The script automatically stops collecting details after 100 occurrences of the warning.
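Before starting the capture, it can help to confirm that the chosen PATTERN really appears in /var/log/messages and how often per hour. The following is an added example, not the attached autocap.sh and not RSA code; the function names pattern_rate and sample_log are hypothetical, and the sample lines are constructed around the warning quoted above.

```shell
#!/usr/bin/env bash
# Added example: not the attached autocap.sh and not RSA code.

# pattern_rate LOGFILE PATTERN
# Counts syslog lines containing PATTERN (fixed string, not a regex),
# grouped by hour. Prints "<Mon> <day> <HH>:00 <count>" per hour in
# order of first appearance, then "TOTAL <count>".
pattern_rate() {
    # The pattern is passed through the environment so that awk does
    # not interpret backslashes or regex characters in it.
    PAT="$2" awk '
        index($0, ENVIRON["PAT"]) {
            split($3, t, ":")                  # $3 is HH:MM:SS
            key = $1 " " $2 " " t[1] ":00"     # month, day, hour
            if (!(key in n)) order[++k] = key
            n[key]++
            total++
        }
        END {
            for (i = 1; i <= k; i++) print order[i], n[order[i]]
            print "TOTAL", total + 0
        }' "$1"
}

# sample_log: constructed /var/log/messages lines for a dry run.
# Only the first line's message text is taken from the article.
sample_log() {
    cat <<'EOF'
Oct  6 06:16:44 Logdecoder11 NwLogDecoder[30719]: [Parse] [warning] Maximum meta callback depth reached.
Oct  6 06:41:02 Logdecoder11 NwLogDecoder[30719]: [Parse] [warning] Maximum meta callback depth reached.
Oct  6 07:00:01 Logdecoder11 systemd: Started Session 1 of user root.
Oct  6 07:03:10 Logdecoder11 NwLogDecoder[30719]: [Parse] [warning] Maximum meta callback depth reached.
EOF
}

# When called with a log file and a pattern, report on that file.
if [ "$#" -ge 2 ]; then
    pattern_rate "$1" "$2"
fi
```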