Article Number
000003095
Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Admin Server, LogDecoder
RSA Version/Condition: 12.1.X
Platform: CentOS
O/S Version: 7
Issue
Disabling Policy-based Centralized Content Management for an individual service, following the procedure in "NetWitness 12.x Enabling or Disabling Policy-based Centralized Content Management for Individual Services", fails with the error below.
source-server:Method:/rsa/central/service/toggle-managed-by-legacy » invoke 'rsdec - Log Decoder'
ERROR: java.lang.IllegalStateException: Duplicate key null (attempted merging values ServiceInstance(id=cbbb5e9a76c142859c5c0f8af9bb6da9, name=ntp, displayName=null, host=ntp.unice.fr, port=null, useTls=false, version=null, family=third-party, meta={}) and ServiceInstance(id=5bcacaf1c60548b19fb4379d99e0453a, name=syslog, displayName=null, host=192.168.1.74, port=514, useTls=false, version=null, family=third-party, meta={template=CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} dpt=%{destinationPort} dst=%{destinationAddress} dvcpid=%{deviceProcessId} tpt=%{transportProtocol} sessionId=%{sessionId} scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} deviceFacility=%{deviceFacility} outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} userGroup=%{userGroup} userRole=%{userRole} key=%{key} value=%{value} paramKey=%{Key} paramValue=%{Value} alert=%{alert} incident=%{incident} action=%{action} notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} disabled=%{disabled} params=%{parameters} hostName=%{hostName} host=%{host} serviceName=%{serviceName}, outputType=rsatcp, facility=USER}))
Cause
This issue is caused by the audit logging configuration for this Log Decoder.
Resolution
Follow the steps below to disable Policy-based Centralized Content Management for the individual service.
Note: Before executing the query, remove this Log Decoder service from the groups and policies on the Configure → Policies page.
1. Connect to mongo on the Admin Server:
mongo admin -u deploy_admin -p <PASSWORD>
2. Navigate to Source-server DB:
use source-server
3. Execute the update query:
db.getCollection('centralService').update({"serviceName": 'rsdec - Log Decoder'},{ $set: {"managedByLegacy": true}})
Note: The serviceName value 'rsdec - Log Decoder' depends on the customer environment; use the Log Decoder name shown on the Services page.
4. Exit from Mongo shell:
quit()
5. A Log Decoder service restart is required after updating the mongo document:
service nwlogdecoder restart
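
A guarded form of the step 3 update, as an added example that is not part of the original article or RSA's own tooling: it refuses to write unless exactly one centralService document matches the name, records the previous managedByLegacy value, and re-reads the document after the update. The function name setManagedByLegacy is hypothetical; the collection, field and service name are the ones shown in the article, and the legacy mongo shell is assumed.

```javascript
// Added example: guarded version of the step 3 update (legacy mongo shell).
// 'centralService' and 'managedByLegacy' come from the article; the function
// name and the shape of the returned object are assumptions for illustration.
function setManagedByLegacy(database, serviceName) {
  var coll = database.getCollection('centralService');
  var matches = coll.find({ serviceName: serviceName }).toArray();

  // update() without { multi: true } changes only the first match, so any
  // result other than exactly one document is treated as an error: a typo in
  // the name matches nothing, a duplicate name would update an arbitrary one.
  if (matches.length !== 1) {
    return { ok: false, reason: 'expected 1 document, found ' + matches.length };
  }

  var previous = matches[0].managedByLegacy; // keep for the change record
  if (previous === true) {
    return { ok: true, changed: false, previous: previous };
  }

  coll.update({ serviceName: serviceName }, { $set: { managedByLegacy: true } });

  // Re-read the document rather than trusting the write result alone.
  var after = coll.find({ serviceName: serviceName }).toArray()[0];
  if (!after || after.managedByLegacy !== true) {
    return { ok: false, reason: 'update did not persist' };
  }
  return { ok: true, changed: true, previous: previous };
}

// In the mongo shell, after `use source-server`, `db` is a global.
// Replace the name with the one shown on the Services page.
if (typeof db !== 'undefined') {
  printjson(setManagedByLegacy(db, 'rsdec - Log Decoder'));
}
```

Paste it into the mongo shell after step 2 in place of the bare update, then continue with steps 4 and 5 only if the result shows ok: true.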