This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA Security Analytics Virtual Remote Log Collector does not switch back to Primary Local Log Collector when Primary becomes available again after a failover

Article Number

000002010

Applies To

RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Virtual Log Collector (VLC)

Issue

RSA Security Analytics Virtual Remote Log Collector does not switch back to Primary Local Log Collector when Primary becomes available again after a failover.
A Virtual Log Collector is configured which communicates with two local collectors.
The user wishes that when the highest priority local collector becomes available again, the logs are sent to this collector.

Resolution

In order to resolve the issue, follow the steps below:

  1. Log onto the Remote log Collector via REST using the following URL:  http://<remote_log_collector_ip>:50101/sys/config
    NOTE:  Be sure to change the URL to use https:// if SSL has been configured for the device.
  2. Enter the service credentials for the device.  (Default:  admin/netwitness)
  3. Scroll down to the scheduler(*) entry.
  4. Click on the * next to the scheduler.
  5. Scroll to the bottom of the page and locate the following:  Properties for sys/config/scheduler
  6. From the drop down menu, select addInter.
  7. In the parameters box enter the following:  message=restart minutes=5 pathname=/event-broker/
  8. Click on the Send button. The Output box should display success.
  9. From the drop down menu, select ls. You should see the following message:  4730 = minutes=1 message=restart pathname=/event-broker/
    NOTE:  The first 4 digits may be different in your environment.

 

By making the changes above, the event broker service will restart every 5 minutes. The primary, prefered Local Log Collector will then become active again.

Notes

For additional information and screenshots, refer to the attached documentation.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 12:38 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.