Article Number
000001015
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: 6, 7
Issue
When the Resolve SIDs option is enabled, Windows Collection is delayed for that event source until the SID enumeration completes.
The following messages are logged for the event source until the SID enumeration completes:
Nov 30 07:30:35 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security2.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security1.10_10_20_2] Got 500 SIDs
...
Depending on the size of the domain, this process can take several hours, so critical events from that source are not received in time.
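To see how far behind a given event source already is, the "Got N SIDs" progress messages above can be summarised per source. The script below is an added example and not part of the RSA article or the NetWitness product: it parses collector log lines of the format quoted above, counts the SID batches per event source, and reports how long the enumeration has been running between the first and last observed batch. The sample log text is constructed for the example (modelled on the messages in the article), the year passed to the parser is an assumption because syslog timestamps carry none, and the 30-minute threshold is an arbitrary illustration.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the NwLogCollector messages quoted in the article.
SAMPLE_LOG = """\
Nov 30 07:12:10 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 500 SIDs
Nov 30 07:30:35 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security2.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security1.10_10_20_2] Got 500 SIDs
Nov 30 08:05:02 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 500 SIDs
Nov 30 08:05:03 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [some other collector message]
"""

# Matches the "Got N SIDs" progress message. The bracketed token before it is the
# event-source name (with the collector-side suffix seen in the article).
SID_BATCH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ NwLogCollector\[\d+\]: "
    r"\[WindowsCollection\] \[info\] \[(?P<source>[^\]]+)\] Got (?P<count>\d+) SIDs$"
)


def parse_sid_batches(log_text, year):
    """Yield (timestamp, source, count) for every SID batch message.

    Syslog timestamps carry no year, so the caller supplies one (an assumption)."""
    for line in log_text.splitlines():
        m = SID_BATCH_RE.match(line)
        if not m:
            continue  # unrelated collector message, ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["source"], int(m["count"])


def summarize_sid_enumeration(log_text, year=2000):
    """Per event source: batches seen, SIDs fetched so far, and elapsed seconds
    between the first and last observed batch (i.e. the delay accrued so far)."""
    stats = {}
    for ts, source, count in parse_sid_batches(log_text, year):
        s = stats.setdefault(source, {"batches": 0, "sids": 0, "first": ts, "last": ts})
        s["batches"] += 1
        s["sids"] += count
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        s["elapsed_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return stats


def sources_exceeding(stats, max_seconds):
    """Event sources whose enumeration has already run longer than the tolerated delay."""
    return sorted(src for src, s in stats.items() if s["elapsed_seconds"] > max_seconds)


if __name__ == "__main__":
    stats = summarize_sid_enumeration(SAMPLE_LOG)
    for src, s in stats.items():
        print(f"{src}: {s['batches']} batches, {s['sids']} SIDs, {s['elapsed_seconds']}s so far")
    print("still enumerating after 30 min:", sources_exceeding(stats, 1800))
```

Run against the collector's own log, the report shows which event sources are held up by SID enumeration and for how long, which is the evidence to weigh before disabling Resolve SIDs for them as described in the resolution.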
Resolution
To eliminate the delay caused by SID enumeration, disable the Resolve SIDs option for the event source.
SID enumeration can be turned off because, for most security events, Windows has already translated the SIDs in the message itself.
To confirm that the SIDs are translated, check the raw logs and the meta for sessions collected after disabling Resolve SIDs, and verify that the hostname and domain name are present.