Article Number
000001646
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Windows Legacy Collector
RSA Version/Condition: 10.6.x
Platform: CentOS 6
Platform (Other): Microsoft Windows
Issue
- The following warning messages are observed on RSA Security Analytics (SA) Log Collector /var/log/messages:
Dec 11 09:33:29 SALOGCOLLECTOR nw[18752]: [WindowsCollection] [warning] [COLLECTORNAME.192_168_1_1] [processing] [WorkUnit] [processing] Log for channel System may have rolled over. Previous/Current record number: 536243/536247.
- Getting RSA LegacyCollector warnings:
"read event log failed" with "err=87:msg=The parameter is incorrect"
- Followed by
"next event record (nnn) was older than the oldest record"
Cause
This indicates an attempt to retrieve a windows event log message that is no longer present on the windows server itself. It is most likely seen when the Windows event log messages have been deleted from the Windows server before the SA Log Collector can retrieve it.
Resolution
Below are some suggested solutions for this scenario:
- Typically, the Windows Server event viewer Properties is set to "Overwrite events as needed (oldest events first)" with a "maximum log size (KB)". Confirm the "Overwrite events as needed (oldest events first)" is been used, and increase the "maximum log size (KB)" to keep the Windows event log for longer.
