Windows legacy log collection warning message "System may have rolled over" in RSA Netwitness
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Windows Legacy Collector
RSA Version/Condition: 10.6.x
Platform: CentOS 6
Platform (Other): Microsoft Windows
The following warning messages are observed in /var/log/messages on the RSA Security Analytics (SA) Log Collector:
Dec 11 09:33:29 SALOGCOLLECTOR nw: [WindowsCollection] [warning] [COLLECTORNAME.192_168_1_1] [processing] [WorkUnit] [processing] Log for channel System may have rolled over. Previous/Current record number: 536243/536247.
Getting RSA LegacyCollector warnings: "read event log failed" with "err=87:msg=The parameter is incorrect"
Followed by "next event record (nnn) was older than the oldest record"
This indicates an attempt to retrieve a Windows event log record that is no longer present on the Windows server itself. It is most likely to be seen when the Windows event log records have been deleted from the Windows server before the SA Log Collector can retrieve them.
Below are some suggested solutions for this scenario:
Typically, the Windows Server event viewer Properties is set to "Overwrite events as needed (oldest events first)" with a "maximum log size (KB)". Confirm that "Overwrite events as needed (oldest events first)" is being used, and increase the "maximum log size (KB)" so that the Windows event log retains records for longer.
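As an added example (not from the RSA article), the following PowerShell script checks whether the collected channels on the Windows server already use the overwrite-as-needed mode and a large enough cap, and applies the recommended setting when run with -Fix. It assumes Windows PowerShell 5.1 run as an administrator on the Windows server being collected; the channel names and the 256 MB target are illustrative assumptions.

```powershell
# Added example, not part of the RSA KB article. Audits the retention settings of the
# Windows event logs a legacy collector reads and optionally enlarges them.
# Assumptions: Windows PowerShell 5.1, elevated, on the collected Windows server;
# the channel list and the 256 MB minimum are illustrative values.
param(
    [string[]]$Channels = @('System', 'Application', 'Security'),
    [int]$MinimumSizeMB = 256,
    [switch]$Fix
)

$report = foreach ($name in $Channels) {
    # Get-WinEvent -ListLog exposes the current size limit, log mode and record range.
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)

    # LogMode 'Circular' is what Event Viewer shows as
    # "Overwrite events as needed (oldest events first)".
    $modeOk = ($log.LogMode -eq 'Circular')
    $sizeOk = ($sizeMB -ge $MinimumSizeMB)

    if ($Fix -and -not ($modeOk -and $sizeOk)) {
        # Limit-EventLog (classic logs only) sets the overwrite policy and a larger cap
        # so records survive until the collector has read them. -MaximumSize is in bytes.
        Limit-EventLog -LogName $name -MaximumSize ($MinimumSizeMB * 1MB) -OverflowAction OverwriteAsNeeded
        $log = Get-WinEvent -ListLog $name
        $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        $modeOk = ($log.LogMode -eq 'Circular')
        $sizeOk = ($sizeMB -ge $MinimumSizeMB)
    }

    # OldestRecordNumber and RecordCount help correlate with the collector's
    # "Previous/Current record number" warning: a previous number below the
    # oldest record on the server means that record has already been overwritten.
    [pscustomobject]@{
        Channel      = $name
        LogMode      = $log.LogMode
        MaxSizeMB    = $sizeMB
        OldestRecord = $log.OldestRecordNumber
        RecordCount  = $log.RecordCount
        Status       = if ($modeOk -and $sizeOk) { 'OK' } else { 'NEEDS CHANGE' }
    }
}

$report | Format-Table -AutoSize
```

Run it without -Fix first to review the current settings; the Security channel requires an elevated session even for the read-only check.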