Duplicate Log Messages

It is possible that you are collecting messages from the same event source on two or more Log Collectors. This topic describes the problem and ways to troubleshoot the issue.

Details

If the ESM aggregator detects the same events for the same event source on multiple Log Collectors, you receive a warning similar to the following:

2015-03-17 15:25:29,221 [pool-1-thread-6] WARN com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener -
192.0.2.21-apache had a previous event only 0 seconds ago; likely because it exists on multiple log collectors

This warning message means the 192.0.2.21-apache event source is being collected by multiple hosts. You can see the list of hosts in the Log Collector column of the Manage tab in the Administration > Event Sources view.
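The following shell helper is an added example, not part of the original documentation or of NetWitness itself. It scans a log file for the ESM aggregator warning shown above and summarises which event sources triggered it and how often, which is a quick way to confirm the scope of the duplication before running the cleanup. The log lines it runs against are constructed samples in the same format as the warning (each log4j record assumed to sit on a single line, as it does in the real log file; the page shows it wrapped over two lines).

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation): summarise which event
# sources triggered the "had a previous event only N seconds ago" warning.

# Constructed sample log in the same format as the warning shown on the page.
LOG_SAMPLE="$(mktemp)"
trap 'rm -f "$LOG_SAMPLE"' EXIT
cat > "$LOG_SAMPLE" <<'EOF'
2015-03-17 15:25:29,221 [pool-1-thread-6] WARN com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener - 192.0.2.21-apache had a previous event only 0 seconds ago; likely because it exists on multiple log collectors
2015-03-17 15:25:30,102 [pool-1-thread-2] INFO com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener - 192.0.2.30-cisco processed 120 events
2015-03-17 15:25:31,005 [pool-1-thread-6] WARN com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener - 192.0.2.21-apache had a previous event only 1 seconds ago; likely because it exists on multiple log collectors
2015-03-17 15:25:32,410 [pool-1-thread-3] WARN com.rsa.smc.esm.groups.events.listeners.EsmStatEventListener - 192.0.2.45-winevent had a previous event only 0 seconds ago; likely because it exists on multiple log collectors
EOF

# duplicate_sources LOGFILE
# Prints "<warning count> <event source>" for every event source that produced
# the duplicate-collection warning, most frequent first. Event sources that
# only appear in other log lines (like the INFO line above) are ignored.
duplicate_sources() {
    grep 'had a previous event only' "$1" \
      | sed -n 's/.*EsmStatEventListener - \([^ ]*\) had a previous event.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

duplicate_sources "$LOG_SAMPLE"
```

On an appliance you would point `duplicate_sources` at the actual ESM log instead of the constructed sample; each event source it lists is one whose Log Collector column should show more than one host in the Event Sources view.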

Clean Up Duplicate Messages

  1. Stop collectd on NetWitness and Log Decoders:

    service collectd stop

  2. Remove the ESM Aggregator persisted file on NetWitness:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.
    1. Navigate to the Log Decoder REST interface at http://<LD_IP_Address>:50102.
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel of the Event Sources Manage tab, select all event sources and then click the - (minus) icon to remove them.
  5. Start the collectd service:

    service collectd start