Troubleshoot Windows Legacy and NetApp Collection

This topic highlights possible problems that you may encounter with Windows Legacy Collection (LWC) and suggested solutions to these problems.

Note: In general, you receive more robust log messages by disabling SSL.

Protocol Restart Problems

Problem Possible Causes Solutions

You restart the Legacy Windows collection protocol, but NetWitness is not receiving events.

The logcollector service is stopped.

Restart the logcollector service.

  1. Log on to the Windows Legacy Remote Collector.
  2. Go to Start > Administrative Tools > Task Scheduler and click on Task Scheduler Library.
  3. In the right panel, look for the restartnwlogcollector task and make sure that it is running.
  4. If this is not the case, right-click restartnwlogcollector
    and select Run.

Installation Problems

If you see any of the following messages in the MessageBroker.log, you may have issues.

Log Messages

Any message that contains "rabbitmq"

Possible Cause

RabbitMQ service may not be running.

Port 5671 may not be opened.

Solutions

Make sure that the RabbitMQ service is running.

Make sure that port 5671 is open.

Log Messages

Error: Adding logcollector user account.

Error: Adding administrator tag to logcollector account.
Error: Adding logcollection vhost.
Error: Setting permissions to logcollector account in all vhosts.

Possible Cause

rabbitmq-server was not running when installer tried to create users and vhosts.

Solutions

Make sure that the RabbitMQ service is running and run below commands manually.

rabbitmqctl -q add_user logcollector netwitness
rabbitmqctl -q set_user_tags logcollector administrator
rabbitmqctl -q add_vhost logcollection
rabbitmqctl -q set_permissions -p / logcollector ".*" ".*" ".*"
rabbitmqctl -q set_permissions -p logcollection logcollector ".*" ".*" ".*"

Windows Legacy Federation Script Issues

If you see any of the following messages in the federation script log, you may have issues.

Problem Possible Symptoms Solutions

Federation script started, but the LWC service went down.

 NetWitness log shows connection failure exceptions with Windows Legacy Collector.

This issue is fixed automatically after restarting the Windows Legacy service.

LWC is running, but RabbitMQ service is down or restarting.

Federation log file at Windows Legacy side displays an error message about RabbitMQ service being down.

The log file to look at is:
C:\NetWitness\ng\logcollector

The following error message is logged in case RabbitMQ is not running:

"Unable to connect to node logcollector@localhost: nodedown"

The following diagnostics messages are displayed:

attempted to contact: [logcollector@localhost]

logcollector@localhost:
* connected to epmd (port 4369) on localhost
* epmd reports: node 'logcollector' not running at all other nodes on localhost: ['rabbitmqctl-4084']
* suggestion: start the node

Run the federation.bat script manually at LWC.
To run the federate.bat script manually, perform the following steps:

  1. Go to folder C:\Program Files\NwLogCollector where the Windows Legacy instance is installed.

  2. Locate the file federate.bat in this folder. Select the file and right click.

  3. Select Run as Administrator.

  4. To monitor the log file, navigate to
    C:\NetWitness\ng\logcollector\federate.log while the federate.bat script is being executed.

Note: Make sure the log file does not show any errors while the script is being executed.

RabbitMQ service is down on the NetWitness side.

NetWitness User Interface pages do not work.

Restart RabbitMQ service.

Customer receives a Health and Wellness notification, or the following Health and Wellness Alarm is displayed:
"Communication failure between Master NetWitness Host and a Remote Host" with LWC Host as the Remote IP.

Federate.bat script failed to run successfully.

If the Federate.bat script did not run correctly, run it manually as described previously.