Skip to content
  • There are no suggestions because the search field is empty.

RSA Security Analytics Virtual Remote Log Collector does not switch back to Primary Local Log Collector when Primary becomes available again after a failover

Issue

RSA Security Analytics Virtual Remote Log Collector does not switch back to Primary Local Log Collector when Primary becomes available again after a failover.
A Virtual Log Collector is configured which communicates with two local collectors.
The user wishes that when the highest priority local collector becomes available again, the logs are sent to this collector.

Resolution

In order to resolve the issue, follow the steps below:

  1. Log onto the Remote log Collector via REST using the following URL:  http:// :50101/sys/config
    NOTE:  Be sure to change the URL to use https:// if SSL has been configured for the device.
  2. Enter the service credentials for the device.  (Default:  admin/netwitness)
  3. Scroll down to the scheduler(*) entry.
  4. Click on the * next to the scheduler.
  5. Scroll to the bottom of the page and locate the following:  Properties for sys/config/scheduler
  6. From the drop down menu, select addInter.
  7. In the parameters box enter the following:  message=restart minutes=5 pathname=/event-broker/
  8. Click on the Send button. The Output box should display success.
  9. From the drop down menu, select ls. You should see the following message:  4730 = minutes=1 message=restart pathname=/event-broker/
    NOTE:  The first 4 digits may be different in your environment.

By making the changes above, the event broker service will restart every 5 minutes. The primary, prefered Local Log Collector will then become active again.


Notes

For additional information and screenshots, refer to the attached documentation.

Internal Comments

David Waugh -- 20 May 2014
Created the article.  

Jeff Shurtliff -- 24 Jun 2014
Technically reviewed the article and changed its status to Copy Edited. Added Fact statements and added product name to the title of the article. Modified the Symptom statements for clarity. Modified formatting of Fix statement to adhere to Primus best practices and corrected grammatical and spelling errors. Converted document in the linked RSA SFTP site to PDF and added it as an attachment in a Note statement.

Jemma Lee -- 24 July 2017
Added internal notes

Jeff Shurtliff -- 5 Aug 2017
Performed KCS Review.  Updated the Applies To field to adhere more closely to best practices.

Product Details

RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Virtual Log Collector (VLC)

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue