Skip to content
  • There are no suggestions because the search field is empty.

Error message basic_string::_S_create is seen when collecting ODBC events in RSA NetWitness Platform

Issue

Error message basic_string::_S_create is seen when collecting ODBC events in RSA NetWitness.
The error marked in red below will be seen in the /var/log/messages on the Log Collector or Virtual Log Collector.

Jun 10 09:18:09 NWAPPLIANCE2932 nw[1409]: [OdbcCollection] [failure] [mcafeedlp3000.ePO] [processing] [ePO] [processing] An error occurred collecting ODBC events using query tag MCAFEEDLP. Error: basic_string::_S_create

Cause

The issue appears to be a column (field) in the data query that is extremely long or longer than the defined max in the field buffer in Log Collector for ODBC data processing. Once the column (field) length was limited to 255 by adding SUBSTR to SQL select clause there are no issues.


The basic_string::_S_create error points to a buffer overflow.


Resolution

Below are the steps that you need to run on the Log Collector or Virtual Log Collector in order to fix the issue.
 

  1. Stop the nwlogcollector service.
    For 10.6.x:   #  stop nwlogcollector
    For 11.x :      # systemctl stop nwlogcollector.service
     
  2. Create a backup of the NwLogCollector.cfg file.
    # cp /etc/netwitness/ng/NwLogcollector.cfg /etc/netwitness/ng/NwLogcollector.cfg_bkp
     
  3. Open the NwLogCollector.cfg file using the VI editor.
    # vi /etc/netwitness/ng/NwLogcollector.cfg
     
  4. Search for the DSN that you had configured for the data collection.
  5. In the attribute tree under the DSN, you should see the parameter max_cell_size which is set to 2048.
  6. Change it to 8192.
  7. Save the file and start the service
    For 10.6.x:   #  start nwlogcollector
    For 11.x :      # systemctl start nwlogcollector.service
     
  8. Check the /var/log/messages and you should not find this error and the log collection will begin to occur normally.
     

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.


Internal Comments

UserName:shurtj
6/19/2014 2:44:05 PM - Technically Reviewed
Technically reviewe the article and changed its status to Copy Edited. Modified formatting of statements to abide by Primus best practices.

Jemma Lee -- 03 Sep 2019
Adjusted the title to adhere to best practice and updated Product Set and Version/Condition. Added commands for 11.x version.

Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.x

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue