How to fix duplicated logs from ODBC collection in RSA NetWitness Platform
Issue
The RSA NetWitness ODBC collector collects duplicated events from an ODBC event source.
Resolution
Duplicated events are collected if the tracking ID in the runtime file is not updated correctly, because the query to fetch data from the ODBC event source database is in descending order.
To fix this issue, go to /etc/netwitness/ng/logcollection/content/collection/odbc and open the typespec file (.xml).
Change the dataQuery parameter from descending order to ascending order.
For example:
From descending order
<dataQuery>
SELECT acceptedrejected, servername, serveripa, sdate, millisecond, suid, groupname, ipa, reason,
info1, info2, threadid FROM A_AHLOG WHERE sdate > '%TRACKING%' ORDER BY sdate DESC
</dataQuery>
To ascending order
<dataQuery>
SELECT acceptedrejected, servername, serveripa, sdate, millisecond, suid, groupname, ipa, reason,
info1, info2, threadid FROM A_AHLOG WHERE sdate > '%TRACKING%' ORDER BY sdate ASC
</dataQuery>
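The effect of the sort order on the tracking value, as an added illustration that is not RSA's code. It assumes the collector saves the sdate of the last row returned by each poll as the next %TRACKING% value, and it uses a constructed in-memory SQLite table with a reduced A_AHLOG column set.

```python
import sqlite3

# Constructed sample data: two polling intervals, three new events in each.
POLLS = [
    [("2024-01-01 00:00:01", "a"), ("2024-01-01 00:00:02", "b"), ("2024-01-01 00:00:03", "c")],
    [("2024-01-01 00:00:04", "d"), ("2024-01-01 00:00:05", "e"), ("2024-01-01 00:00:06", "f")],
]

def collect(order, polls=POLLS):
    """Poll the table once per batch and return every sdate that was collected.

    Assumed collector model: the tracking value becomes the sdate of the
    LAST row of each result set, whatever the sort order is.
    """
    if order not in ("ASC", "DESC"):
        raise ValueError("order must be ASC or DESC")
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE A_AHLOG (sdate TEXT, reason TEXT)")
    tracking = "2024-01-01 00:00:00"  # constructed starting point
    collected = []
    for batch in polls:
        # New events arrive in the source database between polls.
        db.executemany("INSERT INTO A_AHLOG VALUES (?, ?)", batch)
        query = "SELECT sdate, reason FROM A_AHLOG WHERE sdate > ? ORDER BY sdate " + order
        for sdate, _reason in db.execute(query, (tracking,)).fetchall():
            collected.append(sdate)
            tracking = sdate  # with DESC this ends on the OLDEST row of the poll
    db.close()
    return collected

def duplicates(collected):
    """Number of events that were collected more than once."""
    return len(collected) - len(set(collected))

if __name__ == "__main__":
    for order in ("DESC", "ASC"):
        events = collect(order)
        print(order, "collected", len(events), "duplicates", duplicates(events))
```
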
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x