How to obtain NetWitness Log Decoder diagnostic logs for syslog collection errors
Issue
The NetWitness Log Decoder might show errors such as the following in /var/log/messages:
Oct 6 06:16:44 Logdecoder11 NwLogDecoder[30719]: [Parse] [warning] Maximum meta callback depth reached.
Tasks
To investigate the incoming traffic that is causing these errors, use the attached script.
Resolution
Use the attached script to start a packet capture of the Log Decoder's incoming traffic automatically when the 'Maximum meta callback depth reached' pattern appears in /var/log/messages. Note: To watch for a different pattern, edit the PATTERN variable in the script, for example:
PATTERN="Unidentified syslog"
- Extract the file with a tool such as WinZip and copy autocap.sh to a directory on the Log Decoder where the root user has write permission, for example /root.
- Then, as the root user, run this command: nohup bash autocap.sh > autocap.txt &
- Keep monitoring the output written to autocap.txt.
- When the script has completed, you will see the message 'Capture complete!' followed by 'Send _autocap-YYYY-MM-DD_HH-MM-SS.tar.gz file to RSA'.
- Send that tar file and autocap.txt to RSA Support for review.
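The watch-then-capture flow described above, as an added illustration that is not the script attached to this article (its contents are not shown here). It assumes tcpdump and GNU coreutils (timeout, tail -F) are installed, that syslog arrives on port 514, and that a 60-second capture window after the trigger is enough; all of those are adjustable through the variables at the top.

```shell
#!/bin/sh
# autocap.sh (illustrative, not RSA's attached script): wait for a Log Decoder warning
# in /var/log/messages, capture the incoming syslog traffic for a bounded window, bundle it.
PATTERN="${PATTERN:-Maximum meta callback depth reached}"  # e.g. "Unidentified syslog"
LOGFILE="${LOGFILE:-/var/log/messages}"
IFACE="${IFACE:-any}"         # assumption: capture on every interface
DURATION="${DURATION:-60}"    # seconds of capture after the trigger
FILTER="${FILTER:-port 514}"  # assumption: syslog arrives on port 514

# Read log lines from stdin; print the first containing PATTERN (return 1 if none).
wait_for_pattern() {
    while IFS= read -r line; do
        case "$line" in
            *"$PATTERN"*) printf '%s\n' "$line"; return 0 ;;
        esac
    done
    return 1
}
# Bundle name support expects: _autocap-YYYY-MM-DD_HH-MM-SS.tar.gz
bundle_name() { printf '_autocap-%s.tar.gz' "$1"; }

# Capture DURATION seconds of traffic and tar it with the trigger line and log context.
capture_and_bundle() {
    stamp="$(date +%Y-%m-%d_%H-%M-%S)"
    workdir="autocap-$stamp"
    mkdir "$workdir"
    printf '%s\n' "$1" > "$workdir/trigger.txt"
    tail -n 200 "$LOGFILE" > "$workdir/messages-tail.txt"   # warning in context
    timeout "$DURATION" tcpdump -i "$IFACE" -s 0 -w "$workdir/incoming.pcap" $FILTER
    tar czf "$(bundle_name "$stamp")" "$workdir" && rm -rf "$workdir"
    echo "Capture complete!"
    echo "Send $(bundle_name "$stamp") file to RSA"
}

main() {
    fifo="$(mktemp -u)" && mkfifo "$fifo"
    tail -n 0 -F "$LOGFILE" > "$fifo" &   # new lines only; -F follows across rotation
    tailpid=$!
    echo "Waiting for '$PATTERN' in $LOGFILE ..."
    trigger="$(wait_for_pattern < "$fifo")"
    kill "$tailpid"; rm -f "$fifo"
    [ -n "$trigger" ] || exit 1
    echo "Trigger: $trigger"
    capture_and_bundle "$trigger"
}

# Run main only when invoked as autocap.sh, so the functions can be sourced for testing.
if [ "$(basename "$0")" = "autocap.sh" ]; then main; fi
```

Run it exactly as the steps above describe (nohup bash autocap.sh > autocap.txt &); the trigger line, the last 200 log lines and the pcap end up in the tar file together so the warning can be matched against the traffic that arrived with it.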
Product Details
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Platform: CentOS
O/S Version: 7
Summary
This document outlines the procedure for capturing the Log Decoder's incoming traffic that is causing the errors.