
How to troubleshoot event delivery and data flow in RSA Security Analytics Log Collector

Issue

This article provides some basic troubleshooting decision procedures for common failure scenarios that arise in the Log Collector.

The most common problems that arise in the Log Collector start with an inability to collect events or, more specifically, with events not being delivered to the Log Decoder.

Tasks

1. Are events getting delivered to the Log Decoder?
Typically you can establish whether the Log Decoder is receiving events by inspecting the packet capture statistics on the Log Decoder, or by inspecting the outbound write statistics on the Log Collector.

2. Are events accumulating in the Log Collector on the Log Decoder appliance?
A backlog of logs in the Log Collector may occur because the Log Decoder is down or unreachable.

3. Are messages (batches of events) accumulating in the Message Queues that buffer events between event collection and event processing?
If the Log Collector is not consuming messages from the Message Broker for processing, these events will accumulate on the various message queues (one for each collection protocol).

4. Is the Message Broker running and capable of buffering events?
If the Message Broker is not running or can no longer buffer events (e.g., because disk or memory limits have been reached), then the collection services will be unable to publish events to the Message Broker, and collection will appear to stop.

5. Are the collection protocols operating correctly and collecting events?
Each collection protocol runs within the Log Collector service. See the individual collection method chapters for further troubleshooting information.

6. If you have deployed a VLC, are events getting delivered from the VLC to the master LC instance?
VLC deployments use a component that runs within the Message Broker to move events from a VLC instance to an LC. This communication channel requires mutually authenticated SSL, which in turn requires an out-of-band key exchange. Typically, this key exchange is performed automatically via SA, but it is sometimes necessary to verify that keys have been properly exchanged and that communication between VLCs and LCs is established.
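The six checks above form a decision procedure, and the following added example (not from the RSA article or product) walks it over a snapshot of the relevant statistics. The field names and the snapshot values are hypothetical and constructed; in practice they would be filled from the Log Decoder and Log Collector statistics the checks refer to.

```python
"""Walk the Log Collector event-flow checks over a statistics snapshot.

Added illustration; field names are hypothetical, not product APIs.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowSnapshot:
    decoder_events_received: int        # Log Decoder capture stats (check 1)
    collector_outbound_writes: int      # Log Collector outbound writes (check 1)
    collector_backlog: int              # events held in the LC for the Decoder (check 2)
    queue_depths: Dict[str, int]        # messages per protocol queue (check 3)
    broker_running: bool                # Message Broker process state (check 4)
    broker_alarm: bool                  # disk/memory limit reached (check 4)
    protocol_events: Dict[str, int]     # events collected per protocol (check 5)
    vlc_link_established: bool = True   # VLC -> LC mutual-SSL channel (check 6)


def diagnose(s: FlowSnapshot) -> List[str]:
    """Return findings in the order of the troubleshooting checks."""
    findings: List[str] = []
    # Check 1: if the Decoder is receiving and the LC is writing, there is no fault.
    if s.decoder_events_received > 0 and s.collector_outbound_writes > 0:
        return ["events are reaching the Log Decoder; no delivery fault"]
    # Check 2: backlog in the LC points at the Decoder being down or unreachable.
    if s.collector_backlog > 0:
        findings.append("events accumulating in Log Collector: check Log Decoder is up and reachable")
    # Check 3: growing per-protocol queues mean the LC is not consuming from the broker.
    stuck = [q for q, n in s.queue_depths.items() if n > 0]
    if stuck:
        findings.append(f"messages accumulating in queues {stuck}: Log Collector not consuming from broker")
    # Check 4: broker down or at a resource limit blocks publishing entirely.
    if not s.broker_running:
        findings.append("Message Broker not running: collection services cannot publish")
    elif s.broker_alarm:
        findings.append("Message Broker disk/memory limit reached: publishing blocked")
    # Check 5: a protocol producing nothing needs its own chapter's troubleshooting.
    idle = [p for p, n in s.protocol_events.items() if n == 0]
    if idle:
        findings.append(f"collection protocols producing no events {idle}: see protocol chapter")
    # Check 6: VLC deployments also depend on the mutually authenticated SSL channel.
    if not s.vlc_link_established:
        findings.append("VLC -> LC channel not established: verify the SSL key exchange")
    return findings or ["no events delivered and no symptom found; re-check the statistics"]


if __name__ == "__main__":
    # Constructed snapshot: syslog queue backed up while the broker is at a resource limit.
    sample = FlowSnapshot(0, 0, 0, {"syslog": 5000, "file": 0}, True, True, {"syslog": 1200, "file": 0})
    for line in diagnose(sample):
        print(line)
```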

Resolution

Please refer to ASOCKB-12 for the architecture and detailed information on the following:

Troubleshooting Event Delivery:
If a Log Collector is configured to send data to a Log Decoder, and log data is processed by the collectors but no event data is showing up on the Log Decoder

Troubleshooting Publish to Message Queue:
All of the collection methods supported by the Log Collector publish events, in the form of AMQP messages, to the Message Queue. The following chart illustrates the troubleshooting procedure for diagnosing errors publishing messages to the Message Queue, such that the AMQP Queue associated with the collection type is empty, and no events are getting delivered to the Log Decoder.

Product Details

RSA Product Set: RSA Security Analytics 
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.4.x,10.5.x,10.6.x
Platform: CentOS
O/S Version: EL6
