How to verify there is traffic from the Log Collector to the Log Decoder in RSA Security Analytics / NetWitness Platform
Issue
Sometimes for troubleshooting purposes, it is useful to check if the (local) Log Collector is forwarding traffic to the Log Decoder. In this scenario, the Log Collector is in the same box as the Log Decoder.
Resolution
Since the TCP Collector module inside the Log Collector forwards unstructured events to the Log Decoder on port 514 over TCP on the loopback address, you can capture that traffic with tcpdump using the following command:
tcpdump -i lo port 514
If you prefer to save the output to a pcap for offline analysis, then:
tcpdump -i lo port 514 -w <filename>.pcap
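As an added example (not part of the original article), the following script wraps the tcpdump check above so it can be run unattended: it captures on lo for a bounded time and reports whether the Log Collector is actually sending event payloads to port 514, not just keeping a TCP session open. It assumes tcpdump and the coreutils timeout command are installed and that the live capture runs as root; the sample capture lines are constructed, not taken from a real appliance.

```shell
#!/bin/sh
# Added example, not from the original article: a bounded, scriptable version
# of "tcpdump -i lo port 514". Assumes tcpdump and coreutils timeout on PATH
# and root privileges for the live capture.

# Constructed sample of tcpdump -nn output (not a real capture) used for the
# offline demonstration below: a handshake, then one payload-bearing segment
# (Flags [P.]) from the Log Collector to the Log Decoder on 127.0.0.1:514.
SAMPLE_CAPTURE='12:00:00.000001 IP 127.0.0.1.40122 > 127.0.0.1.514: Flags [S], seq 1, win 43690, length 0
12:00:00.000010 IP 127.0.0.1.514 > 127.0.0.1.40122: Flags [S.], seq 2, ack 2, win 43690, length 0
12:00:00.000020 IP 127.0.0.1.40122 > 127.0.0.1.514: Flags [.], ack 1, win 342, length 0
12:00:00.001000 IP 127.0.0.1.40122 > 127.0.0.1.514: Flags [P.], seq 1:120, ack 1, win 342, length 119
12:00:00.001100 IP 127.0.0.1.514 > 127.0.0.1.40122: Flags [.], ack 120, win 342, length 0'

# Read tcpdump text output on stdin and print two counts:
#   segments addressed to 127.0.0.1:514, and how many of those carry payload.
# Only the Collector->Decoder direction is counted, so Decoder ACKs are ignored.
summarise_capture() {
    awk '/ > 127\.0\.0\.1\.514: / { to_dec++; if ($0 ~ /Flags \[P\.\]/) push++ }
         END { printf "%d %d\n", to_dec, push }'
}

# Turn the two counts into a verdict for the troubleshooter.
classify() {
    if [ "$1" -eq 0 ]; then
        echo NO_TRAFFIC       # nothing reached port 514 on lo during the window
    elif [ "$2" -eq 0 ]; then
        echo SESSION_ONLY     # TCP session is up (SYN/ACKs) but no events were sent
    else
        echo EVENTS_FLOWING   # payload-bearing segments seen: events are forwarded
    fi
}

# Live check: capture on lo for N seconds (default 10) and classify the result.
check_lc_to_ld() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "check_lc_to_ld: tcpdump needs root" >&2; return 2
    fi
    counts=$(timeout "${1:-10}" tcpdump -i lo -nn -l 'tcp port 514' 2>/dev/null)
    set -- $(printf '%s\n' "$counts" | summarise_capture)
    classify "$1" "$2"
}

# Offline demonstration on the constructed sample (prints EVENTS_FLOWING);
# run with --live to perform the real capture.
if [ "${1-}" = "--live" ]; then
    check_lc_to_ld "${2:-10}"
else
    set -- $(printf '%s\n' "$SAMPLE_CAPTURE" | summarise_capture)
    classify "$1" "$2"
fi
```

A SESSION_ONLY result is worth distinguishing from NO_TRAFFIC: the connection to the Log Decoder is up, so the problem is upstream of the TCP Collector rather than between the two services.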
Product Details
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector, Log Decoder
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7