Log Collector fails to collect any AWS CloudTrail logs in Netwitness Platform
Issue
After the AWS CloudTrail event source has been added as described in the configuration guide, the Log Collector does not collect any logs. The failure message below is logged in the /var/log/messages file. (The failure is only logged if the event source is enabled.)
Apr 10 06:19:24 AWSCOLLECTOR NwLogCollector[21043]: [CmdScriptCollection] [failure] [cmdscript:WrkUnit[1]:21057] [onLog:764] [cloudtrail.awscloudtrail] [processing] [WorkUnit] [processing] Error (1) from chcon -R -u system_u -r object_r -t sandbox_net_client_tmpfs_t -l s0 /var/netwitness/logcollector/scriptUpload/cloudtrail
Running the command manually returns an error on 'chcon' as shown below.
[root@AWSCOLLECTOR ~]# chcon -R -u system_u -r object_r -t sandbox_net_client_tmpfs_t -l s0 /var/netwitness/logcollector/scriptUpload/cloudtrail
chcon: can't apply partial context to unlabeled file `awscloudtrail'
chcon: can't apply partial context to unlabeled file `awscloudtrail'
Cause
The chcon error can occur when SELinux is disabled: files created while SELinux is disabled carry no label, so chcon cannot apply a partial context to them. Run getenforce to confirm the current SELinux mode.
Resolution
Change the SELinux mode to enforcing (the default setting) by modifying /etc/selinux/config.
FROM
SELINUX=disabled
TO
SELINUX=enforcing
Reboot the log collector for the changes to take effect and confirm the log collection from the AWS event source.
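The check-and-fix steps above as a small POSIX shell helper. This is an added example, not part of the NetWitness KB article: it reads the persistent mode from an /etc/selinux/config-style file passed as a parameter, compares it with the running mode reported by getenforce (assumed to be installed), and rewrites SELINUX=disabled to SELINUX=enforcing in place, keeping a backup. The demo runs against a constructed copy of the config file, not the live one.

```shell
#!/bin/sh
# Added example (not from the NetWitness KB). File paths are parameters so the
# logic can be exercised on a copy of /etc/selinux/config before touching it.

# Print the effective SELINUX= value from a config file (comment lines and
# SELINUXTYPE= are ignored; the last definition wins).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed (exit 0) when the persistent mode is the one that breaks chcon.
selinux_needs_fix() {
    [ "$(selinux_config_mode "$1")" = "disabled" ]
}

# Rewrite SELINUX=disabled to SELINUX=enforcing in place, keeping a .bak copy.
# A reboot is still required for the change to take effect.
selinux_set_enforcing() {
    cp "$1" "$1.bak"
    sed -i 's/^[[:space:]]*SELINUX=[[:space:]]*disabled.*/SELINUX=enforcing/' "$1"
}

# Report running mode (getenforce) versus configured mode; non-zero if a fix is needed.
selinux_report() {
    running=$(getenforce 2>/dev/null || echo unknown)
    echo "running=$running configured=$(selinux_config_mode "$1")"
    if selinux_needs_fix "$1"; then
        echo "SELINUX=disabled in $1: chcon on the scriptUpload directory will fail; set enforcing and reboot"
        return 1
    fi
    return 0
}

# Demonstration on a constructed config file (hypothetical contents).
demo() {
    tmp=$(mktemp)
    printf '# SELinux configuration\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp"
    selinux_report "$tmp" || selinux_set_enforcing "$tmp"
    selinux_config_mode "$tmp"   # enforcing
    rm -f "$tmp" "$tmp.bak"
}

demo
```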
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Log Collector
NetWitness Version/Condition: 11.x, 12.x or later
Platform: CentOS/Alma Linux