Logcollector fails to write events to the Logdecoder
Issue
The Logcollector is collecting logs, but they don't appear in Investigation because the logcollector service fails to transfer events to the logdecoder service. In the Logcollector Explore view, under event-processors -> logdecoder -> stats -> destinations -> logdecoder, queue_percent_full is 100 and tcp_connector_bytes_written is 0.
Cause
This happens if the tcpconnector Logcollector configuration parameters are incorrect.
Resolution
1) Open the Logcollector Explore view.
2) Navigate to event-processor -> logdecoder -> destinations -> logdecoder -> consumer -> processors -> tcpconnector -> config -> connector -> channel -> tcp and make sure the configuration is correct as in the following screenshot.
Product Details
RSA Product Set: NetWitness
RSA Product/Service Type: Log Collector
RSA Version/Condition: 11.x, 12.x
Platform: CentOS, AlmaLinux
Summary
Events from the Logcollector cannot be seen in Investigation although collection works fine. The Logcollector service cannot write events to the Logdecoder service.