RSA NetWitness CloudTrail plugin stopped collecting logs from AWS CloudTrail S3 Bucket
Issue
The VLC can connect to the S3 bucket in AWS using the specified credentials, but it stopped collecting logs from the AWS CloudTrail S3 bucket. The following entries appear in /var/log/messages:
Jul 13 05:19:37 VLC NwLogCollector[17255]: [CmdScriptCollection] [info] [cmdscript:WrkUnit[7]timerService:116829] [stopChildProcess:642] [cloudtrail.rsalogcollector] [processing] [WorkUnit] [processing] Child process terminated, stopReason=WorkUnitAborted terminateReason=ShutDownTimerExpired
Jul 13 05:19:37 VLC NwLogCollector[17255]: [Engine] [info] Child process 116827 sent signal code: signaled, child signal: 9
Jul 13 05:19:39 VLC NwLogCollector[17255]: [Engine] [info] Child process 116828 sent signal code: exited, child exit code: 2
Cause
The customer's network settings prevent the CloudTrail plugin from collecting logs from S3 buckets while SigV4 is enabled ( os.environ['S3_USE_SIGV4'] = 'True' ) in the "cloudtrail_collector.py" file.
Resolution
Disable the entry below by commenting it out in the "cloudtrail_collector.py" file, then restart the plugin collection service.
vi /etc/netwitness/ng/logcollection/content/collection/cmdscript/cloudtrail/cloudtrail_collector.py
~~
# os.environ['S3_USE_SIGV4'] = 'True'
~~
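The same edit as a repeatable script, for applying the change on more than one collector. This is an added example, not RSA's code. The function names and the ".bak-sigv4" backup suffix are assumptions. It keeps a copy of the original file so the setting can be restored, and it leaves the service restart to the operator.

```shell
# Added example (not vendor code): comment out the S3_USE_SIGV4 assignment
# in cloudtrail_collector.py, idempotently and with a backup for rollback.
# Function names and the .bak-sigv4 suffix are illustrative assumptions.

# Matches the assignment target with either quote style.
SIGV4_RE="os\.environ\[['\"]S3_USE_SIGV4['\"]\]"

# Succeeds only if an uncommented S3_USE_SIGV4 assignment is present.
sigv4_is_active() {
    grep -Eq "^[[:space:]]*$SIGV4_RE" "$1"
}

disable_sigv4() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
    if ! sigv4_is_active "$file"; then
        echo "no active S3_USE_SIGV4 entry in $file, nothing to do"
        return 0
    fi
    # Keep the original, with mode and timestamps, for rollback.
    cp -p "$file" "$file.bak-sigv4" || return 1
    # Rewrite in place from the backup so ownership and mode of the target
    # are unchanged; indentation is preserved so the Python stays valid.
    sed -E "s/^([[:space:]]*)($SIGV4_RE.*)/\1# \2/" "$file.bak-sigv4" > "$file" || return 1
    echo "commented out S3_USE_SIGV4 in $file (backup: $file.bak-sigv4)"
}

# Run as: sh disable_sigv4.sh <path to cloudtrail_collector.py>
# Restart the plugin collection service afterwards, as the article states.
if [ -n "${1:-}" ]; then
    disable_sigv4 "$1"
fi
```

To roll back, copy the ".bak-sigv4" file over the edited one and restart the plugin collection service again.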
Product Details
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.x