
RSA Security Analytics Concentrator aggregation is stopped due to missing roles in the Administrators group

Issue

RSA Security Analytics Concentrator aggregation is stopped due to missing roles in the Administrators group.

The /var/log/messages file on the concentrator reports an error similar to the following:

[Aggregation] [failure] Failed to initialize device '192.168.1.5:50005' because User 'admin' does not have the required permission to send message 'getrecov'. This message requires one of the following role(s): concentrator.manage.. Device aggregation is being stopped.
[Aggregation] [failure] Failed to initialize device '192.168.1.5:50005' because user admin does not have the required permission to send message "getrecov". This message requires on of the following roles(s): decoder.manage.. Device aggregation is being stopped.


Navigating to Administration -> Devices in the Security Analytics UI, selecting the concentrator, and clicking on View -> Config displays a failed status on at least one device under the Aggregate Devices section.

Cause

This issue occurs because the Administrators group at the decoder and/or concentrator service level is missing one or more of the roles required to perform basic tasks.

Refer to the table below, which displays the required roles for the Administrators group for the decoder and concentrator services.

| Service | Required Roles |
|---|---|
| Decoder | connections.manage,database.manage,decoder.manage,everyone,index.manage,logs.manage,owner,parsers.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage |
| Concentrator | concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,owner,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage |



Resolution

To resolve the issue, examine the affected devices to confirm whether any of the required roles are missing, and add those that are.  Follow one of the methods below.

Method 1:  Using the REST API

  1. In a web browser, navigate to the User Groups page of the REST interface on the appliance.
         Decoder:  Navigate to http:// :50104/users/groups  
         Concentrator:  Navigate to http:// :50105/users/groups
  2. In the text box next to the Administrators group, enter the appropriate roles found in the table above and click the Set button.

Method 2:  Using the NwConsole Utility

  1. Connect to the appliance via SSH as the root user.
  2. Open the NwConsole utility with the following command:  NwConsole
  3. Log in to the appropriate service level using one of the commands below, entering the password when prompted.
         Decoder:  login localhost:50004 admin
         Concentrator:  login localhost:50005 admin
  4. Display the current roles for the Administrators group with the following command:  /users/groups/Administrators get
  5. Issue the appropriate command below as necessary to add all of the required roles to the group.
         Decoder:  /users/groups/Administrators set value=connections.manage,database.manage,decoder.manage,everyone,index.manage,logs.manage,owner,parsers.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage
         Concentrator:  /users/groups/Administrators set value=concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,owner,rules.manage,sdk.content,sdk.manage,sdk.meta,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage

After configuring the Administrators group with the new roles, it will be necessary to restart the nwdecoder and/or nwconcentrator services for the appliances in order for the changes to take effect.  It may also be necessary to stop and start aggregation on the concentrator to allow the decoder to report a Consuming status.
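The check described in the Resolution steps can be scripted. The following is an added example, not RSA's code: it parses the aggregation failure lines from /var/log/messages, compares a pasted role list from step 4 of Method 2 against the table above, and builds the `set` command from step 5. The function names are hypothetical, and it assumes the `get` output is a comma-separated role list.

```python
import re

# Required Administrators roles per service, copied from the table in this article.
REQUIRED = {
    "decoder": ("connections.manage,database.manage,decoder.manage,everyone,index.manage,"
                "logs.manage,owner,parsers.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,"
                "services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage").split(","),
    "concentrator": ("concentrator.manage,connections.manage,database.manage,everyone,index.manage,"
                     "logs.manage,owner,rules.manage,sdk.content,sdk.manage,sdk.meta,"
                     "services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage").split(","),
}

# Matches both spellings of the aggregation failure quoted in the Issue section.
FAILURE = re.compile(
    r"Failed to initialize device '(?P<device>[^']+)' because user '?(?P<user>\w+)'? "
    r"does not have the required permission to send message ['\"](?P<message>\w+)['\"]\. "
    r".*?roles?\(s\): (?P<roles>[\w.,]+?)\.\.", re.IGNORECASE)

def parse_failures(lines):
    """Return one dict per aggregation failure caused by a missing role."""
    hits = []
    for m in filter(None, map(FAILURE.search, lines)):
        hit = dict(m.groupdict(), roles=m["roles"].split(","))
        # Assumption: the group to check belongs to the service whose required
        # list (per the table) contains the role named in the log message.
        hit["services"] = [s for s, req in REQUIRED.items() if set(hit["roles"]) & set(req)]
        hits.append(hit)
    return hits

def missing_roles(service, current_csv):
    """Required roles absent from the pasted '/users/groups/Administrators get' value."""
    current = {r.strip() for r in current_csv.split(",") if r.strip()}
    return [r for r in REQUIRED[service] if r not in current]

def set_command(service, current_csv):
    """NwConsole command from Method 2, keeping any roles already present."""
    current = [r.strip() for r in current_csv.split(",") if r.strip()]
    return ("/users/groups/Administrators set value="
            + ",".join(current + missing_roles(service, current_csv)))

# Sample input: the first log line from the Issue section, and a constructed
# concentrator role list with two required roles removed.
SAMPLE_LOG = ("[Aggregation] [failure] Failed to initialize device '192.168.1.5:50005' "
              "because User 'admin' does not have the required permission to send message "
              "'getrecov'. This message requires one of the following role(s): "
              "concentrator.manage.. Device aggregation is being stopped.")
SAMPLE_CURRENT = ",".join(r for r in REQUIRED["concentrator"]
                          if r not in ("concentrator.manage", "sys.manage"))
```

Running `missing_roles` before and after the change confirms that the group now carries every role in the table.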

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.


Internal Comments

UserName:shurtj
9/24/2014 4:01:19 PM - Created Article
Created article to address the issue in case 00582592.

Product Details

RSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: Decoder, Concentrator, Hybrid
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue