Skip to content
  • There are no suggestions because the search field is empty.

RSA Security Analytics - Microsoft SQL Server: Could not create a trace file

Issue

ODBC Log Collection to a Microsoft SQL Database fails due to a trace file becoming impossible to create. The Trace File directory on the SQL Server will not send log also after the reset of the db.nic_aud_init_trace (KB 000030430).

In the /var/log/messages file on the Log Collector, messages similar to the following will be seen:

[mssql.xxxxxx] [processing] Error finding any new events. Reason: Unable to execute statement: Statement: "exec nic_aud_swap_trace 30, 'L:\SIEMLogging\SIEMTrace', 1, 'WHERE StartTime > 2014-12-30 09:47:59.727'"; Reason: state: S1000; error-code: 139809775438454; description: [RSA][ODBC SQL Server Wire Protocol driver][Microsoft SQL Server] Could not create a trace file.state: 01000; error-code: 139809775438489; description: [RSA][ODBC SQL Server Wire Protocol driver][Microsoft SQL Server] Windows error occurred while running SP_TRACE_CREATE. Error = 0x80070070(failed to retrieve text for this error. Reason: 15105).state: 01000; error-code: 139809775469392; description: [RSA][ODBC SQL Server Wire Protocol driver][Microsoft SQL Server]ERROR: Error occured trying to start tracing for file - 81, L:\SIEMLogging\SIEMTrace-11

The important parts are : 

Could not create a trace file.state 
Windows error occurred while running SP_TRACE_CREATE Error

Cause

Somehow the collection has been stopped and for some reason was not restarted but the logs were still created until all the space was filled.

At the same time you should find this error:

Unable to execute statement: Statement: "exec nic_aud_swap_trace 30"
 


Resolution

Check if there is free space in the folder where ​the trace file are stored.

Note: In windows the partitions could have a "space quota limit":
  1. Try to move to another partition others file in order to gain enough space to allow the restart of the collection
  2. Use these step KB000030430 to restart the collection

N.B.
If in this partition there are only the trace files generated by mssql (the logs)

  • you must move one file to another partition (usually they are 100MB each max) -> follow the above step 2.
  • Copy back the trace file in the original folder
  • Only if is not consumed do the above step 2. again. Could be useful to also restart the odbc collection as below:
From UI ->Services ->Select VLC/LogDecoder -> System ->Collection -> ODBC ->stop and then  start

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma

Approval Reviewer Queue

Technical approval queue