Troubleshoot Windows Legacy and NetApp Collection

Troubleshoot Windows Legacy and NetApp CollectionTroubleshoot Windows Legacy and NetApp Collection

This topic highlights possible problems that you may encounter with Windows Legacy Collection (LWC) and suggested solutions to these problems.

Note: In general, you receive more robust log messages by disabling SSL.

Problem:
You restart the Legacy Windows collection protocol, but NetWitness is not receiving events.
Possible Causes:
The logcollector service is stopped.
Solutions:
Restart the logcollector service.
1. Log on to the Windows Legacy Remote Collector.
2. Go to Start > Administrative Tools > Task Scheduler and click on Task Scheduler Library.
3. In the right panel, look for the restartnwlogcollector task and make sure that it is running.
4. If this is not the case, right-click restartnwlogcollector
  and select Run.

If you see any of the following messages in the MessageBroker.log, you may have issues.

Log Messages:
RabbitMQ service may not be running.

Port 5671 may not be opened.

Log Messages:
Make sure that the RabbitMQ service is running.

Make sure that port 5671 is open.

Log Messages:
Error: Adding logcollector user account.

Error: Adding administrator tag to logcollector account.
Error: Adding logcollection vhost.
Error: Setting permissions to logcollector account in all vhosts.

Log Messages:
rabbitmq-server was not running when installer tried to create users and vhosts.

Log Messages:
Make sure that the RabbitMQ service is running and run below commands manually.

rabbitmqctl -q add_user logcollector netwitness
rabbitmqctl -q set_user_tags logcollector administrator
rabbitmqctl -q add_vhost logcollection
rabbitmqctl -q set_permissions -p / logcollector ".*" ".*" ".*"
rabbitmqctl -q set_permissions -p logcollection logcollector ".*" ".*" ".*"

If you see any of the following messages in the federation script log, you may have issues.

Problem:
Federation script started, but the LWC service went down.
Possible Symptoms: NetWitness log shows connection failure exceptions with Windows Legacy Collector.
Solutions:
This issue is fixed automatically after restarting the Windows Legacy service.

Problem:
LWC is running, but RabbitMQ service is down or restarting.
Possible Symptoms:
Federation log file at Windows Legacy side displays an error message about RabbitMQ service being down.

The log file to look at is:
C:\NetWitness\ng\logcollector

The following error message is logged in case RabbitMQ is not running:

"Unable to connect to node logcollector@localhost: nodedown"

The following diagnostics messages are displayed:
attempted to contact: [logcollector@localhost]
logcollector@localhost:
* connected to epmd (port 4369) on localhost
* epmd reports: node 'logcollector' not running at all other nodes on localhost: ['rabbitmqctl-4084']
* suggestion: start the node
Solutions:
Run the federation.bat script manually at LWC.
To run the federate.bat script manually, perform the following steps:
1. Go to folder C:\Program Files\NwLogCollector where the Windows Legacy instance is installed.
2. Locate the file federate.bat in this folder. Select the file and right click.
3. Select Run as Administrator.
4. To monitor the log file, navigate to
  C:\NetWitness\ng\logcollector\federate.log while the federate.bat script is being executed.
Note: Make sure the log file does not show any errors while the script is being executed.

Problem:
Customer receives a Health and Wellness notification, or the following Health and Wellness Alarm is displayed:
"Communication failure between Master NetWitness Host and a Remote Host" with LWC Host as the Remote IP.
Possible Symptoms:
Federate.bat script failed to run successfully.
Solutions:
If the Federate.bat script did not run correctly, run it manually as described previously.