Windows Collection is delayed by several hours when the Resolve SIDs option is enabled in RSA NetWitness Log Collector
Issue
When the Resolve SIDs option is enabled, Windows Collection for the affected event source is delayed until SID enumeration for that source completes.
Until the enumeration completes, the Log Collector logs messages like the following for the event source, one line per batch of SIDs fetched:
Nov 30 07:30:35 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security2.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security1.10_10_20_2] Got 500 SIDs
...
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security2.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security1.10_10_20_2] Got 500 SIDs
...
Depending on the size of the domain, this enumeration can take several hours, so critical events from that source arrive correspondingly late.
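To see how long each event source has been enumerating and how many SIDs it has fetched so far, the "Got N SIDs" progress lines above can be summarized per source. The script below is an added example and is not part of the original article or of the NetWitness product; the sample log text is constructed from the message format shown above (host name, PID and event-source names are hypothetical), and the summary function is my own.

```python
import re
from datetime import datetime

# Constructed sample of NwLogCollector syslog output in the format shown in the article.
# Host, PID and event-source names are hypothetical; the last line is unrelated noise.
SAMPLE_LOG = """\
Nov 30 07:30:35 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security2.10_10_20_2] Got 500 SIDs
Nov 30 07:47:21 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security1.10_10_20_2] Got 500 SIDs
Nov 30 08:02:10 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 500 SIDs
Nov 30 08:02:11 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security3.10_10_20_2] Got 137 SIDs
Nov 30 08:05:00 LOGCOLLECTOR NwLogCollector[80560]: [WindowsCollection] [info] [Domain_Controllers_Security2.10_10_20_2] Got 500 SIDs
Nov 30 08:05:00 LOGCOLLECTOR sshd[1234]: Accepted publickey for admin from 10.10.20.5 port 50022
"""

# Matches only the SID-enumeration progress lines; every other line is ignored.
SID_BATCH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ NwLogCollector\[\d+\]: "
    r"\[WindowsCollection\] \[info\] \[(?P<source>[^\]]+)\] Got (?P<count>\d+) SIDs$"
)


def parse_syslog_ts(ts):
    # Classic syslog stamps carry no year. That is fine for elapsed time within one
    # collection run but wrong across a year boundary; that case is not handled here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def summarize_sid_enumeration(log_text):
    """Per event source: number of batches, SIDs fetched so far, and seconds between
    the first and the most recent batch (how long enumeration has been running)."""
    stats = {}
    for line in log_text.splitlines():
        m = SID_BATCH_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_ts(m["ts"])
        s = stats.setdefault(m["source"], {"batches": 0, "sids": 0, "first": ts, "last": ts})
        s["batches"] += 1
        s["sids"] += int(m["count"])
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        s["elapsed_s"] = int((s["last"] - s["first"]).total_seconds())
    return stats


if __name__ == "__main__":
    # Longest-running sources first: these are the ones whose events are most delayed.
    ranked = sorted(summarize_sid_enumeration(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["elapsed_s"])
    for source, s in ranked:
        print(f"{source}: {s['batches']} batches, {s['sids']} SIDs, enumerating for {s['elapsed_s']} s")
```

On a live Log Collector, feed the relevant part of the collector's syslog output (for example the output of journalctl or the log file the appliance writes) to summarize_sid_enumeration instead of the constructed sample. A source that keeps accumulating batches for tens of minutes is one whose events are not being collected in the meantime.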
Resolution
To eliminate the delay caused by SID enumeration, disable the Resolve SIDs option for the event source. SID enumeration can be turned off because, for most security events, Windows has already translated the SIDs into account and domain names in the event message itself.
To confirm that the SIDs are indeed translated, check the raw logs and the meta for sessions collected after disabling Resolve SIDs, and verify that the host name and domain name are present rather than only a raw SID value.
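The check in the previous paragraph can be scripted: for every Security ID in a collected event, look at the Account Name / Account Domain fields that follow it and flag the SIDs for which Windows did not supply a name. The script below is an added example and not part of the original article or of NetWitness; the three events are constructed in the layout of Windows Security event message text (the SIDs, account names and domain CORP are hypothetical), and the rules for what counts as "resolved" are my own.

```python
import re

# A SID literal, e.g. S-1-5-18 or S-1-5-21-<domain>-<rid>.
SID_RE = re.compile(r"S-1-\d+(?:-\d+){1,14}")

# Field lines as they appear in Windows Security event message text:
# "<tab>Security ID:<tab><tab>S-1-5-21-..." ; Group sections use Group Name / Group Domain.
FIELD_RE = re.compile(r"^\s*(Security ID|Account Name|Account Domain|Group Name|Group Domain):\s*(.*?)\s*$", re.M)

# The NULL SID legitimately comes with "-" for name and domain (e.g. the Subject of a
# network logon in 4624 before authentication), so it must not be reported as unresolved.
NULL_SID = "S-1-0-0"


def find_unresolved_sids(event_text):
    """Return the SIDs in one event whose following name/domain fields are not populated.

    A SID counts as resolved when the next *Name field holds a real name (not empty,
    not "-", not itself a SID) and any *Domain field present is not "-"."""
    records = []
    current = None
    for key, value in FIELD_RE.findall(event_text):
        if key == "Security ID":
            current = {"sid": value, "name": None, "domain": None}
            records.append(current)
        elif current is not None and key.endswith("Name"):
            current["name"] = value
        elif current is not None and key.endswith("Domain"):
            current["domain"] = value

    unresolved = []
    for r in records:
        sid = r["sid"]
        if not SID_RE.fullmatch(sid) or sid == NULL_SID:
            continue
        name_ok = r["name"] not in (None, "", "-") and not SID_RE.fullmatch(r["name"])
        domain_ok = r["domain"] != "-"  # absent domain field is acceptable, "-" is not
        if not (name_ok and domain_ok):
            unresolved.append(sid)
    return unresolved


def scan_events(events):
    """Map event index -> unresolved SIDs, for events that have any."""
    result = {}
    for i, text in enumerate(events):
        bad = find_unresolved_sids(text)
        if bad:
            result[i] = bad
    return result


# Constructed events (hypothetical SIDs/names). Event 1: a 4624-style logon, fully resolved.
EVENT_LOGON_OK = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-
\tAccount Domain:\t\t-

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
"""

# Event 2: a 4728-style group change whose Member could not be named (e.g. a foreign principal).
EVENT_FOREIGN_MEMBER = """A member was added to a security-enabled global group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-500
\tAccount Name:\t\tAdministrator
\tAccount Domain:\t\tCORP

Member:
\tSecurity ID:\t\tS-1-5-21-4444444444-5555555555-6666666666-1201
\tAccount Name:\t\t-

Group:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-512
\tGroup Name:\t\tDomain Admins
\tGroup Domain:\t\tCORP
"""

# Event 3: what an untranslated field looks like: the SID repeated where the name should be.
EVENT_UNTRANSLATED = """Special privileges assigned to new logon.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1106
\tAccount Name:\t\tS-1-5-21-1111111111-2222222222-3333333333-1106
\tAccount Domain:\t\t-
"""

if __name__ == "__main__":
    for idx, sids in scan_events([EVENT_LOGON_OK, EVENT_FOREIGN_MEMBER, EVENT_UNTRANSLATED]).items():
        print(f"event {idx}: unresolved SIDs {sids}")
```

Run it over a sample of raw Windows events pulled from NetWitness after Resolve SIDs has been disabled. A handful of hits for members of other forests or deleted accounts is normal Windows behaviour; a hit on nearly every event means the SIDs are not being translated in the message and the setting should be reconsidered for that source.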
Internal Comments
The information on SID translation was provided by Con O'Donnell.
Product Details
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: 6, 7