
Windows legacy log collection warning message System may have rolled over in RSA Netwitness

Issue

  1. The following warning messages are observed on RSA Security Analytics (SA) Log Collector /var/log/messages:
    Dec 11 09:33:29 SALOGCOLLECTOR nw[18752]: [WindowsCollection] [warning] [COLLECTORNAME.192_168_1_1] [processing] [WorkUnit] [processing] Log for channel System may have rolled over. Previous/Current record number: 536243/536247.
     
  2. Getting RSA LegacyCollector warnings:
    "read event log failed" with "err=87:msg=The parameter is incorrect"
     
  3. Followed by
    "next event record (nnn) was older than the oldest record"
     

Cause

This indicates an attempt to retrieve a Windows event log record that is no longer present on the Windows server itself. It is most often seen when Windows event log records have been overwritten or deleted on the Windows server before the SA Log Collector was able to retrieve them, so the record number the collector asks for next is already older than the oldest record the log still holds.


Resolution

Below are some suggested solutions for this scenario:
  1. Typically, the Windows Server Event Viewer log Properties are set to "Overwrite events as needed (oldest events first)" with a "Maximum log size (KB)". Confirm that "Overwrite events as needed (oldest events first)" is being used, and increase the "Maximum log size (KB)" so that the Windows event log retains records for longer.
     
  2. Option #1 will not, however, solve the issue if the SA Log Collector can't collect the logs fast enough, or isn't configured to. If option #1 does not rectify the situation, increase the collection rate for the problem Windows server in the SA GUI: Administration -> Services -> {Log Collector} -> Config
    Event Sources tab
    Select Windows and Config in the dropdown boxes.
    Edit the problem Event Category, and open the Advanced
    Look to increase the value for parameters: Max Duration Poll, and Max Events Per Cycle
    Look to decrease the value for parameter: Polling Interval

    Where setting:

    Max Events Per Cycle = 0, Log Collector will collect as many events as it can in the Max Duration Poll time.
    Polling Interval = -1, Log Collector will disable any pause between collection cycles.

     
  3. Additionally, check each of the hosts and make sure Debug is set to Off. This issue can be introduced by Debug being set to On or Verbose, which slows down the collector's ability to retrieve Windows event logs.
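
The following PowerShell check is an added example, not part of the original article, for verifying option #1 on the Windows host: it reads the log's overwrite mode, maximum size and oldest surviving record number, compares that number against the record number quoted in the collector warning (the 536243 value is taken from the example message above; substitute your own), and, only when $Apply is set, raises the maximum size with wevtutil. The $LogName, $WarnedRecord and $Apply variables are assumptions for this example.

```powershell
# Run on the Windows server that the Log Collector polls, as a local administrator.
# Read-only unless $Apply is set to $true.
$LogName      = 'System'
$WarnedRecord = 536243      # record number from the "may have rolled over" warning
$Apply        = $false

$log = Get-WinEvent -ListLog $LogName

# LogMode 'Circular' is what Event Viewer shows as
# "Overwrite events as needed (oldest events first)".
$report = [pscustomobject]@{
    LogName             = $log.LogName
    LogMode             = $log.LogMode
    MaximumSizeMB       = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    RecordCount         = $log.RecordCount
    OldestRecordNumber  = $log.OldestRecordNumber
    WarnedRecord        = $WarnedRecord
    # If the oldest record still in the log is newer than the one the collector
    # asked for, the log rolled over underneath the collector.
    RolledPastCollector = ($log.OldestRecordNumber -gt $WarnedRecord)
}
$report | Format-List

if ($report.RolledPastCollector) {
    # Doubling is only a starting point: size the log so the retained window is
    # longer than the collector's worst-case gap between polls on this host.
    $newSizeBytes = $log.MaximumSizeInBytes * 2
    Write-Host ("{0} rolled past record {1}; suggested maximum size: {2} MB" -f `
        $LogName, $WarnedRecord, [math]::Round($newSizeBytes / 1MB))

    if ($Apply) {
        # /ms: maximum size in bytes; /rt:false = overwrite events as needed.
        wevtutil sl $LogName /ms:$newSizeBytes /rt:false
        Get-WinEvent -ListLog $LogName |
            Select-Object LogName, LogMode, MaximumSizeInBytes | Format-List
    }
}
```

Re-run the check after the collector has caught up: OldestRecordNumber should stay below the record numbers appearing in any new collector warnings.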

Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Windows Legacy Collector
RSA Version/Condition: 10.6.x
Platform: CentOS 6
Platform (Other): Microsoft Windows

Summary

The following article describes what causes the warning message "System may have rolled over" when employing SA legacy log collection.

