RSA Security Operations Management not aggregating Events properly when using Syslog
Originally Published: 2016-09-07
Article Number
Applies To
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.3
Platform: Windows
Issue
2. Change the Incident Status field value from "New" to any other value (Assigned for example).
3. Save the Incident Record.
4. Notice when additional Security Events and/or Alerts come through, a new Security Incident is not created.
5. Notice that the Security Event is created but is not associated to any Security Alert or Security Incident.
Here is an example of the error reported in the Collector.log file:
14 Mar 2016 15:46:28,909 | ERROR - AbstractStep.execute(225) | Encountered an error executing step sendSylogIncidentToArcher in job pushSyslogEvents
com.rsa.connector.framework.components.datastore.archer.exception.ArcherComunicationException: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> The content XXXXXX in field Security Alerts violates the maximum value of 1 established in the related field. The content XXXXXXX in field Security Alerts violates the maximum value of 1 established in the related field.
    at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.executeMessage(SyslogIncidentAddedTasklet.java:229)
    at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.parseMessage(SyslogIncidentAddedTasklet.java:157)
    at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.execute(SyslogIncidentAddedTasklet.java:121)
    at org.springframework.batch.core.step.tasklet.TaskletStep$ChunkTransactionCallback.doInTransaction(TaskletStep.java:406)
    at org.springframework.batch.core.step.tasklet.TaskletStep$ChunkTransactionCallback.doInTransaction(TaskletStep.java:330)
    at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133)
    at org.springframework.batch.core.step.tasklet.TaskletStep$2.doInChunkContext(TaskletStep.java:271)
    at org.springframework.batch.core.scope.context.StepContextRepeatCallback.doInIteration(StepContextRepeatCallback.java:77)
    at org.springframework.batch.repeat.support.RepeatTemplate.getNextResult(RepeatTemplate.java:368)
    at org.springframework.batch.repeat.support.RepeatTemplate.executeInternal(RepeatTemplate.java:215)
    at org.springframework.batch.repeat.support.RepeatTemplate.iterate(RepeatTemplate.java:144)
    at org.springframework.batch.core.step.tasklet.TaskletStep.doExecute(TaskletStep.java:257)
    at org.springframework.batch.core.step.AbstractStep.execute(AbstractStep.java:198)
    at org.springframework.batch.core.job.SimpleStepHandler.handleStep(SimpleStepHandler.java:148)
    at org.springframework.batch.core.job.flow.JobFlowExecutor.executeStep(JobFlowExecutor.java:64)
    at org.springframework.batch.core.job.flow.support.state.StepState.handle(StepState.java:67)
    at org.springframework.batch.core.job.flow.support.SimpleFlow.resume(SimpleFlow.java:165)
    at org.springframework.batch.core.job.flow.support.SimpleFlow.start(SimpleFlow.java:144)
    at org.springframework.batch.core.job.flow.FlowJob.doExecute(FlowJob.java:134)
    at org.springframework.batch.core.job.AbstractJob.execute(AbstractJob.java:304)
    at com.rsa.srm.collector.batch.PasswordAwareSimpleJobLauncher$1.run(PasswordAwareSimpleJobLauncher.java:99)
    at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:50)
    at com.rsa.srm.collector.batch.PasswordAwareSimpleJobLauncher.run(PasswordAwareSimpleJobLauncher.java:93)
    at com.rsa.srm.collector.syslog.listener.SyslogMessageHandler$QueueWorker.executeWorkflow(SyslogMessageHandler.java:170)
    at com.rsa.srm.collector.syslog.listener.SyslogMessageHandler$QueueWorker.run(SyslogMessageHandler.java:157)
Caused by: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> The content 318493 in field Security Alerts violates the maximum value of 1 established in the related field. The content XXXXXXX in field Security Alerts violates the maximum value of 1 established in the related field.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:158)
    at com.sun.proxy.$Proxy76.createRecord(Unknown Source)
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper$CreateRecordCallback.call(ArcherWSHelper.java:721)
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.callArcher(ArcherWSHelper.java:399)
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.createRecord(ArcherWSHelper.java:324)
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.writeRecord(ArcherWSHelper.java:290)
    at com.rsa.connector.framework.components.datastore.archer.ArcherWSHelper.createRecord(ArcherWSHelper.java:213)
    at com.rsa.connector.framework.components.datastore.archer.ArcherDataStore.putData(ArcherDataStore.java:594)
    at com.rsa.connector.framework.components.datastore.archer.ArcherDataStore.handleData(ArcherDataStore.java:443)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.aop.framework.adapter.AfterReturningAdviceInterceptor.invoke(AfterReturningAdviceInterceptor.java:52)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
    at com.sun.proxy.$Proxy28.handleData(Unknown Source)
    at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.executeMessage(SyslogIncidentAddedTasklet.j
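A Collector.log triage check for the error shown above, as an added example that is not part of the original article or RSA's own tooling. It assumes the entry header format seen in the excerpt; the sample log, the record id 1001, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Entry header format taken from the Collector.log excerpt on this page.
ENTRY = re.compile(r"^(?P<ts>\d{1,2} \w{3} \d{4} [\d:]{8},\d{3}) \| "
                   r"(?P<level>[A-Z]+) - \S+ \| ")
STEP = re.compile(r"executing step (?P<step>\S+) in job (?P<job>\S+)")
VIOLATION = re.compile(r"The content (\S+) in field (.+?) violates the "
                       r"maximum value of (\d+) established in the related field")

# Constructed sample: record id 1001 and the INFO/timeout lines are made up.
SAMPLE_LOG = """\
14 Mar 2016 15:46:27,101 | INFO - SyslogMessageHandler.run(157) | Received syslog message
14 Mar 2016 15:46:28,909 | ERROR - AbstractStep.execute(225) | Encountered an error executing step sendSylogIncidentToArcher in job pushSyslogEvents
com.rsa.connector.framework.components.datastore.archer.exception.ArcherComunicationException: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> The content 1001 in field Security Alerts violates the maximum value of 1 established in the related field.
    at com.rsa.srm.collector.messaging.batch.SyslogIncidentAddedTasklet.executeMessage(SyslogIncidentAddedTasklet.java:229)
Caused by: javax.xml.ws.soap.SOAPFaultException: Server was unable to process request. ---> The content 1001 in field Security Alerts violates the maximum value of 1 established in the related field.
14 Mar 2016 15:47:02,004 | ERROR - AbstractStep.execute(225) | Connection timed out
"""

def split_entries(text):
    """Attach continuation lines (frames, 'Caused by:') to their header line."""
    entries = []
    for line in text.splitlines():
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries

def find_link_failures(text):
    """Return one record per ERROR entry carrying the max-value SOAP fault."""
    hits = []
    for entry in split_entries(text):
        head = ENTRY.match(entry)
        violations = VIOLATION.findall(entry)
        if not head or head["level"] != "ERROR" or not violations:
            continue
        step = STEP.search(entry)
        hits.append({
            "timestamp": head["ts"],
            "step": step["step"] if step else None,
            "job": step["job"] if step else None,
            "fields": Counter(field for _, field, _ in violations),
            "content_ids": sorted({cid for cid, _, _ in violations}),
            "limit": int(violations[0][2]),
        })
    return hits

if __name__ == "__main__":
    for hit in find_link_failures(SAMPLE_LOG):
        print(hit)
```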
Cause
Resolution
2. Upgrade to SecOps 1.3.1