RSA enVision NIC Windows Service stopped working
Originally Published: 2015-09-28
Article Number
000059434
Applies To
RSA Product Set: enVision
RSA Product/Service Type: enVision Core
RSA Version/Condition: 4.1 SP1 
Platform: Windows
O/S Version: 2008R2/2003
Product Description: RSA enVision ES/LS
Issue
  • When the storage location for an enVision single-appliance "ES" or multi-appliance "LS" environment runs out of storage space, the enVision NIC-related services are shut down by the "pi_diskusage" exe file.

  • After the storage problem is cleared and the NIC services are started again, collection for the NIC Windows service/agentless service does not resume pulling logs from MS Windows servers normally.

Cause
  • The storage location runs out of free space, so the collection services are disrupted.
  • enVision stops pulling logs from MS Windows-based servers.
Resolution
Re-create a new .POS "position" file:

1. The POS file holds the UTC time and record ID of the last collected event(s) for the MS Windows 2003/2008 servers integrated with RSA enVision.

2. POS file paths:
  • For single-appliance [ES], the POS file is stored locally on the server:
    Path: E:\nic\csd\config\windows\lonely\pos
  • For multi-appliance [LS], the POS file is stored on the NAS storage:
    Path: \\NAS IP\\vol0\nic\csd\config\windows\LC1\pos

3. Based on your RSA enVision setup [ES or LS], delete the POS file from the matching path above.

4. Restart NIC Service Manager and NIC Windows Service on your ES appliance, or on your "LC" collector in an LS multi-appliance environment.

5. Go to the path where the POS is stored and confirm that a new POS has been created.

6. In the GUI, go to Analysis tab > Event Viewer > Message View. Real-time logs there indicate that the NIC Windows service has resumed pulling events from your MS Windows server(s).
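
Steps 3 to 5 as a PowerShell script. This is an added example, not RSA-supplied tooling. It assumes PowerShell is available on the appliance, that the service display names match the article's wording ("NIC Service Manager", "NIC Windows Service"), and it adds one precaution the article does not list: a backup copy of the old POS before deletion.

```powershell
param(
    # The ES or LS POS path given in the article for your setup.
    [Parameter(Mandatory = $true)][string]$PosPath,
    # Assumption: display names as worded in the article; confirm with Get-Service.
    [string[]]$ServiceNames = @('NIC Service Manager', 'NIC Windows Service'),
    [int]$WaitSeconds = 120
)
$ErrorActionPreference = 'Stop'

# Validate everything before touching the POS, so a typo cannot leave
# the collector with no position file and no restarted service.
if (-not (Test-Path -LiteralPath $PosPath)) {
    throw "POS not found at $PosPath; check the ES/LS path first."
}
foreach ($name in $ServiceNames) {
    Get-Service -DisplayName $name | Out-Null   # throws if the name is wrong
}

# Added precaution (not in the article): keep the old POS outside the NIC
# config tree so the last collected UTC/record ID can still be reviewed.
$stamp  = Get-Date -Format 'yyyyMMddHHmmss'
$backup = Join-Path $env:TEMP "pos-backup-$stamp"
Copy-Item -LiteralPath $PosPath -Destination $backup -Recurse
Write-Output "Old POS copied to $backup"

# Step 3: delete the POS.
Remove-Item -LiteralPath $PosPath -Recurse -Force

# Step 4: restart NIC Service Manager and NIC Windows Service.
foreach ($name in $ServiceNames) {
    Restart-Service -DisplayName $name -Force
    $status = (Get-Service -DisplayName $name).Status
    Write-Output "$name is $status"
}

# Step 5: wait for the service to create a new POS.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
while (-not (Test-Path -LiteralPath $PosPath) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
if (Test-Path -LiteralPath $PosPath) {
    Write-Output "New POS created at $PosPath"
} else {
    Write-Warning "No new POS after $WaitSeconds s; recheck free space and service state."
}
```

Run it from an elevated prompt on the ES appliance or the LC collector, then confirm collection in Message View as in step 6.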