000039470 - RSA NetWitness Concentrator fails to start aggregation due to an invalid rule

Document created by RSA Customer Support Employee on Dec 3, 2020

Article Content

Article Number: 000039470
Applies To: RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Concentrator
RSA Version/Condition: 11.4.x, 11.5.x
Platform: CentOS
O/S Version: 7

Issue: The Concentrator's Config page shows a 'consuming' status, but the rate remains at 0 and the 'sessions behind' count is high. Clicking the 'Start Aggregation' button does not start aggregation.

/var/log/messages shows errors like the following:

Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys
Nov 25 22:50:11 Concentrator  NwConcentrator[1762]: [Data] [failure] Throw in function nw::CorrelationDefinition nw::{anonymous}::parseCorrelationRule(nw::CorrLang&, const nw::StringParams&)Dynamic exception type: boost::exception_detail::clone_impl<nw::LogicError>std::exception::what: rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys[boost::errinfo_at_line_*] = 575
Nov 25 22:50:11 Concentrator  NwConcentrator[1762]: [Thread] [info] Stopped thread: Correlation Work  id: 3439
Nov 25 22:50:11 Concentrator  NwConcentrator[1762]: [Aggregation] [info] Aggregation has started

Cause: Aggregation will not start when the concentrator service has one or more Correlation Rules with invalid syntax.
Browsing to the Concentrator -> Config -> Correlation Rules tab shows the rules that have deprecated or invalid syntax.

Resolution: To resolve the issue, perform the following steps.
  1. Stop the concentrator service.
     systemctl stop nwconcentrator
  2. Make a backup of the current NwConcentrator.cfg file.
     cp /etc/netwitness/ng/NwConcentrator.cfg /root/
  3. Modify NwConcentrator.cfg to remove the invalid Correlation Rule(s).
     vi /etc/netwitness/ng/NwConcentrator.cfg
     Note: The Correlation Rules are located under the following line.
     <folder name="correlation" instance="folder">
  4. Start the concentrator service.
     systemctl start nwconcentrator
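As an added example (not code from the RSA article or the NetWitness product), the POSIX shell helpers below detect the "[Data] [failure] rule:" log signature quoted above, take a timestamped backup of the cfg, and print the correlation folder block with line numbers so the operator can locate the rule to remove. The closing </folder> tag and every cfg line other than the correlation <folder> opening line are assumptions made for the constructed sample.

```shell
#!/bin/sh
# Added example, not from the RSA article. Assumptions: the cfg nests its
# rules between <folder name="correlation" instance="folder"> and a closing
# </folder>; the <rule .../> and "sdk" folder lines in the sample are made up.

RULE_FAIL='NwConcentrator\[[0-9]*\]: \[Data\] \[failure\] rule:'

# Print (with line numbers) every rule parse failure found in a log file.
list_rule_failures() { grep -n "$RULE_FAIL" "$1"; }

# Return the number of rule parse failures (0 means this KB does not apply).
count_rule_failures() { grep -c "$RULE_FAIL" "$1" || true; }

# Copy the cfg to a timestamped backup (default /root) and print its path.
backup_cfg() {
    dest="${2:-/root}/$(basename "$1").$(date +%Y%m%d%H%M%S).bak"
    cp "$1" "$dest" && printf '%s\n' "$dest"
}

# Print the correlation folder block, from the opening <folder> line through
# the first </folder> after it, each line prefixed with its cfg line number.
show_correlation_block() {
    awk '/<folder name="correlation" instance="folder">/ { p = 1 }
         p { printf "%d: %s\n", NR, $0 }
         p && /<\/folder>/ { exit }' "$1"
}

# Constructed sample log and cfg (not real customer data) in a temp dir.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/messages" <<'EOF'
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Thread] [info] Stopped thread: Correlation Work  id: 3439
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Aggregation] [info] Aggregation has started
EOF
    cat > "$d/NwConcentrator.cfg" <<'EOF'
<folder name="sdk" instance="folder">
</folder>
<folder name="correlation" instance="folder">
<rule name="example-rule" value="placeholder rule text (assumed format)"/>
</folder>
EOF
    printf '%s\n' "$d"
}
```

On a live host, run list_rule_failures against /var/log/messages and show_correlation_block against /etc/netwitness/ng/NwConcentrator.cfg after stopping the service and taking the backup.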
