000032949 - RSA Security Analytics Decoder retains more packet data than session or meta.

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032949
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition:
IssueThe decoder on a hybrid decoder/concentrator is reporting that it is retaining more packet data then session or Meta. Shouldn't it be the opposite?
ResolutionThe session and meta only exist long enough for the concentrator to consume them. There is enough space on the decoder of session and meta to run if there is an outage of the concentrator. That way when the concentrator comes back online it can pick up where it left off.
When you investigate the concentrator it refers to its own session and meta even on a hybrid.
When you investigate the decoder your queries are on the raw packets and not the session and meta - you should have more retention of packet data on the decoder.
What you'll want to do is verify the retention of session and meta on the concentrator and compare that with the retention you have for decoder packets.