Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000029950 - Concentrator unable to catch up to decoder in RSA Security Analytics and NetWitness

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000029950
Applies To	RSA Product Set: Security Analytics, NetWitness RSA Product/Service Type: Concentrator, Decoder RSA Version/Condition: 9.8.x, 10.x
Issue	When a failed concentrator is brought back online (for reason inspecific) without its previous meta set, the concentrator may fail to reasonably catch up to the decoder due to the sheer volume of decoder data (several terabyte, for example). In circumstances such as this, a practical solution is to establish a reasonable amount of data that the concentrator will be able to consume based on time.
Resolution	Please note: changes to the timeRoll settings prunes data based on time on the decoder. Once the data is pruned it is no longer available. How to use the timeRoll parameter on a packet decoder: timeRoll will prune data in the db based on time in either hours or days. *From the SA UI (any 10.X version)* Select the explorer view on the appliance, select database. Right click on properties. On the lower section of the screen, "Properties for Decoder (decoder)/database" Click on the pulldown next to "Parameters" By default, "ls" the option, click on the pulldown and select timeRoll, example: In the parameter window, enter a database value to pass to timeRoll. Example: timeroll type=packet date=2015-30-03 ..prunes packets earlier than March 30, 2015 . Options for NwConsole (Netwitness 9.x and SA 10.X) Example 1: Roll data older than one hour: /database timeroll hours=1 type=packet ...prunes data older than 7 days Example 2: /database timeroll days=7 type=session,packet,meta Rolls data older than 7 days in session, packet and meta on the decoder. This particular setting is useful in pruning all data and applies especially well to the use case described.

Attachments

Outcomes

0 Comments

Recommended Content