000017541 - RSA Security Analytics decoder module failed to load

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000017541
Applies To: RSA Security Analytics; RSA Security Analytics Decoder; RSA NetWitness NextGen
Issue: RSA Security Analytics decoder module failed to load. The Decoder is displaying an initialization error.

The /var/log/messages file displays errors similar to the following:



Jun 23 16:44:50 nwdecoder-01 nw[2907]: [Engine] [warning] Module decoder failed to load. Diagnostic information: Throw in function bool nw::ObjectStoreDatabase<ObjectT, IndexHeaderT, MutexT>::openNl(const DbStorageLocations&, const string&, const string&, nw::uint32, nw::uint32&) [with ObjectT = nw::PacketData; IndexHeaderT = nw::NullObjectStoreIndexHeader<nw::PacketData>; MutexT = boost::mutex; nw::DbStorageLocations = std::vector<nw::DbDirectory>; std::string = std::basic_string<char>; nw::uint32 = unsigned int]
Dynamic exception type: boost::exception_detail::clone_impl<boost::unknown_exception>
std::exception::what: std::exception
[boost::errinfo_at_line_*] = 171
[boost::tag_original_exception_type*] = N2nw10LogicErrorE
Jun 23 16:44:50 nwdecoder-01 nw[2907]: [stats] [info] Found 20 files (588.01 MB) when loading /var/netwitness/decoder/statdb of max size 1 GB
Jun 23 16:44:50 nwdecoder-01 nw[2907]: [stats] [warning] Database stats is missing objects from 20331457 to 20331460. The gap exists between object store "/var/netwitness/decoder/statdb/stats-000000251.statsdb" and "/var/netwitness/decoder/statdb/stats-000000252.statsdb".


Resolution

To resolve the issue, first check that the hostname is correct in both the /etc/hosts file and the /etc/sysconfig/network file. Next, ensure that the packet.dir parameter is defined with the correct file path and that there are no spaces. This can be done using either of the two methods below.


Method #1


  1. Connect to the decoder appliance via SSH as the root user.
  2. Stop the decoder service with the following command:  stop nwdecoder
  3. Use the VI editor to modify the NwDecoder.cfg file by issuing the following command:  vi /etc/netwitness/ng/NwDecoder.cfg
  4. Search for the Packet Database Directory entry and modify the line to ensure that it matches the portion of the example below that is marked in red.
         <config getRoles="database.manage" instance="config" maxLength="4096" name="packet.dir" prettyName="Packet Database Directory" setRoles="database.manage" value="/var/netwitness/decoder/packetdb=98.74 GB"/>
  5. Save the configuration file.
  6. Start the decoder service with the following command:  start nwdecoder
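
The checks from the Resolution paragraph and Method #1 can be scripted and run before the service is started again. The following is an added example, not RSA tooling and not part of the original article; the function names are hypothetical, and it assumes the packet.dir value has the form <path>=<size> as in the sample line above, with the "no spaces" rule applied to the path portion.

```bash
#!/bin/bash
# Added example (not RSA tooling). Function names are hypothetical.
# Assumption: packet.dir's value is "<path>=<size>", as in the article's sample line,
# and the "no spaces" rule applies to the <path> part.

# Print the value="..." attribute of the packet.dir entry in config file $1.
packet_dir_value() {
    grep -F ' name="packet.dir"' "$1" | sed -n 's/.* value="\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if the packet.dir path in config file $1 has no spaces and exists.
check_packet_dir() {
    local cfg="$1" value path rc=0
    value="$(packet_dir_value "$cfg")"
    if [ -z "$value" ]; then
        echo "FAIL: no packet.dir value found in $cfg"
        return 1
    fi
    path="${value%%=*}"                      # drop the "=<size>" suffix
    case "$path" in
        *" "*) echo "FAIL: space in packet.dir path: '$path'"; rc=1 ;;
    esac
    if [ ! -d "$path" ]; then
        echo "FAIL: packet.dir path is not an existing directory: '$path'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: packet.dir path '$path'"
    return "$rc"
}

# Return 0 if hostname $1 is listed in hosts file $2 and set as HOSTNAME in file $3.
check_hostname() {
    local name="$1" hosts="$2" network="$3" rc=0
    if ! grep -v '^[[:space:]]*#' "$hosts" | grep -qwF -- "$name"; then
        echo "FAIL: $name is not listed in $hosts"
        rc=1
    fi
    if ! grep -qxF -e "HOSTNAME=$name" -e "HOSTNAME=\"$name\"" "$network"; then
        echo "FAIL: HOSTNAME in $network is not $name"
        rc=1
    fi
    return "$rc"
}

# Usage on the decoder, with the service stopped:
#   check_hostname "$(hostname)" /etc/hosts /etc/sysconfig/network
#   check_packet_dir /etc/netwitness/ng/NwDecoder.cfg
```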

 


Method #2


  1. Stop the decoder service via SSH (see Step 2 of the section above) or via the Security Analytics UI.
  2. In the Security Analytics UI, navigate to Administration -> Devices.
  3. Select the decoder appliance and click on View -> Explore.
  4. Navigate to database -> config in the directory tree.
  5. Ensure that the packet.dir is defined correctly with the proper file path and make changes as necessary.
  6. Start the decoder service via SSH or the Security Analytics UI.

 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a66637
