|Applies To||RSA Product Set: NetWitness and Security Analytics|
RSA Product/Service Type: Core Appliance
|Issue||When reviewing log files on an RSA NetWitness appliance, you see a message similar to the following: Meta Procession Failed for session x : Max Meta Reached|
In Security Analytics, the value "parser error: max meta reached" is seen in the alert meta key when investigating.
|Cause||A single session can only have approximately 8000 meta values associated with it. The message is therefore not an indication of a failure; it is a notification that the 8000 cap has been hit and that no additional meta values will be parsed for that session.|
|Resolution||The limit is configured in the decoder service Explorer view at /decoder/parsers/config/session.meta.max=8192 (default) in RSA NetWitness Administrator.|
A TCP session begins after the three-way handshake and ends when the connection is reset. If the connection is long-lived and persistent, always open and passing data, the maximum meta for the session will eventually be reached.
The amount of meta generated also depends upon the number of parsers deployed. Any duplicate parsers (such as both flex and LUA parsers) should be disabled. The flex parser can be disabled.
Sessions that reach the maximum meta are tagged in the alert meta key with "parse error: max meta reached", which helps identify the traffic causing this behaviour.
|Legacy Article ID||a58597|
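An added example, not part of the original RSA article: a Python script that groups the max-meta notifications in a log by host and hour and lists the affected session IDs, as a starting point for finding the long-lived sessions described above. Only the message wording comes from the article; the timestamp and host prefix, the host names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Message wording is taken from the article ("Procession" included); matching is
# loose because the article says the real message is only "similar to" it.
MAX_META = re.compile(
    r"Meta Process\w* Failed for session (\d+) ?: ?Max Meta Reached", re.I)
# Assumed (constructed) line prefix: ISO timestamp, then host name.
# Adjust this pattern to the layout of the log actually being reviewed.
PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}\s+(\S+)\s")

# Constructed sample input, not real appliance output.
SAMPLE_LOG = """\
2024-03-05T09:14:02 decoder-a Meta Procession Failed for session 48211 : Max Meta Reached
2024-03-05T09:14:02 decoder-a Meta Procession Failed for session 48211 : Max Meta Reached
2024-03-05T09:47:30 decoder-a Meta Procession Failed for session 51907 : Max Meta Reached
2024-03-05T10:02:11 decoder-a capture rate nominal
2024-03-05T10:20:45 decoder-b Meta Procession Failed for session 733 : Max Meta Reached
2024-03-05T10:21:00 decoder-a Meta Procession Failed for session 60412 : Max Meta Reached
"""

def capped_sessions(log_text):
    """Return {(host, hour): sorted unique session IDs that hit the meta cap}."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        hit = MAX_META.search(line)
        if not hit:
            continue  # unrelated log line
        prefix = PREFIX.match(line)
        # Lines without the assumed prefix are still counted, under "unknown".
        key = (prefix.group(2), prefix.group(1)) if prefix else ("unknown", "unknown")
        buckets[key].add(int(hit.group(1)))  # set: repeated messages count once
    return {key: sorted(ids) for key, ids in sorted(buckets.items())}

def busiest(buckets):
    """Return the (host, hour) bucket with the most capped sessions, or None."""
    return max(buckets, key=lambda k: len(buckets[k]), default=None)

if __name__ == "__main__":
    result = capped_sessions(SAMPLE_LOG)
    for (host, hour), ids in result.items():
        print(f"{host} {hour}:00  {len(ids)} capped session(s): {ids}")
    print("busiest:", busiest(result))
```

A small, stable set of session IDs points to a few persistent connections; many distinct sessions across hours is more consistent with excess meta from the deployed parser set.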