000017629 - Error message 'Max Meta Reached' reported on an RSA NetWitness or Security Analytics appliance

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017629
Applies To: RSA Product Set: NetWitness and Security Analytics
RSA Product/Service Type: Core Appliance
Issue: When reviewing log files on an RSA NetWitness appliance, you see a message similar to the following:  Meta Procession Failed for session x : Max Meta Reached
In Security Analytics, "parser error: max meta reached" is seen in the alert meta key when investigating.
Cause: A single session can only have approximately 8000 meta values associated with it. The message is therefore not really an indication of any failure; it is a notification that the 8000 cap has been hit and that no additional meta values will be parsed for that session.
Resolution: The cap is configured in the decoder service explorer view under /decoder/parsers/config/session.meta.max=8192 (default) in RSA NetWitness Administrator.
A TCP session begins after the three-way handshake and ends when the connection is reset. If the connection is long and persistent, always open and passing data, the maximum meta for the session will eventually be reached.
The amount of meta generated also depends on the number of parsers deployed. Any duplicate parsers (such as both flex and Lua parsers) should be disabled. The flex parser can be disabled.

Sessions that reach the maximum meta are tagged in the alert meta key with "parse error: max meta reached", which helps identify the traffic that is causing this behaviour.

Legacy Article ID: a58597