000017884 - Error message "xfs_log_force: error 5" is reported on an RSA Security Analytics appliance

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 26, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000017884
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Hybrid, Broker
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6
IssueThe /var/log/messages file reports an error similar to the following:

Filesystem dm-7: xfs_log_force: error 5 returned.


The appliance services are unable to start.
Resolution

In order to resolve the issue, follow the steps below.



  1. Connect to the appliance via SSH as the root user.
     
  2. Shutdown the nwdecoder and/or nwconcentrator services with the following command:

    stop <service>

  3. Issue the df -h command.
     
  4. Record the filesystem locations for the following mount points:
    • /var/netwitness/concentrator/sessiondb
    • /var/netwitness/concentrator/index
    • /var/netwitness/concentrator/metadb
    • /var/netwitness/concentrator
  5. Issue the following commands:

    # umount /var/netwitness/concentrator/sessiondb
    # umount /var/netwitness/concentrator/index
    # umount /var/netwitness/concentrator/metadb
    # umount /var/netwitness/concentrator

  6. Issue the df -h command again to ensure that the devices have been successfully unmounted.  The unmounted systems should no longer appear when issuing the command.
  7. Navigate to the /dev/mapper directory with the following command:

    # cd /dev/mapper

  8. Issue the following command:

    # ls -l

  9. Run the following command against each filesystem recorded in Step 4:

    # xfs_repair <filesystem_location>

  10. If xfs_repair finds an error, run the command again against the same filesystem until it no longer finds any errors.
     
  11. Mount all partitions with the following command:

    # mount -a

  12. Start the nwdecoder and/or nwconcentrator services with the following command:

    # start <service>


 



If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.

Legacy Article IDa67104

Attachments

    Outcomes