Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Hybrid, Broker
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x, 10.6.x
O/S Version: 6
In order to resolve the issue, follow the steps below.
- Connect to the appliance via SSH as the root user.
- Shut down the nwdecoder and/or nwconcentrator services with the following command:
- Issue the df -h command.
- Record the filesystem locations for the following mount points:
- Issue the following commands:
# umount /var/netwitness/concentrator/sessiondb
# umount /var/netwitness/concentrator/index
# umount /var/netwitness/concentrator/metadb
# umount /var/netwitness/concentrator
- Issue the df -h command again to ensure that the devices have been successfully unmounted. The unmounted filesystems should no longer appear in the output.
- Navigate to the /dev/mapper directory with the following command:
# cd /dev/mapper
- Issue the following command:
# ls -l
- Run the following command against each filesystem recorded in Step 4:
# xfs_repair <filesystem_location>
- If xfs_repair finds an error, run the command again against the same filesystem until it no longer finds any errors.
- Mount all partitions with the following command:
# mount -a
- Start the nwdecoder and/or nwconcentrator services with the following command:
# start <service>
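The record, unmount-order and verification steps above can be scripted. The following is an added example, not RSA's own tooling: the function names and the device names in the sample are assumptions constructed for illustration, and it reads `df -P` output rather than `df -h` so that long /dev/mapper names stay on one line.

```shell
#!/bin/sh
# Added example: helper functions for the record / unmount / verify steps.
# Works on `df -P` text (one line per filesystem, no wrapping of long names).

# Constructed sample df -P output; device names are placeholders.
sample_df() {
cat <<'EOF'
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg_example-root 8125880 2101244 5605208 28% /
/dev/mapper/vg_example-nwhome 31441920 1048576 30393344 4% /var/netwitness
/dev/mapper/vg_example-concroot 31441920 1048576 30393344 4% /var/netwitness/concentrator
/dev/mapper/vg_example-index 31441920 1048576 30393344 4% /var/netwitness/concentrator/index
/dev/mapper/vg_example-sessiondb 31441920 1048576 30393344 4% /var/netwitness/concentrator/sessiondb
/dev/mapper/vg_example-metadb 31441920 1048576 30393344 4% /var/netwitness/concentrator/metadb
EOF
}

# stdin: df -P text. $1: top mount point of the service.
# Prints "device mountpoint", deepest mount point first, so nested
# filesystems are unmounted before the one that contains them.
plan_unmount() {
    awk -v root="$1" '
        NR > 1 && ($6 == root || index($6, root "/") == 1) {
            mp = $6
            depth = gsub("/", "/", mp)   # count path separators
            print depth, $1, $6
        }' | sort -k1,1nr -k3,3 | cut -d" " -f2-
}

# stdin: current df -P text. $1: file saved from plan_unmount.
# Prints every recorded device that is still mounted; returns 1 if any is,
# in which case xfs_repair must not be started yet.
still_mounted() {
    awk -v plan="$1" '
        BEGIN { while ((getline line < plan) > 0) { split(line, f, " "); dev[f[1]] = 1 } }
        FNR > 1 && ($1 in dev) { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Demo on the constructed sample; on an appliance use: df -P | plan_unmount ...
sample_df | plan_unmount /var/netwitness/concentrator
```

Saving the plan to a file before unmounting keeps the device list available for the xfs_repair step after the entries have disappeared from df.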
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.