000032517 - RSA Security Analytics - Aggregation doesn't start on a newly added concentrator because of wrong entries in NwBroker.cfg

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032517
Applies ToRSA Product Set: RSA Security Analytics
RSA Product/Service Type: Concentrator
RSA Version/Condition: 10.5
Platform: CentOS
Platform (Other): NA
O/S Version: EL6

 
IssueAggregation doesn't start on a newly added concentrator because of wrong entries in NwBroker.cfg.
The below error message appears in /var/log/messages of concentrator:
 
Jan 18 07:01:34 SASRV NwBroker[4331]: [Aggregation] [failure] Failed to complete device '10.192.6.16:50005' because MergeInfo failed because local data from device '10.192.6.16:50005' was invalid. Device returned lsStart:1 lsEnd:3678 lmStart:1 lmEnd:29424 last:0. Device aggregation is being stopped. 
Jan 18 07:01:34 SASRV NwBroker[4331]: [Broker] [info] Device '10.192.6.16:50005' mapping file saved 
Jan 18 07:01:34 SASRV NwBroker[4331]: [Thread] [info] Stopped thread: Aggregation State Schedule 10.192.6.16:50005 id: 43300 
Jan 18 07:02:04 SASRV python: update-federation-links.py: No changes needed
CauseIn /var/netwitness/ng/NwBroker.cfg, you will find two entries for the concentrator with different port numbers and aggregation doesn't start.
 
<folder instance="folder" name="10.192.6.16:50005" prettyName="10.192.6.16:50005"> 
<folder instance="folder" name="10.192.6.16:56005" prettyName="10.192.6.16:56005"> 
ResolutionTo resolve this issue, follow the below instructions:
       1. Remove the concentrator service from Administration->Services->Config View of Broker->Aggregate Services.



       2. Delete both entries for the corresponding concentrator from /var/netwitness/ng/NwBroker.cfg as below:
  • <folder instance="folder" name="recovery" prettyName="recovery"> 
  • <folder instance="folder" name="10.192.6.16:50005" prettyName="10.192.6.16:50005"> 
  • <config getRoles="" instance="config" maxLength="4096" name="device.invalid.sessions" prettyName="device.invalid.sessions" setRoles="" value=""/> 
  • </folder> 
  • <folder instance="folder" name="10.192.6.16:56005" prettyName="10.192.6.16:56005"> 
  • <folder instance="folder" name="10.192.6.16:56005" prettyName="10.192.6.16:56005"> 
  • <config getRoles="" instance="config" maxLength="4096" name="device.invalid.sessions" prettyName="device.invalid.sessions" setRoles="" value=""/> 
  • </folder> 
 

       3. Restart the nwbroker service
  •    service nwbroker restart
      4. Add the concentrator service back to  Administration-> Services-> Config View of Broker-> Aggregate Services.

Attachments

    Outcomes