000032749 - RSA Security Analytics Throttle Remote Collector to Local Collector Bandwidth Errors

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Apr 17, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000032749
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.0.x.
IssueBandwidth throttling configuration changes to control the rate that the Remote Collector sends event data to a Local Collector do not persist after a reboot.
CauseThe set-shoveltransfer-limit.sh script is used to set the bandwidth throttle for event data transferred from a remote collector to local collector.

The script uses both iptables rules and Linux kernel traffic shaping filters to control the upload bandwidth used by the RabbitMQ port on transfers to an upstream collector.
The script works correctly when executed, but fails to persist the traffic shaping filter values once the appliance is rebooted.
ResolutionThis issue is fixed in NetWitness
Please consider upgrading to NetWitness 11.1 or later to resolve the issue.
WorkaroundAdd the script execution to the /etc/rc.local on the remote collector, as shown in the following example:

“/opt/netwitness/bin/set-shovel-transfer-limit.sh -s -r 4096kbit”