000017707 - Archiver does not aggregate new sessions in real-time in RSA Security Analytics 10.3.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017707
Applies To: RSA Security Analytics
RSA Security Analytics 10.3
RSA Security Analytics Archiver
RSA Security Analytics Log Decoder

Issue

Archiver does not aggregate new sessions in real-time in RSA Security Analytics 10.3.x.
Archiver does not aggregate new sessions in real time. The Aggregate Devices tab in the Archiver configuration screen shows a rate of 0 and a status of consuming.
No data is being written to the Archiver's database folder.

Archiver will start to aggregate again if either of the following actions is performed:

  • The Log Decoder is toggled to offline then online again.
  • The Log Decoder service itself is restarted. The device is then toggled back online (after the nwlogdecoder service restart, it shows up as offline on the Archiver config page).

After aggregation completes, Archiver does not consume anything else until the actions above are performed.

Cause

This is not an issue or a bug, but instead is a reflection of the Archiver's 'nice' aggregation feature.

By default, aggregate.nice is set to 1 (enabled). With this option enabled, Archiver will NOT aggregate the latest packet/meta/session files from the Log Decoder until the Log Decoder has finished writing those files and marked them read-only. Because the newest file is still open for writing, aggregation appears to stall at a rate of 0 until the Log Decoder closes it.

Resolution

In order to let Archiver aggregate close to real-time, set /archiver/config/aggregate.nice=0 in the Explore view for the device. Doing so will ensure that Archiver always aggregates new data from the Log Decoder, including files the Log Decoder is still writing.

Notes

There is a performance consideration in keeping aggregate.nice=1: it allows the Log Decoder to simultaneously serve the Archiver, Warehouse Connector and Concentrator without contending for files that are still being written. Setting it to 0 trades that reduced load on the Log Decoder for lower aggregation latency.

Legacy Article ID: a67531
