|Applies To||RSA Security Analytics|
RSA Security Analytics 10.3
RSA Security Analytics Archiver
RSA Security Analytics Log Decoder
|Issue||Archiver does not aggregate new sessions in real-time in RSA Security Analytics 10.3.x.|
Archiver does not aggregate new session in real time. The Aggregate Devices tab in the Archiver configuration screen shows a rate of 0 and the status consuming.
No data is being written to the Archiver's database folder.
Archiver will start to aggregate again if either of following action is performed:
After aggregation completes, Archiver does not consume anything else until the actions above are performed.
This is not an issue or a bug, but instead is a reflection of the Archiver's 'nice' aggregation feature.
By default, aggregate.nice is set to 1 (enabled). This option indicates that Archiver will NOT aggregate the latest packet/meta/sessions files from Logdecoder unless Logdecoder has finished the files and marked them read-only.
|Resolution||In order to let Archiver aggregate close to real-time, set /archiver/config/aggregate.nice=0 in the Explore view for the device. Doing so will ensure that Archiver will always aggregate new data from the Log Decoder.|
|Notes||There is a performance consideration in setting aggregate.nice=1, to allow the Logdecoder to simultaneously serve the Archiver/Warehouse Connector/Concentrator.|
|Legacy Article ID||a67531|