000017707 - Archiver does not aggregate new sessions in real time in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Feb 11, 2020.
Version 4

Article Content

Article Number: 000017707
Applies To: RSA Product Set: NetWitness Platform, Security Analytics
RSA Product/Service Type: Concentrator, Packet Hybrid, Log Hybrid, Broker, Archiver
RSA Version/Condition: 9.8, 10.1.x, 10.2.x, 10.3.x, 10.4.x, 10.5.x, 10.6.x, 11.x
Issue: The Archiver does not aggregate new sessions in real time. The Aggregate Devices tab in the Archiver configuration screen shows a rate of 0 and a status of consuming, and no data is being written to the Archiver's database folder.

The Archiver starts to aggregate again if either of the following actions is performed:

  • The Log Decoder is switched offline and then online again.
  • The Log Decoder service itself is restarted and the device is then switched back online (after the nwlogdecoder service restart, it shows up as offline on the Archiver configuration page).

After that aggregation pass completes, the Archiver consumes nothing further until one of the actions above is repeated.

Cause

This is not a defect. It is the expected behaviour of the Archiver's 'nice' aggregation feature.

By default, aggregate.nice is set to 1 (enabled). With this option on, the Archiver will NOT aggregate the latest packet/meta/session files from the Log Decoder until the Log Decoder has finished writing them and marked them read-only. Switching the Log Decoder offline or restarting it closes the files it currently has open, which is why either action is followed by a burst of aggregation and then another wait for the next file to be closed.

Resolution: To let the Archiver aggregate close to real time, set /archiver/config/aggregate.nice=0 in the Explore view of the Archiver service. The Archiver will then always aggregate new data from the Log Decoder, including files the Log Decoder is still writing.
Notes: aggregate.nice=1 is the default for a performance reason: it lets the Log Decoder serve the Archiver, Warehouse Connector and Concentrator simultaneously without also having to serve its still-open files. Setting aggregate.nice=0 removes that relief and adds load to the Log Decoder, so weigh near-real-time archiving against Log Decoder capacity before changing it.
Legacy Article ID: a67531
