000011616 - NIC System Message %NIC-3-604103

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000011616
Applies To: Envision (All Currently Supported Versions)
NIC System Message 604103
Issue: NIC System Message %NIC-3-604103
User is seeing NIC System Messages periodically. What do they mean, and is this a cause for concern?
Resolution
The message "Unable to write to shared memory" can occur for a couple of different reasons, and it does not necessarily mean there is a problem.
As each collection service (NIC File Reader, NIC Trapd service, NIC Windows Service, etc.) processes its type of data (flat files for the NIC File Reader service, Windows Events for the NIC Windows service, etc.), it writes those messages in Syslog format to an area of memory that is shared with the NIC Collector. When cycles are free, the NIC Collector reads from the Shared Memory buffer and writes the respective events to their corresponding nugget files.
If the NIC Collector goes down for some reason, the buffer will eventually fill, and you would see the "Unable to write to shared memory" messages for all of your collection services, not just a specific one (like File Reader). Additionally, you would be able to see that the NIC Collector wasn't working right, as you wouldn't have any events being processed. In this respect, NIC System message 604103 is an indicator of a problem (your NIC Collector is not working properly), which is confirmed by seeing that no new nugget files are being created.
More often than not, "Unable to write to shared memory" is an indicator that your data has been throttled, as opposed to there being a problem. This usually occurs when you process large sets of messages (like a Bluecoat log through the NIC File Reader service).
Per local collector in a distributed site (LS or LS-EA), the maximum licensed value is 10,000 EPS (Events Per Second). Of that 10,000, only 70% by default is available for collection services other than standard Syslog traffic that comes in through the NIC Collector directly. This is done intentionally to ensure that the NIC Collector is able to process, to the best of its ability, all of the incoming UDP traffic, which cannot be recovered if not processed in time. All other traffic (i.e., what is waiting in Shared Memory) is secondary because the other collection mechanisms are designed to recover gracefully.
For any given period, if the Shared Memory buffer is full and the NIC Collector is still processing data, you'll see the "Unable to write to shared memory" message.
What those other collection services do when they see "Unable to write to shared memory" is wait a small period of time to give the NIC Collector an opportunity to free up some space in the buffer, and then try to add to the buffer again.
If you have confirmed that collection is working, "Unable to write to shared memory" is an indicator that you are processing a lot of data for the given event source or collection type. Collection for those messages will be delayed slightly, but you will eventually process all of the messages.
Once the messages are finished processing (assuming you have low and high traffic periods), you should see that NIC System message 604103 stops generating.
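The triage described above, as an added example that is not part of the original RSA article: it classifies each time window containing 604103 messages by whether new nugget files were still being created and whether every collection service reported the message. The service labels, timestamps, 10-minute window and verdict names are assumptions constructed for illustration, not enVision output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def triage_604103(events, nugget_times, all_services, window=timedelta(minutes=10)):
    """Classify each time window that contains 604103 messages.

    events       -- (datetime, service) pairs, one per 604103 message
    nugget_times -- datetimes at which new nugget files were created
    all_services -- collection services running on this collector
    """
    if not events:
        return []
    origin = min(ts for ts, _ in events)
    buckets = defaultdict(set)
    for ts, service in events:
        buckets[(ts - origin) // window].add(service)
    results = []
    for idx in sorted(buckets):
        start = origin + idx * window
        end = start + window
        nuggets = sum(1 for t in nugget_times if start <= t < end)
        services = buckets[idx]
        if nuggets > 0:
            verdict = "throttled"        # collector is still draining the buffer
        elif services >= set(all_services):
            verdict = "collector_down"   # every service blocked, nothing written
        else:
            verdict = "check_collector"  # nothing written, only some services reported
        results.append({"start": start, "services": sorted(services),
                        "new_nuggets": nuggets, "verdict": verdict})
    return results

# Constructed sample data (hypothetical service labels and times).
T0 = datetime(2017, 4, 21, 9, 0)
SERVICES = {"file_reader", "trapd", "windows"}
SAMPLE_EVENTS = [
    (T0, "file_reader"),
    (T0 + timedelta(minutes=3), "file_reader"),
    (T0 + timedelta(minutes=20), "file_reader"),
    (T0 + timedelta(minutes=21), "trapd"),
    (T0 + timedelta(minutes=22), "windows"),
]
SAMPLE_NUGGETS = [T0 + timedelta(minutes=1), T0 + timedelta(minutes=6)]

if __name__ == "__main__":
    for row in triage_604103(SAMPLE_EVENTS, SAMPLE_NUGGETS, SERVICES):
        print(row["start"], row["services"], row["new_nuggets"], row["verdict"])
```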
Legacy Article ID: a63487
