000031178 - Error message "No Log Data" when attempting to view logs on an RSA Security Analytics Log Decoder

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000031178
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.4.x
Platform: CentOS
O/S Version: EL6
Issue: The error message "No Log Data" is displayed when attempting to view logs on an RSA Security Analytics Log Decoder.
The Log Decoder also does not appear to be consuming logs.
Cause: This issue occurs because the /var/netwitness/logdecoder/cache directory has filled up and exceeded its default size of 4GB, which fills the Log Decoder disk space.
Workaround: Perform the following steps to resolve this issue:
  1. Log in to the Security Analytics UI and navigate to Administration -> Services.
  2. Select the Log Decoder, click on the red Actions button, and select View -> Explore.
  3. Right-click on the sdk node and select Properties.
  4. Select delCache from the drop-down menu and click Send. This will delete all .nwd files under /var/netwitness/logdecoder/cache.
  5. In the same Explore view, navigate to the LDecoder -> SDK -> config node.
  6. Modify the cache.size value from the default 4GB to 5GB.
  7. Change the value back to the original value of 4GB. The changes take effect immediately (no service restart is needed).
After making these changes, the issue should be resolved.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
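
To confirm the cause before running delCache, and to verify afterwards that the cache was cleared, the following shell check sums the .nwd files under the cache directory and compares the total with the 4GB default. It is an added example, not RSA-supplied code; the function names, the CACHE_DIR and LIMIT_BYTES variables, and the reading of 4GB as 4 GiB are assumptions.

```shell
#!/bin/sh
# Added diagnostic example (not RSA code). Run on the Log Decoder as:
#   sh check_cache.sh check
CACHE_DIR="${CACHE_DIR:-/var/netwitness/logdecoder/cache}"  # path from the article
LIMIT_BYTES="${LIMIT_BYTES:-4294967296}"  # 4GB default cache.size, assumed to mean 4 GiB

# Print the total size in bytes of all *.nwd files under directory $1.
nwd_cache_bytes() {
    find "$1" -type f -name '*.nwd' -exec wc -c {} + 2>/dev/null |
        awk 'NF == 2 && $2 == "total" { next }   # skip the per-batch summary line of wc
             { sum += $1 }
             END { printf "%.0f\n", sum }'
}

# Print the percentage of used space on the filesystem holding $1.
fs_use_percent() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Compare the cache in $1 against the limit $2 (bytes).
# Returns 0 when within the limit, 1 when over it, 2 when the directory is missing.
check_cache() {
    dir=$1
    limit=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    used=$(nwd_cache_bytes "$dir")
    pct=$(fs_use_percent "$dir")
    if [ "$used" -gt "$limit" ]; then
        echo "OVER cache=${used}B limit=${limit}B fs_used=${pct}%"
        return 1
    fi
    echo "OK cache=${used}B limit=${limit}B fs_used=${pct}%"
}

# Only act when invoked with the "check" argument, so the file can also be sourced.
[ "${1:-}" != "check" ] || check_cache "$CACHE_DIR" "$LIMIT_BYTES"
```

An OVER result together with a high fs_used value matches the condition described under Cause; after step 4 the same check should report OK.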