000031178 - Error message "No Log Data" when attempting to view logs on an RSA Security Analytics Log Decoder

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jan 28, 2020
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000031178
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 11.x
Platform: CentOS
O/S Version: EL6
IssueThe error message "No Log Data" is displayed when attempting to view logs on an RSA Security Analytics Log Decoder.
The Log Decoder also does not appear to be consuming logs.
CauseThis issue occurs because the /var/netwitness/logdecoder/cache directory is filled and exceeds the default size of 4GB, which fill the Log Decoder disk space.
WorkaroundThe following steps must be done in order to resolve this issue:
  1. Log into the Security Analytics UI and go to Administration -> Services.
  2. Select the Log Decoder, click the red Actions button, and select View -> Explore.
  3. Right-click on the sdk node, and select Properties.
  4. Select delCache from the drop-down menu and click the Send as shown below. This deletes all .nwd files under /var/netwitness/logdecoder/cache.
    User-added image
  5. In the same Explore view, go to the LDecoder -> SDK ->config node.
  6. Modify the cache.size value from default the default 4 GB to 5 GB.
    User-added image

  7. Change the value back again to the original value of 4 GB.  The changes take effect immediately. (no service restart needed)
After applying those changes, the issue should be resolved.

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.