000030561 - Some rule executions against SA Core/NWDB data sources can fail in RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030561
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Reporting Engine, Core Appliance
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
IssueNWDB Rule/Report execution fails with error Message as "std::bad_alloc" when executed against Concentrator Datasources.
User-added image

Review the Reporting Engine logs (reporting-engine.log) to for items similar to the examples below to identify potential problems.

2015-03-19 04:07:46,390 [EXEC_RUNDEF_153_20150319035604/Query Without Aggregates] ERROR com.rsa.soc.datasource.nextgen.nw.service.impl.NwCoreResponseMessage - com.rsa.netwitness.carlos.transport.TransportException: std::bad_alloc
2015-03-19 04:07:46,391 [EXEC_RUNDEF_153_20150319035604/Query Without Aggregates] INFO com.rsa.soc.datasource.nextgen.nw.query.NwQueryHandler - Nw query handler successfully closed.
2015-03-19 04:07:46,391 [EXEC_RUNDEF_153_20150319035604/Query Without Aggregates] ERROR com.rsa.soc.re.queryprocessor.mina.QueryExecutor - Error executing query for execid= EXEC_RUNDEF_153_20150319035604 ruleId= RULE_60_20150318231627
com.rsa.soc.datasource.DataSourceException: Error occurred while fetching data from source ' - CONC[]'. Error details : std::bad_alloc.
at com.rsa.soc.datasource.nextgen.nw.service.impl.NwCoreResponseMessage.throwDSException(NwCoreResponseMessage.java:232)
at com.rsa.soc.datasource.nextgen.nw.service.impl.NwCoreResponseMessage.getResult(NwCoreResponseMessage.java:70)
at com.rsa.soc.datasource.nextgen.nw.service.impl.NwCoreResponseMessage.getResult(NwCoreResponseMessage.java:25)
at com.rsa.soc.datasource.nextgen.nw.query.NwQueryHandler.fetchQueryResult(NwQueryHandler.java:659)
at com.rsa.soc.datasource.nextgen.nw.query.NwQueryHandler.fetchResultInBatch(NwQueryHandler.java:579)
at com.rsa.soc.datasource.nextgen.nw.query.NwQueryHandler.getQueryResultAsRowSet(NwQueryHandler.java:542)
at com.rsa.soc.datasource.nextgen.nw.query.NwQueryHandler.getResult(NwQueryHandler.java:170)
at com.rsa.soc.re.queryprocessor.mina.QueryExecutor.run(QueryExecutor.java:161)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
2015-03-19 04:07:46,391 [EXEC_RUNDEF_153_20150319035604/Query Without Aggregates] WARN com.rsa.soc.re.queryprocessor.mina.QueryHandler - Error executing rule with id: RULE_60_20150318231627 against dataSource: NWDB
CauseSome of the rules executed against RSA Security Analytics Core (NWDB) in the Concentrator data sources can fail if there are insufficient resources available for processing them.
For example, if the execution failed due to 
excess use of memory in Core, then it displays "std::bad_alloc" error message.
The top command can be run on the Concentrator to determine whether swap memory has been completely utilized. 

User-added image
WorkaroundOne of the following steps should help resolve the issue:
  • Remove the Order By from the rules.
  • Refine the rule or query to make it more selective.
  • Check the memory and reschedule the rule execution when there is less contention of resources.
  • Sometimes, the Concentrator service can terminate while executing complex queries with large data. Stop and restart the service.
If you are unsure of any of the steps above or experience any issues, contact RSA Technical Support and quote this article number for further assistance.