000017193 - Log Decoder partitions in RSA Security Analytics hybrid or AIO appliance are not configured correctly

Document created by RSA Customer Support Employee on Jun 17, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000017193
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: RSA Security Analytics Log Decoder
RSA Security Analytics Hybrid
RSA Security Analytics All-in-One
RSA Security Analytics Series 4S Appliance
 
Issue: Log Decoder partitions in an RSA Security Analytics Hybrid or All-In-One appliance are not configured correctly. This applies only to Log All-In-One and Log Hybrid appliances.
For the log decoder service, the sessiondb volume is much greater in size than the metadb volume (the opposite is normally true). In the example below, metadb is 10GB and sessiondb is 300GB.

The df -h command will display information similar to the excerpt below:


Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup01-ldecmeta
                            10G  8.8G  1.3G  88% /var/netwitness/logdecoder/metadb
/dev/mapper/VolGroup01-ldecpack
                           2.8T  1.3T  1.6T  44% /var/netwitness/logdecoder/packetdb
/dev/mapper/VolGroup01-ldecsess
                          300G  285G   16G  95% /var/netwitness/logdecoder/sessiondb


This is most often noticed when investigations of historical data return no results: the metadata has rolled out of the database because the metadb volume is smaller than expected.
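As an added check (not part of the RSA article and not the chkldecvol.sh script), the POSIX shell functions below parse df -h output in the wrapped layout shown above and flag the two conditions this article turns on: the sessiondb volume being larger than the metadb volume (the misconfiguration itself) and sessiondb holding more than 25000 MB of data (the ceiling that must be met before the recovery script is run). The sample df output is constructed from the excerpt above; the mount paths are the ones the article shows.

```shell
#!/bin/sh
# Added example: checks over `df -h` output for the Log Decoder volume layout the
# article describes. Not part of the RSA article or of chkldecvol.sh.

# Constructed sample, reproducing the wrapped layout df -h uses for long device names.
SAMPLE_DF='Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup01-ldecmeta
                            10G  8.8G  1.3G  88% /var/netwitness/logdecoder/metadb
/dev/mapper/VolGroup01-ldecpack
                           2.8T  1.3T  1.6T  44% /var/netwitness/logdecoder/packetdb
/dev/mapper/VolGroup01-ldecsess
                          300G  285G   16G  95% /var/netwitness/logdecoder/sessiondb'

# df_mounts: read df -h output on stdin and print "mountpoint size_mb used_mb" per
# filesystem, re-joining the line pairs that df wraps when the device name is long.
df_mounts() {
  awk '
    function to_mb(s,   u, v) {
      u = substr(s, length(s), 1)
      v = substr(s, 1, length(s) - 1) + 0
      if (u == "T") return v * 1024 * 1024
      if (u == "G") return v * 1024
      if (u == "M") return v
      if (u == "K") return v / 1024
      return 0                      # "0" or an unexpected unit
    }
    NR == 1 { next }                # header line
    NF == 1 { next }                # wrapped device name; the figures follow on the next line
    NF == 5 { printf "%s %d %d\n", $5, to_mb($1), to_mb($2); next }
    NF >= 6 { printf "%s %d %d\n", $6, to_mb($2), to_mb($3) }
  '
}

# ldec_misconfigured: succeed (exit 0) when the sessiondb volume is larger than the
# metadb volume, the layout the article identifies as wrong on a Log Hybrid or AIO.
ldec_misconfigured() {
  df_mounts | awk '
    $1 ~ "logdecoder/metadb$"    { meta = $2 }
    $1 ~ "logdecoder/sessiondb$" { sess = $2 }
    END { exit ((meta > 0 && sess > 0 && sess > meta) ? 0 : 1) }
  '
}

# sessiondb_used_mb: print the "Used" figure of the sessiondb volume in MB.
sessiondb_used_mb() {
  df_mounts | awk '$1 ~ "logdecoder/sessiondb$" { print $3 }'
}

# needs_size_roll: succeed when sessiondb holds more than 25000 MB, i.e. the manual
# sizeRoll (type=session maxSize=25000MB) is required before chkldecvol.sh is run.
needs_size_roll() {
  used=$(sessiondb_used_mb)
  [ -n "$used" ] && [ "$used" -gt 25000 ]
}

# Walk-through on the constructed sample; on the appliance, pipe `df -h` in instead.
if printf '%s\n' "$SAMPLE_DF" | ldec_misconfigured; then
  echo "sessiondb is larger than metadb: Log Decoder volume layout is misconfigured"
fi
if printf '%s\n' "$SAMPLE_DF" | needs_size_roll; then
  echo "sessiondb uses $(printf '%s\n' "$SAMPLE_DF" | sessiondb_used_mb) MB; roll it out to 25000 MB first"
fi
```

On a live appliance the same functions take real output: `df -h | ldec_misconfigured` confirms the symptom, and `df -h | needs_size_roll` tells you whether the sizeRoll step is still required before the script. Sizes are compared in MB after converting the T/G/M suffixes, so the check does not depend on how df -h happens to abbreviate a given volume.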
Resolution

To confirm the issue and to obtain the needed recovery script, contact RSA Support and quote this article number.


To resolve this issue, a script is available that will back up the existing data in metadb and sessiondb, resize the partitions and restore the data to its original location.
Note: Should the data currently present in sessiondb exceed 25GB (as seen in the 'Used' column of the df -h output), then the amount of data in this partition must be reduced using steps 1 and 2 below before running the script.


  1. Manually roll out data in the sessiondb partition until it contains a maximum of 25 GB.
  • Log into the Security Analytics WebUI.
  • Click on Administration -> Devices.
  • Select the log decoder device and click on View -> Explore.
  • In the tree view, right-click on database and select Properties.
  • In the bottom-right pane that opens, click on the dropdown menu and select sizeRoll.
  • In the parameters box, enter the following:  type=session maxSize=25000MB  
(See Figure 1 below.)

  • Click the Send button. In the ResponseOutput box, you will see the files that have been manually rolled out.
Note: Sometimes the above command fails with error:
Failed to process message sizeRoll for /database com.rsa.netwitness.carlos.transport.TanportException:
Size roll operation aborted because the requested maximum hot tier size of "value" is less than half of the
current warm tier usage of "value".

 

Please check Knowledgebase article 000033925.


  2. Verify that the sessiondb partition on the appliance has at most 25 GB of data in use by issuing the df -h command via SSH on the Hybrid or AIO appliance.
  3. Execute the chkldecvol.sh script on the hybrid or AIO appliance.
  • Copy the script onto the log hybrid or AIO appliance.
  • Make the script executable by issuing the chmod +x chkldecvol.sh command from within the directory where the file resides.
  • Execute the script (as root) by issuing the ./chkldecvol.sh command.
  • Follow any on-screen instructions from within the script and await its completion.
  4. Perform a reconfig operation to reflect the changes made by the script.
  • From within Security Analytics, click on Administration -> Devices.
  • Select the log decoder device and click on View -> Explore.
  • In the tree view, right-click on database and select Properties.
  • In the bottom-right pane that opens, click on the dropdown menu and select reconfig. Then click the Send button.
  • In the ResponseOutput box, the recommended partition sizes and settings will be displayed.
  • To apply the recommended changes from the preceding step, enter update=1 into the parameters box and click the Send button. (See Figure 2.)
  • To complete the process, restart the Log Decoder service (nwlogdecoder) either from the Security Analytics UI or via the command-line interface.

Performing the steps above will resolve the misconfiguration issue and will allow the Log Hybrid or AIO appliance to function at its full capacity. If you are unsure of any of the steps above, contact RSA Support and quote this article for additional assistance.

Notes

Figure 1: Performing the manual roll out on the sessiondb partition.

Figure 2: Performing the reconfig operation.


Legacy Article ID: a64807
