|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: NetWitness Logs & Network UI
RSA Version/Condition: 10.6.x
O/S Version: 6
Product Name: SA-HYBRID-L
Product Description: SecAnlytcs Hybrd Dplymnt Logs
|Issue||The NetWitness Log Decoder service will not remain started; it repeatedly tries to start, crashes, and creates core dump files.|
This fills the filesystem /var/netwitness/logdecoder to 100%. Even if you remove the core files and restart, the Log Decoder service will not start; it keeps core dumping.
Note the error below repeating in the /var/log/messages file while the Log Decoder service tries to start up, until core dump files fill up the filesystem:
|Cause||In this example, the Log Decoder crashes were due to statdb file corruption. The nwlogdecoder service keeps looping while trying to start.|
|Resolution||Ensure the latest NetWitness patch release has been installed.|
If NetWitness is already running the latest version, collect a sample core file from when the issue started to occur, contact RSA Support to open a case with RSA Engineering to investigate the cause, and then proceed to the workaround.
|Workaround||As a workaround, delete the core files.|
If the core file creation is due to a corrupt statdb file, then move or rename the statdb file mentioned in the error message, and then restart the nwlogdecoder service.
Back up at least one recent core file in case further investigation of the issue is needed with RSA Engineering.
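
The file-handling part of the workaround above, as an added example that is not RSA's own script: it moves the newest core file to a backup directory, deletes the remaining core files, and renames the statdb file instead of deleting it. The `core.*` name pattern, the function names and every path passed in are assumptions; take the statdb path from the error message in /var/log/messages.

```bash
#!/bin/bash
# Added example. The core.* name pattern and all paths are assumptions,
# not values taken from the KB article.

# preserve_and_prune_cores CORE_DIR BACKUP_DIR
# Moves the newest core file to BACKUP_DIR, deletes the other core files,
# and prints how many were deleted. BACKUP_DIR should sit on a filesystem
# that still has free space, since CORE_DIR's filesystem may be full.
preserve_and_prune_cores() {
    core_dir=$1
    backup_dir=$2
    [ -d "$core_dir" ] || { echo "no such directory: $core_dir" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1

    # Newest first by modification time; names are assumed to have no newlines.
    newest=$(ls -1t "$core_dir"/core.* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || { echo 0; return 0; }

    # Keep one recent core file for the support case before deleting anything.
    mv -- "$newest" "$backup_dir"/ || return 1

    deleted=0
    for f in "$core_dir"/core.*; do
        [ -f "$f" ] || continue
        rm -f -- "$f" && deleted=$((deleted + 1))
    done
    echo "$deleted"
}

# quarantine_statdb STATDB_FILE
# Renames the statdb file with a timestamp suffix so it stays available
# for later analysis. Prints the new file name.
quarantine_statdb() {
    statdb=$1
    [ -f "$statdb" ] || { echo "not a file: $statdb" >&2; return 1; }
    target="$statdb.corrupt.$(date +%Y%m%d%H%M%S)"
    mv -- "$statdb" "$target" && echo "$target"
}
```

Run both functions while the nwlogdecoder service is stopped, then restart the service as described in the workaround.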