RSA NetWitness RAID 0 Advisory

Document created by Kathryn Butler Employee on Sep 19, 2016Last modified by RSA Link Team on Sep 19, 2016
Version 3Show Document
  • View in full screen mode

Customers who installed and configured a new packet decoder Direct Attached Storage between April 2015 – August 2016 may have a meta-cache partition configured as RAID-0.   If it is configured as RAID-0, there will be no redundancy in the event of a hard drive failure resulting in a temporary disruption of packet capture.   Affected customers may either reconfigure the affected drives into a RAID-1 configuration proactively or reconfigure the drives if a failure occurs.


How do I know if I am affected?

KB article 000034030 provides information to identify if a DAC is affected:


What’s the impact?

The RAID 0 configuration applies to the meta-cache/index volumes of Packet Decoder DACs. In the event of a drive failure within this particular RAID group, the following impact occurs:


  1. Capture will be unavailable until failed drive is restored and RAID group configuration is corrected to RAID 1. 
  2. The meta-cache which didn’t aggregate to concentrator will be lost. The meta-cache volume is a temporary storage location containing meta data generated by the decoder before it aggregates to the concentrator. In normal operations where the concentrator and decoder are in sync, less than one second’s worth of meta would be affected.
  3. A re-index will need to occur when Decoder service becomes available. 


Packets stored on the Decoder and meta and index stored on the concentrator will not be affected.


What should I do if I find a DAC which has the RAID 0 configuration? 

For customer systems containing the RAID 0 configuration, there are two possible paths to resolution:


  1. Most customers will find that based on limited impact and availability of a hot spare to provide recovery in a short period of time; they will wait until a failure occurs to reconfigure their drives to RAID 1.
  2. A proactive approach to remediation could be taken by scheduling maintenance to convert the Decoder RAID 0 configuration to RAID 1.


KB article 000034030 provides the appropriate remediation instructions:


For further information, please contact Customer Support or visit the RSA NetWitness Platform page on RSA Link.




EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.



RSA Customer Support