000034058 - Error message "Meta database free space threshold exceeded" prevents capturing from starting on an RSA Security Analytics decoder

Document created by RSA Customer Support Employee on Sep 26, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000034058
Applies ToRSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Decoder
Platform: CentOS
IssueAfter clicking on the Start Capture from Decoder -> View -> System, the popup of "Capture will be started" appears, and after few seconds it reverts back from "Stop Capture" to "Start Capture" and the capture never starts.
An error message similar to the example below appears in the /var/log/messages file on the Decoder.
Aug 8 05:43:53 decoder [1022]: [Decoder] [warning] Meta database free space threshold exceeded (/var/netwitness/logdecoder/metadb, 87.95 MB free), capture is stopping. Please check drive and configuration.
CauseOne or more of the databases' partitions on the appliance are full.
ResolutionTo resolve the issue, follow the steps below.
  1. Connect to the appliance via SSH as the root user.
  2. Run "df -kh" and check the output for metadb, sessiondb, packetdb partitions usage.
If you found one of them exceeded 95% as shown in the example below, then perform the following steps.
[root@LogDecoder /]# df -kh
                      300G  300G   14M 100% /var/netwitness/logdecoder/metadb

  1. Navigate to the appropriate directory.
    [root@LogDecoder /]# cd /var/netwitness/logdecoder/metadb

  2. Check for old core files.
    [root@LogDecoder metadb]# ls -rtlh | grep -i core
    -rw-------. 1 root root 4.3G May 24 05:43 core.3114
    -rw-------. 1 root root 5.2M May 24 05:43 core.33784
    -rw-------. 1 root root  14G Sep 14 03:45 core.48582

  3. Delete the old core files to free up some space.
    [root@LogDecoder metadb]# rm -rf core.3114 core.33784 core.48582

  4. Try to "start capture" again from the user interface.
  5.  If a new core file is created, move the core file to a different location and contact RSA Customer Support in order to temporarily stop core file creation and so so that the core file can be analyzed to identify the root cause of the issue.