| Article Number | 000034058 |
| Applies To | RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Decoder
Platform: CentOS |
| Issue | After clicking on the Start Capture from Decoder -> View -> System, the popup of "Capture will be started" appears, and after few seconds it reverts back from "Stop Capture" to "Start Capture" and the capture never starts.
An error message similar to the example below appears in the /var/log/messages file on the Decoder.
Aug 8 05:43:53 decoder [1022]: [Decoder] [warning] Meta database free space threshold exceeded (/var/netwitness/logdecoder/metadb, 87.95 MB free), capture is stopping. Please check drive and configuration. |
| Cause | One or more of the databases' partitions on the appliance are full.
|
| Resolution | To resolve the issue, follow the steps below.
- Connect to the appliance via SSH as the root user.
- Run "df -kh" and check the output for metadb, sessiondb, packetdb partitions usage.
If you found one of them exceeded 95% as shown in the example below, then perform the following steps.
[root@LogDecoder /]# df -kh
/dev/mapper/VolGroup00-ldecmeta
300G 300G 14M 100% /var/netwitness/logdecoder/metadb
- Navigate to the appropriate directory.
[root@LogDecoder /]# cd /var/netwitness/logdecoder/metadb
- Check for old core files.
[root@LogDecoder metadb]# ls -rtlh | grep -i core
-rw-------. 1 root root 4.3G May 24 05:43 core.3114
-rw-------. 1 root root 5.2M May 24 05:43 core.33784
-rw-------. 1 root root 14G Sep 14 03:45 core.48582
- Delete the old core files to free up some space.
[root@LogDecoder metadb]# rm -rf core.3114 core.33784 core.48582
- Try to "start capture" again from the user interface.
- If a new core file is created, move the core file to a different location and contact RSA Customer Support in order to temporarily stop core file creation and so so that the core file can be analyzed to identify the root cause of the issue.
|
on Sep 26, 2016