000034456 - RSA NetWitness Packet/Log Hybrid  or Concentrator is not being consumed by the Broker

Document created by RSA Customer Support Employee on Dec 1, 2016Last modified by RSA Customer Support on Jan 18, 2018
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034456
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: and later releases 
Platform: CentOS
IssueThe Broker has stopped aggregating from attached Concentrator services in the Broker View > config screen. The Broker service is falling behind on packets. Attempts to toggle the service off and on to restart aggregation fail. 
CauseThe connection between the Broker and down-stream Concentrators or Brokers needs to be re-established so that the Broker can resume aggregation. 
  1.  Login to SA UI > Services
  2. Select the Broker > View config >  General > Aggregate services > Remove the Concentrator or Broker services
  3. Open an SSH session to the Broker appliance.
  4. Restart the nwbroker service.
  5. Use status nwbroker to ensure that the broker service is running.

stop nwbroker
start nwbroker
status nwbroker

  1. Login to SA UI > Services > select the Broker > view config >  General > Aggregate services > Add the Concentrator or Broker services.