000011645 - Unable to remove or re-add an RSA NetWitness concentrator to a broker

Document created by RSA Customer Support Employee on Jan 10, 2017. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000011645

Applies To:
RSA NetWitness NextGen
RSA NetWitness NextGen 9.5 and above
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker
RSA NetWitness Administrator
RSA NetWitness Investigator

Issue: Unable to remove or re-add an RSA NetWitness concentrator to a broker.

When connected to your Broker in RSA NetWitness Investigator, you may notice that a particular Concentrator is not being consumed by the Broker. When you try to remove and re-add the Concentrator, you are presented with error messages similar to the following:

12345678 2011-Feb-01 09:57:58 my_concentrator.50005 failure There is a mismatch between lSessions (22) and lMetas (33), please delete and re-add this device to correct.

Resolution

In order to resolve the issue, follow the steps below.

 

1. Within RSA NetWitness Administrator, connect to the Broker, then click on the "Stats" tab and find the offending Concentrator. Note the hostname and/or IP.

2. Click the drop-down beside the Concentrator and click "Remove Device".

3. Click the "Stop Aggregation" button.

4. Connect to the Broker via ssh, navigate to the directory /var/netwitness/broker/index, and list the directory with "ll" (two lower-case "L" characters).

5. Files in this directory will begin with either the IP or hostname of connected Concentrators. Look for any files that begin with either the hostname or IP address of the Concentrator you removed in step 2 (the hostname/IP you noted in step 1).

6. If you find any files that begin with the IP or hostname of the already-removed Concentrator, stop the broker service by issuing the following command:

stop nwbroker (Fedora Appliances*)
monit stop nwbroker (CentOS 5.5 / EL5* Appliances)

7. Delete any of these files with the "rm" command.

8. Start the Broker service by issuing the following command:

start nwbroker (Fedora Appliances*)
monit start nwbroker (CentOS 5.5 / EL5* Appliances)

9. Connect back to the Broker with RSA NetWitness Administrator. On the "Stats" page you should now be able to add the previously-offending Concentrator back in. If you don't have aggregation set to start automatically on service start, you may start it now by clicking the "Start Aggregation" button.

* To determine the Linux version, issue the following command: cat /etc/redhat-release
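
Steps 5 and 7 as a dry-run-first shell helper. This is an added example, not RSA-provided code. The function names, the DELETE variable and the rule that a match followed directly by a letter or digit belongs to a different device (10.0.0.1 vs 10.0.0.10) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not RSA code). Directory is the one named in step 4.
INDEX_DIR="${INDEX_DIR:-/var/netwitness/broker/index}"

# stale_index_files NAME...
# Prints one path per line for regular files in INDEX_DIR whose name begins
# with NAME (the hostname and/or IP noted in step 1).
# Assumption: if the character right after NAME is a letter or digit, the
# file belongs to a longer-named device; it is reported on stderr and skipped.
stale_index_files() {
    for name in "$@"; do
        [ -n "$name" ] || continue
        for f in "$INDEX_DIR"/*; do
            [ -f "$f" ] || continue
            base=${f##*/}
            case "$base" in
                "$name"[A-Za-z0-9]*)
                    echo "skipped, review manually: $f" >&2 ;;
                "$name"*)
                    printf '%s\n' "$f" ;;
            esac
        done
    done
}

# purge_index_files NAME...
# Dry run by default; deletes only when DELETE=yes is set.
# Run with DELETE=yes only after the broker service is stopped (step 6).
purge_index_files() {
    stale_index_files "$@" | while IFS= read -r f; do
        if [ "${DELETE:-no}" = yes ]; then
            rm -- "$f" && echo "removed $f"
        else
            echo "would remove $f"
        fi
    done
}

# Stand-alone use: pass the hostname and/or IP as arguments.
if [ "$#" -gt 0 ]; then
    purge_index_files "$@"
fi
```

Run it once without DELETE set to review the list, then again with DELETE=yes between steps 6 and 8.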

Legacy Article ID: a58737
