000026695 - How to remove the invalidation flag from an RSA NetWitness Platform decoder

Document created by RSA Customer Support Employee on Jan 11, 2017
Last modified by RSA Customer Support on Sep 23, 2019
Version 3

Article Content

Article Number: 000026695

Applies To:
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Decoder, Concentrator
RSA Version/Condition: 10.x, 11.x

Issue: How to remove the invalidation flag from an RSA NetWitness decoder.

If the Decoder suffers a crash or power outage, it is likely to deem a large number of sessions invalid. It then sets a flag that tells the Concentrators which sessions are invalid so that each Concentrator can invalidate them in its database. This process can sometimes take a long time, during which the service is unavailable for investigations.


In order to bypass this, the invalidation flag needs to be removed from the decoder for the affected Concentrators. Follow these steps for each Concentrator to remove the invalidation flag and bring the Concentrator back online.

  1. Log on to the NetWitness UI with administrator privileges.
  2. Navigate to the Services tab.
  3. Select the Concentrator service and enter the Explore view.
  4. Navigate to decoder->config->recovery.
  5. Right-click on the recovery folder and select "Properties".
  6. In the frame that opens in the bottom right, click the pull-down menu and select "setrecov".
  7. In the parameters field, enter 'device=<concentrator> key=sessions.invalid value=', where <concentrator> is the complete folder name of the Concentrator entry in the frame above, including the colon ":" and port number if present.
  8. Click "Send".
  9. Start the Concentrator service via the appliance tasks in Administrator.

The Concentrator should start normally and resume consuming from the decoder once it finishes initializing its indexes.

This may also occur if a Decoder was data reset without first being removed from its Concentrator. If this is the case, you may need to take the following additional steps:

  1. Click Stop Aggregation under NetWitness UI > Concentrator > System. Wait for aggregation to stop completely. If aggregation does not stop, proceed with step #2.
  2. If aggregation still has not stopped after 5 minutes, stop the Concentrator service from the Appliance Service using "Hosts Tasks". Select "stop service", enter "service=concentrator" where appropriate, and click "Run".
  3. In the same window, switch to "start service", enter "service=concentrator", and click "Run".
  4. Connect back to the Concentrator's service.
  5. If additional Decoders are attached to the Concentrator, it might take some time to initialize. You can view the logs under Concentrator > Logs view to see how long the Concentrator will take to initialize.
  6. If your Concentrator is set to start aggregation automatically, stop aggregation and wait for the status to show "stopped" to confirm that aggregation has stopped.
  7. Add the recently reset Decoder under Concentrator > Config > General > Aggregate Services. If the host is already there, remove it and then add it back in. You may see the status "error" for the Decoder; this is OK.
  8. Start aggregation. The error should clear and the Concentrator should start aggregating from the Decoder once again.

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a58595