000026695 - How to remove the invalidation flag from an RSA NetWitness decoder

Document created by RSA Customer Support Employee on Jan 11, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000026695
Applies To: RSA NetWitness NextGen, RSA NetWitness Decoder, RSA NetWitness Log Decoder, RSA NetWitness Concentrator, RSA NetWitness Hybrid, RSA NetWitness Broker
Issue: How to remove the invalidation flag from an RSA NetWitness decoder.
Resolution

If the Decoder crashes or loses power, it will likely mark a large number of sessions as invalid. It then sets a flag telling its Concentrators which sessions are invalid so that each Concentrator can invalidate them in its own database. This process can take a long time, during which the Concentrator service is unavailable for investigations.

To bypass this, the invalidation flag must be removed from the Decoder for each affected Concentrator. Follow these steps for each Concentrator to remove the flag and bring the Concentrator back online.

  1. Stop the Concentrator service via Appliance Tasks in Administrator.
  2. Connect to the Decoder in Administrator and open an Explorer tab by pressing Ctrl-E with the Decoder selected.
  3. Navigate to decoder->config->recovery.
  4. Right-click the recovery folder and select "Properties".
  5. In the frame that opens at the bottom right, click the pull-down menu and select "setrecov".
  6. In the parameters field, enter 'device=<concentrator> key=sessions.invalid value=' (leaving value empty), where <concentrator> is the complete folder name of the Concentrator entry in the frame above, including the colon ":" and port number if present.
  7. Click "Send".
  8. Start the Concentrator service via Appliance Tasks in Administrator.

The Concentrator should start normally and resume consuming from the Decoder once it finishes initializing its indexes.

This can also occur if a Decoder was data-reset without first being removed from its Concentrator. If so, you may need to take the following additional steps:

  1. On the Concentrator, attempt to stop aggregation. Look in the log window for "Aggregation threads have completed" to confirm that aggregation has stopped. In this case it might not.
  2. If aggregation still has not stopped after 5 minutes, stop the Concentrator service from the appliance service using "Appliance Tasks": select "stop service", enter "service=concentrator" in the appropriate field, and click "Run".
  3. In the same window, switch to "start service", enter "service=concentrator", and click "Run".
  4. Connect back to the Concentrator service.
  5. If additional Decoders are attached, the Concentrator may take some time to initialize. Watch the log window to see how long initialization takes.
  6. If your Concentrator is set to start aggregation automatically, stop aggregation and look in the log window for "Aggregation threads have completed" to confirm that aggregation has stopped.
  7. Attempt to add the recently reset Decoder back in; if it is already there, remove it and then add it back in. You may see status "error" for the Decoder; this is OK.
  8. Start aggregation. The error should clear and the Concentrator should start aggregating from the Decoder once again.


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a58595
