|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.6.X
|Issue||When Archiver/Concentrator was offline for certain time, the aggregation fails to start as expected session already rolled over from decoder/logdecoder.|
The errors indicate session gap as below.
Jan 5 13:33:40 XXXX NwConcentrator: [Aggregation] [warning] Device: 'A.B.C.D:56004' requested session 1102239707
|Cause||The Archiver or the Concentrator was expecting a sessionid that was not available for the Decoder or the Logdecoder as the session has already rolled out. Hence, it produced errors with "skipped sessions cannot be consumed", indicating the expected session is not longer available.|
|Resolution||Please follow below steps to start aggregation.|
1. Login to putty of Decoder/Logdecoder.
2. Restart the service using below commands sequentially.
Note: Please change the keyword from nwdecoder to nwlogdecoder if you are aggregating from the Log Decoder
4. Start aggregation in Archiver/Concentrator->Config page. This should start aggregation now.