000034479 - How to Troubleshoot-Hourly Processing is Not Working Properly in RSA Web Threat Detection 5.1

Document created by RSA Customer Support Employee on Apr 3, 2017
Version 1

Article Content

Article Number: 000034479
Applies To: RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: 5.1
Platform: Linux
Issue: The Forensics UI is not displaying the hourly 'blue bars'.

Resolution: To determine the cause when the blue bars that show hourly processing is working are not displayed (this is also general practice for many issues in WTD):
1.  Determine whether there were any changes in the WTD configuration, or in the networking or OS environment.
2.  Go to the VARZ grapher and look at the message flow across the components, from
Silvertap to Front Plex to SilverSurfer to Back Plex to Mitigator to Alert Plex to Alert Server and Organizer.

Note:
  1. Each of these is a separate component/process that takes its messages off the Back Plex.
  2. Issues with Silvertap may need the Customer Networking team to verify that the connection from the network hardware to the Silvertap is working properly.
  3. Identify places where the message flow has stopped or the message queue has increased.
  4. Note the CPU and memory usage of the components identified as showing problems.
     A. Go to /var/log/messages and look for errors, and to /var/log/silvertail/ for the component logs.
     B. Look at top -H in the console for WTD processes that are consuming large amounts of memory and CPU cycles.
     C. Consider a restart if no errors are seen above.
  5. Observe the results of a restart of services; if issues persist, contact Customer Support for further assistance.
  6. Go to the /var/opt/silvertail/data/tasks and /indexer folders and make sure the completed folders of each are empty.

Note: If the issue persists, consider contacting Customer Support for further assistance.
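
The log check, the top -H check and the completed-folder check above can be collected in one pass. The script below is an added example, not part of the RSA article or the product; INDEXER_DIR is a placeholder to set to the local indexer folder, and it assumes the completed folders are subdirectories named "completed".

```shell
#!/bin/sh
# Added example: first-pass triage of the log, thread and completed-folder checks.
# Paths are the ones named in the article unless marked as a placeholder.
SYSLOG=${SYSLOG:-/var/log/messages}
COMPONENT_LOGS=${COMPONENT_LOGS:-/var/log/silvertail}
TASKS_DIR=${TASKS_DIR:-/var/opt/silvertail/data/tasks}
INDEXER_DIR=${INDEXER_DIR:-/path/to/indexer}   # placeholder, not from the article

# Count lines containing "error" (any case) in one log file; 0 if unreadable.
count_errors() {
    if [ -r "$1" ]; then
        grep -ci 'error' -- "$1" || true   # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# Count files left under any directory named "completed" below $1.
# Assumption: the "completed folders" are subdirectories with that name.
completed_backlog() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -path '*/completed/*' | wc -l | tr -d ' '
}

# Print the three checks in the order the article lists them.
triage() {
    echo "== error lines per log =="
    echo "$SYSLOG: $(count_errors "$SYSLOG")"
    for f in "$COMPONENT_LOGS"/*; do
        if [ -f "$f" ]; then
            echo "$f: $(count_errors "$f")"
        fi
    done
    echo "== busiest threads (top -H, one batch sample) =="
    top -H -b -n 1 | head -n 20
    echo "== files remaining in completed folders (expected 0) =="
    for d in "$TASKS_DIR" "$INDEXER_DIR"; do
        echo "$d: $(completed_backlog "$d")"
    done
}

# Run only when invoked as "script.sh run", so the functions can be sourced alone.
if [ "${1:-}" = "run" ]; then
    triage
fi
```

A nonzero count from completed_backlog, or a component log whose error count rises between two runs, marks the component to examine first in the VARZ grapher.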
Notes: It is difficult to provide a complete troubleshooting flow, but the steps included in this article can be used by Customer Support Engineers and our Customers to initiate steps towards a cause and resolution.
