000035952 - Concentrator service fails to start when filename.size is changed from Int32 to Int64 in the index.concentrator-custom.xml file in RSA Security Analytics 10.6.5

Document created by RSA Customer Support Employee on Jan 27, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035952
Applies ToRSA Product Set: RSA NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Concentrator
RSA Version/Condition: 10.6.5
Platform: CentOS 6
IssueAfter upgrading to RSA Security Analytics 10.6.5, the concentrator service will not start when filename.size is changed from Int32 to Int64 in the index.concentrator-custom.xml file.  The format must be set back to Int32 in order for the service to start. 

The filename.size parameter was recently added in the index-concentrator-custom.xml file with the size of Int32 as part of the RSA Security Analytics 10.6.5 release.
CauseThe issue occurs because the filename.size parameter has already been defined in the index-concentrator-custom.xml file with a different value than what was added as the default value (Int32).

Based on rules in the code, the customer can override some values of a key, but the data type is not one of them.  Since the parameter was already defined as Int64 then, at the point at which the index-concentrator.xml file was updated, the service failed to start.
WorkaroundThe index-concentrator.xml file defines the data type being added to the database, and the data type is not allowed to be overridden. This is due to the issues that would arise if a user already has data collected as one data type, but later decides to change the data to something different. The customer is able to change other values such as Index type (IndexValues vs IndexKeys), flags, or  max values.

In RSA Security Analytics 10.6.5, the format of filename.size in the index.concentrator-custom.xml file has to be set back to Int32 from Int64 in order for the service to start. 
Notes
  • The table-map.xml file on the Log Hybrid defines filename.size as Int64 and transient and sets the format of this meta to Int64 by default.
  • The table-map-custom.xml file on the Log Hybrid defines filename.size as Int64 and none.
  • The index-concentrator.xml file defines filename.size as Int32 and changes the format to Int32 with no error.
  • The filename.size parameter was added to the index-concentrator.xml file in RSA Security Analytics 10.6.5 with a default value of Int32.

Attachments

    Outcomes