|Applies To||RSA Product Set: RSA NetWitness Logs & Packets, Security Analytics|
RSA Product/Service Type: Concentrator
RSA Version/Condition: 10.6.5
Platform: CentOS 6
|Issue||After upgrading to RSA Security Analytics 10.6.5, the concentrator service will not start when filename.size is changed from Int32 to Int64 in the index.concentrator-custom.xml file. The format must be set back to Int32 in order for the service to start. |
The filename.size parameter was recently added in the index-concentrator-custom.xml file with the size of Int32 as part of the RSA Security Analytics 10.6.5 release.
|Cause||The issue occurs because the filename.size parameter has already been defined in the index-concentrator-custom.xml file with a different value than what was added as the default value (Int32).|
Based on rules in the code, the customer can override some values of a key, but the data type is not one of them. Since the parameter was already defined as Int64 then, at the point at which the index-concentrator.xml file was updated, the service failed to start.
|Workaround||The index-concentrator.xml file defines the data type being added to the database, and the data type is not allowed to be overridden. This is due to the issues that would arise if a user already has data collected as one data type, but later decides to change the data to something different. The customer is able to change other values such as Index type (IndexValues vs IndexKeys), flags, or max values.|
In RSA Security Analytics 10.6.5, the format of filename.size in the index.concentrator-custom.xml file has to be set back to Int32 from Int64 in order for the service to start.