Web Threat Detection 126.96.36.199 Indexer core dumps with a segfault after upgrade
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Web Threat Detection
RSA Version/Condition: 188.8.131.52
Platform: WTD 184.108.40.206
Platform (Other): na
O/S Version: CentOS/RHEL 6.x
Product Name: Web Threat Detection
Product Description: Web Threat Detection
Environments upgraded to 220.127.116.11 may experience a segfault when the Indexer process attempts to run. When this happens, Indexer will leave a core file in /var/log/silvertail, if the OS is configured to do so.
Syslog will have messages similar to the ones below:
Jun 2 07:00:25 <hostname> kernel: [6603643.182719] Callback: segfault at 0 ip (null) sp 00007fc46592cfe8 error 14
Jun 2 07:00:25 <hostname> kernel: [6603643.182723] Callback: segfault at 0 ip (null) sp 00007fc462727fe8 error 14 in indexer[400000+4aa000] in indexer[400000+4aa000]
There will be an hour that will not show any clicks in the Forensics UI.
If the OS is configured correctly there will be Indexer core files in /var/log/silvertail.
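The following is an added example, not part of the original article or of WTD: a shell function that scans syslog text for the kernel segfault messages shown above and lists each clock hour in which Indexer crashed, with a count, as a starting point for finding the affected hour in the Forensics UI. It assumes the timestamp layout of the quoted messages; the function names and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input. The first two lines are the messages quoted in the
# article; the last two are constructed for this example (an unrelated process
# and a second Indexer crash in a later hour).
sample_syslog() {
    cat <<'EOF'
Jun 2 07:00:25 <hostname> kernel: [6603643.182719] Callback: segfault at 0 ip (null) sp 00007fc46592cfe8 error 14
Jun 2 07:00:25 <hostname> kernel: [6603643.182723] Callback: segfault at 0 ip (null) sp 00007fc462727fe8 error 14 in indexer[400000+4aa000] in indexer[400000+4aa000]
Jun 2 09:15:01 <hostname> kernel: [6611719.000001] worker: segfault at 10 ip 0000000000401000 sp 00007ffd00000000 error 4 in exampled[400000+1000]
Jun 2 11:00:31 <hostname> kernel: [6618049.000001] Callback: segfault at 0 ip (null) sp 00007fc46592cfe8 error 14 in indexer[400000+4aa000]
EOF
}

# Reads syslog text on stdin and prints "<Mon> <day> <HH>:00 <count>" for each
# hour that contains a segfault attributed to the indexer binary.
indexer_segfault_hours() {
    awk '
    / segfault at / {
        hour = $1 " " $2 " " substr($3, 1, 2) ":00"
        if ($0 ~ / in indexer\[/) {
            # Also claim earlier lines in this hour whose "in <binary>[...]"
            # tail was lost to interleaved kernel output, as in the sample.
            count[hour] += 1 + pending[hour]
            pending[hour] = 0
            if (!(hour in seen)) { seen[hour] = 1; order[++n] = hour }
        } else if ($0 !~ / in [^ ]+\[[0-9a-f]+\+[0-9a-f]+\]/) {
            pending[hour]++      # segfault line with no binary named
        }
        # Lines naming another binary are ignored.
    }
    END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
    '
}

# Demonstration on the embedded sample.
sample_syslog | indexer_segfault_hours
```

On a live system, feed the function the system log instead of the sample, for example `indexer_segfault_hours < /var/log/messages` on CentOS/RHEL 6.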
This is caused by enhancements made to WTD in 18.104.22.168.
To fix this issue, customers will need to upgrade to a version of WTD that contains the fix.
22.214.171.124 and higher versions will have the fix for this issue.
The latest version of 5.1 software will be available through SecurCare Online on Download Central.
Log in via SSH to a system in the environment with access to the /var/opt/silvertail/data directory.
Move the .task file for the hour that is missing traffic in the FUI from /var/opt/silvertail/data/tasks/indexer/failed to the start point of the task chain; this is normally /var/opt/silvertail/data/tasks/organizer/completed. This can be looked up in SilverCat under Indexer>tasks>pending.
This will result in the tasks running again for that hour. Only one task will be processed at a time; if multiple .task files are in the /failed directory, they will be run in order.
If a task fails again, and the task file is deposited back in /var/opt/silvertail/data/tasks/indexer/failed, it may not be because of the Indexer Segfault issue. Open a case with support to verify that there is not another reason why Indexer is failing.