frequently, we are facing services showing offline in investigation tab.
please find the screenshot for reference
please let me know, how to resolve permanently
Correct me if i am not correct. I hope you are investigating against broker which has multiple concentrators as data sources. While investigating, one concentrator may be offline.
When the concentrator service is offline, Please check below in Concentrator putty.
- status nwconcentrator
- Check /var/log/messages if it is reindexing with similar logs in 000030044 - How to Index Reset an RSA Security Analytics Appliance in Explore View
yes, we have multiple concentrators under broker.
and this issue is occurring when we troubleshooting the meta values in index custom.xml file
Thanks for more details. So, After editing index-concentrator-custom.xml, you may need to restart concentrator service. During that time, Concentrator service may go offline till service initialized.
thanks for your response
yes, i done the same. after restarting the concentrator, it showing indexing
Thanks for confirmation. While Concentrator index initializing, the investigation page may show "Offline Services: <Concentrator_IP>:56005" which will become normal after initialization finishes.
Same functionality documented in below KB's.
000031912 - Aggregation failed to start on Concentrator with the error "Message start was not recognized by /concentrator" in RSA Security Analytics
000031490 - Security Analytics Concentrator fails to start aggregation with error: "TransportException: Message start was not recognized by /concentrator"
Retrieving data ...