NetWitness Community

Anonymous · ‎2013-12-18

today, i just got an issue with concentrator that its not showing any data in investigation for today. i checked the capture rate on packet decoder and got capture rate is 0 but max capture rate is increasing or total packet is also increasing means packet is coming on decoder then i restart the concentrator service but got issue is same so i reboot the device but got issue is still same. then i checked the concentrator congiguration where we add decoder for data aggregation and i got that its status is failed, i just removed the decoder add again first i got online and then status goes failed.

Anonymous · ‎2013-12-22

There is a setting for the concentrator / broker under Config -> Explore then going to the SDK -> Config, you can change the "aggregation window" which is usually defaulted to 20 minutes. Depending on the amount of traffic going through your system you can lower that value and keep testing it to ensure your concentrator doesn't get behind -- you can set it to 10 minutes to start off and see if that backs up your concentrator/broker. If it doesn't, then that buys you a 10 min refresh window in Investigator instead of taking 20 minutes.

View solution in original post

huanzhou1 · ‎2013-12-18

Tried to restart decoder service? can send the logs for both concentrator or decoder? Checked the disk usage?

Anonymous · ‎2013-12-18

i have reboot the decoder and also checked that nwdecoder, nwcollector is running.

and concentrator disk space is:-

[root@NWAPPLIANCE11887 ~]# df -h

Filesystem Size Used Avail Use% Mounted on

/dev/mapper/VolGroup00-root

6.7G 935M 5.4G 15% /

tmpfs 48G 0 48G 0% /dev/shm

/dev/sde1 256M 32M 211M 14% /boot

/dev/mapper/VolGroup00-usrhome

2.0G 67M 1.9G 4% /home

/dev/mapper/VolGroup00-tmp

8.2G 147M 7.6G 2% /tmp

/dev/mapper/VolGroup00-var

6.2G 169M 5.7G 3% /var

/dev/mapper/VolGroup01-varlog

20G 271M 19G 2% /var/log

/dev/mapper/VolGroup01-nwhome

30G 172M 30G 1% /var/netwitness

/dev/mapper/VolGroup00-vartmp

6.3G 143M 5.8G 3% /var/tmp

/dev/mapper/concentrator-root

30G 293M 30G 1% /var/netwitness/concentrator

/dev/mapper/concentrator-decoroot

20G 33M 20G 1% /var/netwitness/decoder

/dev/mapper/index-index

1.1T 248M 1.1T 1% /var/netwitness/concentrator/index

/dev/mapper/concentrator-sessiondb

600G 576M 600G 1% /var/netwitness/concentrator/sessiondb

/dev/mapper/concentrator-metadb

11T 5.8G 11T 1% /var/netwitness/concentrator/metadb

[root@NWAPPLIANCE11887 ~]#

huanzhou1 · ‎2013-12-18

"2013-12-18T12:57:30","INFO","Aggregation","","Device '10.10.30.184:50004' is attempting to restart aggregation from failed state."

"2013-12-18T12:57:30","INFO","Aggregation","","Device '10.10.30.184:50004' is being initialized"

"2013-12-18T12:57:30","INFO","Aggregation","","Query for last session for device '10.10.30.184:50004' with 'did=""pktdec""' returned no results"

"2013-12-18T12:57:30","INFO","Aggregation","","Local database found no sessions for device '10.10.30.184:50004'"

"2013-12-18T12:57:30","INFO","Aggregation","","Device '10.10.30.184:50004' is querying for exact session time"

"2013-12-18T12:57:30","ERROR","Aggregation","","Failed to initialize device '10.10.30.184:50004' because No such object 1, valid range is 1 to 0. Device aggregation is being stopped."

time same? can remove the device and add again from the concentrator config?

Anonymous · ‎2013-12-18

okay i got, i just restart decoder service and then remove from concentrator and add again. now concentrator status is consuming but in investigation no result, please have a look on attached document

huanzhou1 · ‎2013-12-18

can check the concentrator status? or drill down?

RSAAdmin · ‎2013-12-19

Are you querying a Broker? Make sure the Broker is consuming from the concentrator. Add Decoder Source meta in investigation to quickly see if events are coming in.

Anonymous · ‎2013-12-19

oaky its working now, but taking too much time to show result in investigation.

huanzhou1 · ‎2013-12-19

that's great. it take a while to build the index for query.

Anonymous · ‎2013-12-22

There is a setting for the concentrator / broker under Config -> Explore then going to the SDK -> Config, you can change the "aggregation window" which is usually defaulted to 20 minutes. Depending on the amount of traffic going through your system you can lower that value and keep testing it to ensure your concentrator doesn't get behind -- you can set it to 10 minutes to start off and see if that backs up your concentrator/broker. If it doesn't, then that buys you a 10 min refresh window in Investigator instead of taking 20 minutes.

NetWitness Community

concentrator failed to aggregate data from pecket decoder