This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Hybrid - Aggregation Behind Consistently

EvanRamos1
Beginner
Beginner

‎2016-11-10 02:22 PM

Howdy,

 

SA/NW Version: 10.6.1.0

Hybrid Con/Dec/Collector.

 

We are having an odd issue that just started happening last week (after we updated some parsers from Live). During the day(s) our aggregation from our log decoder on our concentrator gets ridiculously behind. Never catches up. We've observed this is only happening during the day. Around 6PM , the problem goes away. Never reaching >1M sessions behind. This is a new issue, nothing has changed from what I can tell in our collections.

 

The health and wellness alerts say "check for noisy parser" but searching through /var/log/messages i see no errors. Somewhere else to check? Has anyone ran into an issue like this? 

 

To rule out data -

- Turned off syslog listener (514udp/tcp) on log collector . Left it off for 5 mins - no affect, behind still grows.

- Turned off Windows Collections. Left off for 5 mins - no affect, behind still grows.

- Turned off VMware Collections. Left off for 5 mins - no affect, behind still grows.

- Restarted nwlogdecoder service

 

We tried tuning sdk/config settings per: 000034117 - Performance of Concentrator Service on Hybrid Appliance is slow in RSA Security Analytics ; hasn't helped. 

 

We have a support case open with RSA and they have been helpful. However I thought to post the issue here in case someone has ran into this before. Or has any ideas. 

 

aggissue.JPG

0 Likes
4 REPLIES 4

ArthurCostigan1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2016-11-10 02:57 PM

Hi Evan.   Can you tell us what version of Netwitness Logs you are running.  Are you using any custom Meta Keys? 

0 Likes

EvanRamos1
Beginner
Beginner
In response to ArthurCostigan1

‎2016-11-10 04:52 PM

Howdy, using 10.6.1.0 for Logs, no custom meta only defaults. 

0 Likes

DavidWaugh1
Employee
Employee

‎2016-11-11 03:56 AM

What is the EPS through the Log Decoder? (Logdecoder -> Stats)

The concentrator aggregation rate seems low. If you restart the concentrator service (stop nwconcentrator then start nwconcentrator) does the throughput increase.

 

If you run 

 

iostat -m -N -x 5 are you seeing high disk utilisation on any partition (especially the concentrator index partition)

 

 

When did the issue first start. eg has it always been slow or has something changed?

0 Likes

EvanRamos1
Beginner
Beginner
In response to DavidWaugh1

‎2016-11-13 02:49 PM

I tried restarting the nwconcentrator service and uhhh it got really mad about that. Throwing lock errors all over the place. So i ended up rebooting the Hybrid box altogether and the problem magically went away. Crappy solution but i do have a case open with a tech dump taken so hopefully root cause can be found. I'm concerned the problem might surface again but for now i'm just monitoring it. 

 

Thanks for the tips/help!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.