Is it possible to force the Concentrator to process the LogDecoder data?

PedroQueiros

‎2018-04-24 05:34 AM

Hello,

I've recently had a problem of free space in my Concentrator, and as such, I've lost old meta (meta.oldest.file.time is only two weeks ago).

 

Since this data still exists in the LogDecoder, and I've reconfigured the available space in the Concentrator, is it possible somehow to force the Concentrator to reprocess that data, so I can go back one month, instead of only two weeks?

 

Thank you for your help!

 

Kind Regards,

Pedro Queirós

0 Likes

JohnKisner

‎2018-04-24 10:42 AM

Pedro,

 

You can reconsume all the available meta and session data on the log decoder by doing a data reset on the concentrator. This will cause the concentrator to reconsume everything that it can from the connected log decoder. It is important that you look at the log decoder's meta and session data to make sure they both are about the same amount of time back. This way when the concentrator reconsumes from the log decoder you have a good picture of how much log decoder data will be available on the concentrator.

 

A side effect of reconsuming like this is that you may receive old alerts firing from the reporting engine or the Event Stream Analysis appliance. Since the concentrator would be consuming from scratch, these devices won't realize they have alerted on the data coming back into the concentrator. These old alerts will continue to fire until the concentrator is fully caught up. Also trying to perform any Investigations against this concentrator before it is fully caught up can cause inconsistent results.

 

I hope this helps.

2 Likes
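
Added example (not part of the original posts, and not NetWitness code): a pre-check for the comparison described in the reply above, run before the irreversible reset. It assumes you have read the Log Decoder's oldest meta and oldest session times and the Concentrator's current `meta.oldest.file.time` from the stats views and typed them in as ISO 8601 strings. The function name, the one-day skew threshold, and the rule that usable history starts at the later of the two decoder times are assumptions of this sketch.

```python
from datetime import datetime, timedelta

def reset_precheck(dec_meta_oldest, dec_session_oldest, conc_meta_oldest,
                   max_skew=timedelta(days=1)):
    """Estimate what a Concentrator data reset would gain (hypothetical helper).

    All three arguments are ISO 8601 timestamps copied by hand from the
    service stats; the input format is an assumption of this example.
    """
    dm, ds, cm = (datetime.fromisoformat(t)
                  for t in (dec_meta_oldest, dec_session_oldest, conc_meta_oldest))

    # Assumption: history is only useful where the decoder still holds both
    # meta and sessions, so the recoverable window starts at the later time.
    recoverable_from = max(dm, ds)
    skew = abs(dm - ds)

    # Positive gain: the decoder reaches further back than the concentrator.
    gain_days = (cm - recoverable_from).total_seconds() / 86400

    warnings = []
    if skew > max_skew:
        warnings.append("decoder meta and session retention differ by "
                        f"{skew.total_seconds() / 3600:.0f} h")
    if gain_days <= 0:
        warnings.append("decoder holds nothing older than the concentrator; "
                        "a reset would only delete data")
    return {
        "recoverable_from": recoverable_from,
        "skew_hours": skew.total_seconds() / 3600,
        "gain_days": gain_days,
        "proceed": gain_days > 0,
        "warnings": warnings,
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    result = reset_precheck("2018-03-24T00:00:00",   # decoder oldest meta
                            "2018-03-25T12:00:00",   # decoder oldest session
                            "2018-04-10T00:00:00")   # concentrator oldest meta
    for key, value in result.items():
        print(f"{key}: {value}")
```
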

PedroQueiros
In response to JohnKisner

‎2018-04-24 12:41 PM

Hello John,

 

Thank you for your reply. And how can I do a "data reset" on the concentrator?

 

Kind Regards,

Pedro Queirós

0 Likes

JohnKisner
In response to PedroQueiros

‎2018-04-24 02:11 PM

Pedro,

 

Within the Netwitness UI, go to the Services page.

1. Click the Actions -> View -> Explore for the concentrator you want to data reset.

2. Once in the Explore view right click on the concentrator node and click Properties.

3. In the Properties area click the drop down and select reset.

4. Then put data=1 in the Parameters area and click Send. Once you click Send, in the Response Output section it will tell you that you have to add something to the Parameter area to verify that you want to do the data reset.

5. In the output there will be a verify=######. You will need to add this verify=###### to the end of the Parameter field. So it should look something like this: data=1 verify=213298.

6. Click Send again and the concentrator will restart and delete all the data files from all index, sessiondb, and metadb locations.

 

Once the restart of the service is complete it will begin reconsuming everything that it can from the connected log decoder. 

 

IMPORTANT: This is a one-way operation. If you tell the concentrator to do a data reset, you cannot undo the reset. So make sure you want to delete all the data from the concentrator.

 

I hope this helps.

0 Likes

RenatoGoncalves
In response to JohnKisner

‎2018-10-09 04:43 AM

Hello John,

 

How can I do that in 11.2? After right-clicking on the concentrator, the drop-down in Properties has no data.....

0 Likes

JohnKisner
In response to RenatoGoncalves

‎2018-10-22 10:13 AM

Renato,

 

Sorry for the long delay. The process is the same in 11.2. If you are seeing nothing in the drop-down, it sounds like you may not have full permissions to the service. Make sure you are using the default admin account if possible. If you cannot use the admin account itself, you will need to make sure that the account you are using has full permissions on the concentrator service. This is generally set up using the Roles under the service's Security area.

0 Likes