2015-01-16 10:39 AM
Our LogDecoder refuses to work today. When we "Start Capture" an Initialization Error occurs.
Failed to start capture: Failed to process message start for /decoder com.rsa.netwitness.carlos.transport.TransportException: terminated
2015-03-20 11:24 PM
Hi guys, I had the same problem and I fixed it the same way, running a data reset, but my folder /var/netwitness/logdecoder/metadb is increasing very fast, about 25GB a day.
I am collecting data from 80 Windows Server via winrm.
Is it normal for this folder to increase this way?
Regards.
2015-03-24 04:47 AM
That seems to be normal at first glance, depending on the load on the Windows machines.
What about the size of /var/netwitness/logdecoder/packetdb - nearly the same?
How many entries are there in table-map.xml and table-map-custom.xml with flags="None"?
Have you used the Windows Event Source "Channel selection feature" for filtering unnecessary events like System^(101|201), Security(4672), Application^(211|300), or does your system collect all the Windows channels?
Think about raising /Database/Config -> meta.compression.level ...
regards
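The question about how many table-map entries carry flags="None" is worth checking mechanically rather than by eye. The following is an added example (not code from this thread or from RSA) that parses a table-map-style XML file and counts entries per flags value. It assumes the format as I understand it: a <mappings> root holding <mapping> elements with envisionName, nwName, flags and format attributes, where flags="None" means the key is persisted to the meta database and flags="Transient" means it is used during parsing only, so the flags="None" count is what feeds metadb growth. The embedded sample file is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a table-map-custom.xml (assumed structure:
# <mappings> root, <mapping> elements carrying envisionName/nwName/flags/format).
SAMPLE_TABLE_MAP = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="event_id" nwName="event.id"   flags="None"      format="Text"/>
  <mapping envisionName="username" nwName="user.dst"   flags="None"      format="Text"/>
  <mapping envisionName="hostname" nwName="alias.host" flags="None"      format="Text"/>
  <mapping envisionName="process"  nwName="process"    flags="Transient" format="Text"/>
  <mapping envisionName="msg"      nwName="msg"        flags="Transient" format="Text"/>
</mappings>
"""


def count_flags(xml_text):
    """Return a Counter of the flags attribute over every <mapping> element."""
    root = ET.fromstring(xml_text)
    return Counter(m.get("flags", "") for m in root.iter("mapping"))


def persisted_keys(xml_text):
    """Return the sorted nwName values whose meta is persisted (flags="None")."""
    root = ET.fromstring(xml_text)
    return sorted(
        m.get("nwName", "")
        for m in root.iter("mapping")
        if m.get("flags") == "None"
    )


def summarize(xml_text):
    """Small summary dict: persisted vs. transient vs. total mapping count."""
    counts = count_flags(xml_text)
    return {
        "none": counts.get("None", 0),
        "transient": counts.get("Transient", 0),
        "total": sum(counts.values()),
    }


def summarize_file(path):
    """Same summary, read from a real table-map.xml / table-map-custom.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    print(summarize(SAMPLE_TABLE_MAP))
    print("persisted keys:", persisted_keys(SAMPLE_TABLE_MAP))
```

Run it against both /etc/netwitness/ng/envision/etc/table-map.xml and table-map-custom.xml (paths assumed; use wherever your decoder keeps them) with summarize_file and compare the "none" counts before and after trimming keys you do not query on; every persisted key is written per event, so on 80 Windows servers a handful of unneeded flags="None" entries adds up quickly.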
2015-03-24 10:57 PM
Thanks for your reply Davme.
The size of /var/netwitness/logdecoder/packetdb
is not as big as /var/netwitness/logdecoder/metadb, I will check the exact size.
I am not using "Channel selection feature". Is there a recommendation of Event IDs to exclude?
After running a data reset I can still see the logs in the Investigation tab, so what kind of data is deleted using this command? Would it be the raw log?
Regards.
2015-03-25 04:17 AM
Can you really see the raw logs in Investigation after a decoder data reset, or did you only see the indexed metadata at the concentrator/broker level? Security Analytics is a distributed system, you have to clear data in several places: decoder/concentrator/broker.
There is no recommendation of Event IDs to exclude, it depends on your experience. Useful Links for it:
https://www.owasp.org/index.php/Logging_Cheat_Sheet
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
2015-03-25 09:21 PM
Yes, I see just indexed metadata at the Concentrator.
My question is, in LogDecoder we have huge logs because LogDecoder stores the raw logs, right?
Is it possible to schedule a data reset to run once a week, for example?
Regards.
2015-03-26 09:51 AM
Most of our requests are to store more data rather than purging existing data more quickly. I am not sure why you are interested in manually purging the raw logs from the system.
Your Log Decoder should be rolling out all data (session, meta, and packet) when the allocated filesystems reach 95% capacity. If it is not, then something may not be configured properly in the appliance.
There are several things you can do to purge data earlier than the default retention period but I'd like to make sure I understand "what" and "why" before I start making recommendations. But it is possible to script a "time-roll" or a "size-roll" or even data reset and execute that via a cron job. These are just kind of unusual requests.
A sample "size-roll" operation is shown in KB article 17193 found at https://rsaportal.force.com/customer/articles/Break_Fix/a64807-Log-Decoder-partitions-in-RSA-Security-Analytics-hybrid-o…
Not sure if it would help, but it is also possible to enable metadb compression on Log Decoders and Concentrators. See KB 27795 at https://rsaportal.force.com/customer/articles/How_To/a65372-Q-A-on-Enabling-Meta-Compression-in-RSA-Security-Analytics-1…
2015-03-26 08:59 PM
Thanks JSaxon.
If it works I won't need to use a data reset.
Regards.
2015-03-27 11:10 AM
If you run the latest technical support script (nwtech.sh) and submit the results for evaluation we can let you know if we find any configuration problems that might prevent data from automatically rolling out.
The latest script may be found at https://rsaportal.force.com/customer/articles/How_To/a59741-RSA-NetWitness-and-Security-Analytics-Tech-Support-Data-Gath….
Hope that helps.
2015-03-27 04:29 PM
Thanks JSaxon.
I am going to wait a week and check if the logs are being automatically rolled out; if not, I will send you the results of this technical support script.
Regards.