2016-01-23 03:12 PM
Hi Guy
I am doing a new deployment of Security Analytics which has 4 appliances: a decoder, a concentrator, a hybrid and an SA server with broker. I upgraded the appliances from 10.5 to 10.5.1 and then finally to 10.5.1.2. Collection on the decoders stops about 5-10 minutes after a service restart. So if I restart the service every 20 minutes I will have data every time. At times collection can start on its own hours later and stop again. I have checked everything. In case you are wondering: yes, all services are set to auto-start.
2016-01-24 01:14 AM
Hi Nathan,
At the moment the most you can do is log in to the RSA KB and check the issues related to 10.5.x and their solutions in the available articles.
Good luck!!
2016-01-25 04:08 AM
Normally more information should be available in /var/log/messages.
I would open a support case at support@rsa.com to investigate further, as there could be many reasons for this behaviour.
2016-01-25 10:57 AM
Hi,
This could be related to a space issue. Can you check to verify that you have no core files?
cd /
# find . -name 'core.*' -print
Remove any core files that have a PID attached (core.2345, for example) and try to start again.
David
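The core-file check above, written out as a small POSIX sh script. This is an added example, not a command set from the thread or from RSA: it walks a root directory (default / as in the post), lists only files whose name is core.<digits> so that unrelated files such as core.old are left alone, reports the filesystem usage of that root, and deletes the matches only when DRY_RUN=0 is set. The function names and the DRY_RUN variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find core.<pid> dumps under a root
# directory, show disk usage, and optionally remove the dumps.
# Assumes POSIX sh with find, grep, df, du and awk available.

# Print core.<pid> files under $1 (default /), one path per line.
# The numeric-suffix filter keeps things like core.old or a core.d
# directory out of the list, which is what "pid attached" means.
find_core_files() {
    root="${1:-/}"
    find "$root" -type f -name 'core.*' 2>/dev/null |
        grep -E '/core\.[0-9]+$'
}

# Number of core.<pid> files under $1.
count_core_files() {
    find_core_files "$1" | wc -l | tr -d ' '
}

# Percentage of the filesystem holding $1 that is in use (no % sign).
disk_usage_pct() {
    df -P "${1:-/}" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Remove core.<pid> files under $1. With DRY_RUN unset or 1 (the default)
# only print what would be removed and how big each file is.
remove_core_files() {
    root="${1:-/}"
    dry="${DRY_RUN:-1}"
    find_core_files "$root" | while IFS= read -r f; do
        if [ "$dry" = 1 ]; then
            printf 'would remove %s (%s)\n' "$f" "$(du -h "$f" | cut -f1)"
        else
            rm -f -- "$f" && printf 'removed %s\n' "$f"
        fi
    done
}

# Usage: sh core_check.sh /            (dry run, lists dumps)
#        DRY_RUN=0 sh core_check.sh /  (actually deletes them)
if [ $# -gt 0 ]; then
    printf 'disk use under %s: %s%%\n' "$1" "$(disk_usage_pct "$1")"
    printf 'core.<pid> files found: %s\n' "$(count_core_files "$1")"
    remove_core_files "$1"
fi
```

Run it in dry-run mode first and look at the sizes: a few multi-gigabyte core.<pid> files in /var is exactly the kind of "space issue" that would explain a service that starts, runs for a few minutes and then stops.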
2016-01-25 11:10 AM
Thank you for responding. This was caused by parsers. After disabling all parsers and only enabling a few, the appliances have been collecting packets for over 48 hours. Now the question is: how do I find out which parsers are problematic without having to enable them one by one until I find it?
2016-01-25 11:13 AM
Hi Ronald,
I guess the real question would be the old one: what changed? What new parser was added? In most cases it may have been a custom one. Did that happen?
David
2016-01-25 11:17 AM
Ronald,
When it stops, do you see any corresponding messages in /var/log/messages on that packet device? We can also look at /var/lib/netwitness/uax/logs/sa.log on the SA server to verify that we have no parser errors.
David
2016-01-25 11:22 AM
David
This was a totally new installation. The first thing I did before even collecting data was to download Lua_Parsers. So I don't know if it would have worked fine without the Lua parsers.
2016-01-27 05:18 PM
Hi Ronald,
So the actual cause was the Lua parser?
David
2016-01-27 09:31 PM
David
No, it's not a Lua parser. The problem is with one of the pre-installed parsers, the network parsers. Now I am trying to figure out how to get it to work.