Article Number
000001388
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.2.0
Platform: CentOS
O/S Version: 7
Issue
Cause
Sometimes the Broker can complain about the ranges out of sync with the Index/MapDB.
When the ranges are out of sync, you may face this problem on the investigation/events page.
When ranges are out of sync, you are not able to query properly in the broker.
Workaround
You can try the following procedures to fix this issue.
- Go to the Explore page of "Broker".
- Right Click "Broker" node and select "Repair" from the dropdown.
- Click Send. This would take a few seconds to a few minutes.
- Check if the issue persists on the Broker.
This step would not cause any data loss. This would eventually correct the mapping in the broker. Restarting Service is not required.
But if the procedures above do not work, you need to perform the following procedures.
- SSH to the Broker Appliance.
- Turn off the Broker Service (service nwbroker stop). Before proceeding further, check the status of the service (service nwbroker status). The status should not be deactivating / running / active.
- Go to the Folder: "/var/netwitness/broker/index"
- Map DB files would be present.
- Backup the Files in this folder to any backup location.
- Make Directory "mkdir /root/broker-mapdb/"
- Go to the folder "/var/netwitness/broker/index"
- Move all the files "mv * /root/broker-mapdb/ -vv"
- Check if all the files are moved to the backup location.
- Start the Broker Service.
- Post starting the service, remove, and re-add the devices in the Broker Configurations.
*Note: Back up process is very important. If there is any issue in regeneration, only recovery process is to restore the backed up files.
Once done, you are now able to query via "Go to event in Event Reconstruction" with problematic sessionid which means it syncs with the Index/MapDB in the broker.