Article Number
000032185
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Concentrator, Hybrid Concentrator, Broker, Security Analytics UI
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
RSA Product/Service Type: Concentrator, Hybrid Concentrator, Broker, Security Analytics UI
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
Issue
When adding a Concentrator to a Broker for aggregation, after entering the credentials the error message "Communication Fail" is displayed.
Cause
This issue generally occurs due to one of the reasons below.
This issue tends to occurs when a Concentrator has been re-imaged or replaced and needs to be added to the Broker again for aggregation.
When the Broker sends the initial "select/query" to scan/check the indexes, if there are too many (e.g. around 500+ slices) then it can cause that query from the Broker to time out on the Concentrator.
- Too many index slices on the Concentrator
- Network issues (e.g. firewall and/or routing problems)
This issue tends to occurs when a Concentrator has been re-imaged or replaced and needs to be added to the Broker again for aggregation.
When the Broker sends the initial "select/query" to scan/check the indexes, if there are too many (e.g. around 500+ slices) then it can cause that query from the Broker to time out on the Concentrator.
Resolution
It is first necessary to check the index slices on the Concentrator.
This can be done via the command line or via the Explore view in the Security Analytics UI.
Command Line
Security Analytics UI
To resolve the issue when a large number of slices are found, perform one of the options below.
Option 1
Perform a sizeRoll on the index which can be rolled out base on size, total space, or percentage.
Option 2
Perform an index reset on the Concentrator. This can take between 24 to 72 hours depending on the size of the database.
NOTE: When the re-indexing is in progress, no aggregation or investigation will be available.
Follow the steps below to perform an index reset via the command-line:
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
This can be done via the command line or via the Explore view in the Security Analytics UI.
Command Line
- Connect to the Concentrator via SSH as the root user.
- Issue the command below to get a count of the total files and folder.
ll /var/netwitness/concentrator/index | wc -l
- If the result of the command above shows more than 500 files/folders the the old index needs to be rolled out or an index reset is required.
Security Analytics UI
- Log into the Security Analytics UI as a user with administrative permissions.
- Navigate to the Administration -> Services page.
- Click on the red Actions button for the Concentrator and click on View -> Explore.
- In the Explorer view, navigate to Index -> stats -> slices.total and verify the number.
Image description
To resolve the issue when a large number of slices are found, perform one of the options below.
Option 1
Perform a sizeRoll on the index which can be rolled out base on size, total space, or percentage.
Option 2
Perform an index reset on the Concentrator. This can take between 24 to 72 hours depending on the size of the database.
NOTE: When the re-indexing is in progress, no aggregation or investigation will be available.
Follow the steps below to perform an index reset via the command-line:
- Connect to the Concentrator via SSH as the root user.
- Stop the nwconcentrator service.
stop nwconcentrator
- Delete all files and folders in the /var/netwitness/concentrator/index directory.
rm -rf /var/netwitness/concentrator/index/*
- Start the nwconcentrator service again.
start nwconcentrator
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
In this article
