Article Number
000001714
Applies To
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Decoder, Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x, 11.x
Platform: CentOS
Issue
After clicking Start Capture from Decoder -> View -> System, the popup "Capture will be started" appears, but after a few seconds the button reverts from "Stop Capture" to "Start Capture" and the capture never starts.
An error message similar to the example below appears in the /var/log/messages file on the Decoder.
Aug 8 05:43:53 decoder [1022]: [Decoder] [warning] Meta database free space threshold exceeded (/var/netwitness/logdecoder/metadb, 87.95 MB free), capture is stopping. Please check drive and configuration.
Cause
One or more of the database partitions on the appliance are full.
Resolution
To resolve the issue, follow the steps below.
- Connect to the appliance via SSH as the root user.
- Run "df -kh" and check the usage of the metadb, sessiondb and packetdb partitions.
If one of them exceeds 95%, as shown in the example below, perform the following steps.
[root@LogDecoder /]# df -kh
/dev/mapper/VolGroup00-ldecmeta
300G 300G 14M 100% /var/netwitness/logdecoder/metadb
- Navigate to the appropriate directory.
[root@LogDecoder /]# cd /var/netwitness/logdecoder/metadb
- Check for old core files.
[root@LogDecoder metadb]# ls -rtlh | grep -i core
-rw-------. 1 root root 4.3G May 24 05:43 core.3114
-rw-------. 1 root root 5.2M May 24 05:43 core.33784
-rw-------. 1 root root 14G Sep 14 03:45 core.48582
- Delete the old core files to free up some space.
[root@LogDecoder metadb]# rm -rf core.3114 core.33784 core.48582
- Try to "start capture" again from the user interface.
- If a new core file is created, move it to a different location and contact RSA Customer Support to temporarily stop core file creation and so that the core file can be analyzed to identify the root cause of the issue.
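The partition check and core-file listing from the steps above, as an added read-only example (not RSA's own tooling). It parses "df -P" rather than "df -kh" because -P keeps each filesystem on one line even when a long device-mapper name would otherwise wrap; the function names, the --live switch and the sample df rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: report NetWitness database partitions above a usage
# threshold and list core files in them. Read-only: nothing is deleted.
THRESHOLD=95   # percent, the limit used in the article

# Constructed sample in `df -P` format (one line per filesystem).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/VolGroup00-ldecmeta 314572800 314558464 14336 100% /var/netwitness/logdecoder/metadb
/dev/mapper/VolGroup00-ldecsess 104857600 52428800 52428800 50% /var/netwitness/logdecoder/sessiondb
/dev/mapper/VolGroup00-root 52428800 51380224 1048576 98% /'

# Read `df -P` output on stdin; print the mount points of metadb, sessiondb
# or packetdb partitions whose usage exceeds the limit given as $1.
full_db_partitions() {
    awk -v limit="${1:-$THRESHOLD}" '
        NR > 1 && $NF ~ /\/(metadb|sessiondb|packetdb)$/ {
            pct = $(NF-1); sub(/%/, "", pct)
            if (pct + 0 > limit + 0) print $NF
        }'
}

# Print regular files named core.* directly inside directory $1.
list_core_files() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type f -name 'core.*' | sort
}

# Read `df -P` output on stdin and print a report for each full partition.
report() {
    full_db_partitions "$THRESHOLD" | while read -r mount; do
        echo "Over ${THRESHOLD}%: $mount"
        list_core_files "$mount" | while read -r f; do ls -lh "$f"; done
    done
}

# --live checks the real appliance; otherwise the constructed sample is used.
case "${1:-}" in
    --live) df -P | report ;;
    *)      printf '%s\n' "$SAMPLE_DF" | report ;;
esac
```

Review the listed core files before removing any of them, and keep the newest one if RSA Customer Support needs it for analysis.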