Article Number
000039904
Applies To
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Archiver
RSA Version/Condition: 11.x
O/S Version: 7
Issue
The Archiver service repeatedly stops the aggregation process.
The issue persists after stopping and starting the aggregation, or after toggling the source Log Decoder(s) on and off from the Archiver's Config page.
After the most recent Archiver service restart, /var/log/messages on the Archiver shows a failure like the one below.
OCT 2 09:52:28 Archiver NwArchiver[26407]: [Index] [failure] boost::filesystem::rename: File exists: "/var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369", "/var/netwitness/archiver/database0/default/index/managed-values-2369"
Cause
The issue can occur when the Archiver has a duplicate index slice under /var/netwitness/archiver/databaseX/<Collection Name>/index/assimilate/.
This duplicate index slice contains only partial data and is redundant to the one under /var/netwitness/archiver/databaseX/<Collection Name>/index/.
Resolution
To resolve the issue, move or delete the duplicate index slice (e.g. /var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369) from the reported folder by following the steps below.
- SSH into the Archiver host.
- Stop the Archiver service.
systemctl stop nwarchiver
- Move or delete the duplicate index slice in the assimilate folder.
e.g.
mv /var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369 /tmp
OR
rm -rf /var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369
- Start the Archiver service.
systemctl start nwarchiver
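
A pre-check for the procedure above, as an added example (not RSA-supplied tooling): it lists every slice that exists in both index/assimilate/ and index/, so all collisions can be cleared in one maintenance window, and implements the "mv" option without overwriting anything. The function names and the holding directory argument are hypothetical; run the move only while nwarchiver is stopped.

```shell
#!/bin/sh
# Added example, not RSA-supplied tooling. Paths follow the article's layout:
#   /var/netwitness/archiver/databaseX/<Collection Name>/index[/assimilate]

# find_duplicate_slices INDEX_DIR
# Print each entry under INDEX_DIR/assimilate whose name also exists directly
# under INDEX_DIR (the collision behind "rename: File exists").
find_duplicate_slices() (
    index_dir=$1
    [ -d "$index_dir/assimilate" ] || exit 0
    for entry in "$index_dir"/assimilate/*; do
        [ -e "$entry" ] || continue   # unmatched glob: assimilate/ is empty
        name=${entry##*/}
        if [ -e "$index_dir/$name" ]; then
            printf '%s\n' "$entry"
        fi
    done
)

# quarantine_duplicate_slices INDEX_DIR HOLD_DIR
# Move every duplicate into HOLD_DIR (the article's "mv" option) and print how
# many were moved. HOLD_DIR is a hypothetical location chosen by the operator.
# Slices that are not duplicated, and the copies under INDEX_DIR, are untouched.
quarantine_duplicate_slices() (
    index_dir=$1
    hold_dir=$2
    moved=0
    mkdir -p "$hold_dir" || exit 1
    for entry in "$index_dir"/assimilate/*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        [ -e "$index_dir/$name" ] || continue
        if [ -e "$hold_dir/$name" ]; then
            # Never merge into or overwrite an earlier quarantined copy.
            echo "skip $name: already present in $hold_dir" >&2
            continue
        fi
        mv -- "$entry" "$hold_dir/$name" && moved=$((moved + 1))
    done
    echo "$moved"
)
```

Call find_duplicate_slices once per collection index directory before step 3, then either quarantine_duplicate_slices or the manual mv/rm from the article.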