Article Number
000001358
Applies To
NetWitness Product Set: RSA NetWitness Platform
NetWitness Product/Service Type: Concentrator
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7
Issue
The Concentrator's Config page shows a 'consuming' status, but the aggregation rate stays at 0 while the "sessions behind" count is high and growing. Clicking the 'Start Aggregation' button does not start aggregation.
/var/log/messages shows errors like the following (the exact rule text and line number will differ):
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] Throw in function nw::CorrelationDefinition nw::{anonymous}::parseCorrelationRule(nw::CorrLang&, const nw::StringParams&)Dynamic exception type: boost::exception_detail::clone_impl<nw::LogicError>std::exception::what: rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys[boost::errinfo_at_line_*] = 575
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Thread] [info] Stopped thread: Correlation Work id: 3439
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Aggregation] [info] Aggregation has started
Cause
Aggregation will not start while the Concentrator service has one or more Correlation Rules with invalid syntax: the service fails while parsing the rule set (the parseCorrelationRule failure above), stops the correlation thread, and never consumes from the Decoder. Note that the '[Aggregation] [info] Aggregation has started' message is still logged after the failure, so that line alone does not confirm that aggregation is working; the absence of the [failure] lines does.
Browsing to Concentrator->Config->Correlation Rules tab will show which rules have deprecated or invalid syntax.
Resolution
To resolve the issue, perform the following steps on the Concentrator host as root.
- Stop the concentrator service
systemctl stop nwconcentrator
- Make a backup of the current NwConcentrator.cfg file.
cp /etc/netwitness/ng/NwConcentrator.cfg /root/
- Modify NwConcentrator.cfg to remove the invalid Correlation Rule(s).
vi /etc/netwitness/ng/NwConcentrator.cfg
Note: The Correlation Rules are located under the following line.
<folder name="correlation" instance="folder">
- Start the concentrator service.
systemctl start nwconcentrator
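The procedure above, wrapped in shell helpers, as an added example that is not part of the RSA article or of NetWitness itself. It backs up the config to a timestamped copy, prints the correlation block so the offending rule(s) can be identified before opening the file in vi, and after the restart counts only the log lines written since the restart, because the 'Aggregation has started' message appears even when the rule parse failed. Two assumptions are made and labelled in the code: that the correlation rules sit between the `<folder name="correlation" instance="folder">` line and the next line containing `</folder>`, and that a failed rule parse logs a line containing `parseCorrelationRule` or `expected a comma-separated list`, as in the sample log above. The rule entries in the sample config are placeholders, since the article does not show the rule syntax.

```shell
#!/bin/sh
# Added example for this article; not RSA/NetWitness code.
# Assumptions (not confirmed by the article):
#  (1) the correlation rules sit between the line
#      <folder name="correlation" instance="folder">
#      and the next line containing </folder> in NwConcentrator.cfg;
#  (2) a rule that fails to parse logs a line containing
#      'parseCorrelationRule' or 'expected a comma-separated list'.

# Copy a config file to a timestamped backup and print the backup's path.
backup_cfg() {
    cfg="$1"; dest_dir="${2:-/root}"
    dest="$dest_dir/$(basename "$cfg").$(date +%Y%m%d%H%M%S).bak"
    cp -p "$cfg" "$dest" && echo "$dest"
}

# Print the correlation-rule block of a NwConcentrator.cfg so the rule(s)
# to remove can be identified before editing the file (assumption 1).
show_correlation_block() {
    awk '/<folder name="correlation" instance="folder">/ { inblk = 1 }
         inblk { print }
         inblk && /<\/folder>/ { exit }' "$1"
}

# Count rule parse failures in a log file (assumption 2), ignoring the
# first N lines; pass the log's length from before the restart as N so only
# messages written after the restart are checked. Prints 0 when none.
count_rule_failures() {
    log="$1"; skip="${2:-0}"
    n=$(tail -n +$((skip + 1)) "$log" \
        | grep -c -E 'parseCorrelationRule|expected a comma-separated list' || true)
    echo "${n:-0}"
}

# The article's procedure on a real Concentrator (run as root). The edit
# itself stays manual: remove the rule(s) flagged in the log or on the
# Config > Correlation Rules tab, then call concentrator_start_and_verify.
concentrator_stop_and_backup() {
    systemctl stop nwconcentrator
    backup_cfg /etc/netwitness/ng/NwConcentrator.cfg /root
    show_correlation_block /etc/netwitness/ng/NwConcentrator.cfg
}

concentrator_start_and_verify() {
    before=$(wc -l < /var/log/messages)
    systemctl start nwconcentrator
    sleep 30    # give the service time to parse the rules and log the result
    if [ "$(count_rule_failures /var/log/messages "$before")" -eq 0 ]; then
        echo "no correlation-rule parse failures logged since restart"
    else
        echo "rule parse failures still logged after restart; re-check the rules" >&2
        return 1
    fi
}

# Constructed sample data (not from a real host) so the helpers can be run
# offline: a config with three folders (placeholder rule lines) and a log
# holding the failure lines from this article followed by the misleading
# "Aggregation has started". Prints: <block lines> <failures> <failures
# after skipping the two pre-restart lines>, i.e. "4 2 0".
demo_on_sample() {
    dir=$(mktemp -d)
    cat > "$dir/NwConcentrator.cfg" <<'EOF'
<folder name="logs" instance="folder">
<!-- unrelated settings -->
</folder>
<folder name="correlation" instance="folder">
<!-- placeholder rule 1 -->
<!-- placeholder rule 2 (the invalid one) -->
</folder>
<folder name="meta" instance="folder">
</folder>
EOF
    cat > "$dir/messages" <<'EOF'
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] Throw in function nw::CorrelationDefinition nw::{anonymous}::parseCorrelationRule(nw::CorrLang&, const nw::StringParams&)Dynamic exception type: boost::exception_detail::clone_impl<nw::LogicError>std::exception::what: rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys[boost::errinfo_at_line_*] = 575
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Aggregation] [info] Aggregation has started
EOF
    lines=$(show_correlation_block "$dir/NwConcentrator.cfg" | wc -l | tr -d ' ')
    echo "$lines $(count_rule_failures "$dir/messages") $(count_rule_failures "$dir/messages" 2)"
    rm -rf "$dir"
}
```

On the real host the sequence is `concentrator_stop_and_backup`, edit `/etc/netwitness/ng/NwConcentrator.cfg` with vi to drop the bad rule(s), then `concentrator_start_and_verify`; the 30-second wait before reading the log is a guess and may need adjusting for a large rule set.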