Archiver does not aggregate new sessions in real time in RSA NetWitness Platform
Issue
The Archiver does not aggregate new sessions in real time. The Aggregate Devices tab in the Archiver configuration screen shows a rate of 0 and a status of "consuming". No data is being written to the Archiver's database folder.
The Archiver starts to aggregate again if either of the following actions is performed:
- The Log Decoder is switched offline and then online again.
- The Log Decoder service (nwlogdecoder) is restarted and the device is then switched back online (after the service restart, it shows as offline on the Archiver configuration page).
After that aggregation completes, the Archiver consumes nothing further until one of the actions above is performed again.
Cause
This is expected behaviour rather than a bug: it is a consequence of the Archiver's 'nice' aggregation feature.
By default, aggregate.nice is set to 1 (enabled). With this setting the Archiver does NOT aggregate the latest packet/meta/session files from the Log Decoder until the Log Decoder has finished writing them and marked them read-only. While the Log Decoder is still writing to the current file, the Archiver therefore has nothing it is willing to consume, and the rate stays at 0 until that file is closed.
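To make the cause concrete, the following Python model reproduces the behaviour described above. It is an added example written for this article, not NetWitness code: the file names, the directory layout, the byte-offset bookkeeping and the use of the owner write bit as the "finished" marker are all assumptions made for illustration. It shows why a pass with aggregate.nice=1 consumes nothing while the decoder is still appending to the current file, and why aggregate.nice=0 picks up the new bytes on every pass.

```python
"""Model of Archiver 'nice' aggregation (illustrative, not NetWitness code).

A Log Decoder writes session/meta/packet files into a directory and, when it
finishes a file, marks it read-only. With aggregate.nice=1 the Archiver only
consumes files that are already read-only; with aggregate.nice=0 it also
consumes new bytes from the file still being written.
"""
import os
import stat
import tempfile


def is_finished(path: str) -> bool:
    """A file counts as finished when the owner write bit is cleared.

    The mode bits are inspected directly rather than via os.access(),
    because os.access() reports W_OK for root regardless of the mode bits.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & stat.S_IWUSR == 0


def aggregate_pass(directory: str, aggregate_nice: int, offsets: dict) -> int:
    """One aggregation pass over `directory`; returns new bytes consumed.

    offsets maps path -> bytes already consumed and is updated in place.
    aggregate_nice=1: skip any file the decoder has not yet finished.
    aggregate_nice=0: take new bytes from every file, including the open one.
    """
    consumed = 0
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if aggregate_nice == 1 and not is_finished(path):
            continue  # 'nice': leave the file the decoder is still writing alone
        size = os.path.getsize(path)
        done = offsets.get(path, 0)
        if size > done:
            consumed += size - done
            offsets[path] = size
    return consumed


def simulate(aggregate_nice: int) -> list:
    """Run three aggregation passes against a constructed decoder directory.

    Returns the bytes consumed per pass, so the symptom from the article
    (rate 0 while the decoder is still writing) can be checked.
    """
    offsets = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample data (assumed names): two closed files and one
        # that the decoder is still appending to.
        for name in ("sessions-0001", "sessions-0002"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"closed\n")        # 7 bytes
            os.chmod(p, 0o444)              # decoder marks finished file read-only
        open_file = os.path.join(d, "sessions-0003")
        with open(open_file, "wb") as f:
            f.write(b"partial\n")           # 8 bytes, file stays writable

        first = aggregate_pass(d, aggregate_nice, offsets)

        # Decoder appends more data to the still-open file.
        with open(open_file, "ab") as f:
            f.write(b"more\n")              # 5 bytes
        second = aggregate_pass(d, aggregate_nice, offsets)

        # Decoder finishes the third file and marks it read-only.
        os.chmod(open_file, 0o444)
        third = aggregate_pass(d, aggregate_nice, offsets)
    return [first, second, third]


if __name__ == "__main__":
    print("aggregate.nice=1 bytes per pass:", simulate(1))
    print("aggregate.nice=0 bytes per pass:", simulate(0))
```

With aggregate.nice=1 the second pass consumes 0 bytes even though the decoder has written more data, which is the "rate 0, status consuming" picture from the Issue section; the data only arrives once the file is closed. With aggregate.nice=0 every pass consumes whatever is new. Both settings consume the same 27 bytes in total, so the difference is latency, not data loss.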
Resolution
To let the Archiver aggregate close to real time, set /archiver/config/aggregate.nice to 0 in the Explore view for the Archiver service. The Archiver then always aggregates new data from the Log Decoder, including the file the Log Decoder is still writing.
Notes
aggregate.nice=1 is the default for performance reasons: by leaving the file that is still being written alone, the Archiver reduces contention on the Log Decoder, which may be serving the Archiver, Warehouse Connector and Concentrator at the same time. Setting aggregate.nice=0 trades some of that headroom for near real-time aggregation, so check Log Decoder load after changing it.
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Archiver, Log Decoders
RSA Version/Condition: 11.x, 12.x