Cannot add Concentrator to Broker in RSA Security Analytics
Issue
Adding the Concentrator to the Broker may fail with a "communication error".
Cause
The cause is not yet confirmed, but it could be related to a large number of index slices (fragmentation) on the Hybrid appliance for the Concentrator.
Workaround
If re-indexing the Concentrator is currently not possible, you can try out the following workaround:
1. Log in to the NetWitness UI.
2. Under Admin > Services, select the Concentrator that is failing to be added to the Broker.
3. Go to Security > admin > Query Time out and change it from 60 minutes to 1 minute.
4. Now go to Broker > Config.
5. Add the above Concentrator to the Broker.
6. If the Concentrator is added successfully, refresh the page to confirm it is in the “consuming” state.
7. You may need to stop/start aggregation if it shows the “online” state.
8. After the Concentrator is added successfully, go back to step 2 and change the parameter “Query Time out” back to 60 minutes.
Resolution
The optimal resolution is to reduce the retention policy on the Hybrid appliance and re-index the Concentrator.
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Concentrator, Broker
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma Linux