
Concentrator service fails to start when filename.size is changed from Int32 to Int64 in the index-concentrator-custom.xml file in RSA Security Analytics 10.6.5

Issue

After upgrading to RSA Security Analytics 10.6.5, the Concentrator service will not start when filename.size is changed from Int32 to Int64 in the index-concentrator-custom.xml file. The format must be set back to Int32 in order for the service to start.

The filename.size parameter was recently added in the index-concentrator-custom.xml file with the size of Int32 as part of the RSA Security Analytics 10.6.5 release.

Cause

The issue occurs because the filename.size parameter has already been defined in the index-concentrator-custom.xml file with a different value than what was added as the default value (Int32).

Based on rules in the code, the customer can override some values of a key, but the data type is not one of them. Because the parameter was already defined as Int64, the service failed to start once the index-concentrator.xml file was updated.

Workaround

The index-concentrator.xml file defines the data type being added to the database, and the data type is not allowed to be overridden. This is due to the issues that would arise if a user already has data collected as one data type, but later decides to change the data to something different. The customer is able to change other values such as Index type (IndexValues vs IndexKeys), flags, or max values.

In RSA Security Analytics 10.6.5, the format of filename.size in the index-concentrator-custom.xml file has to be set back to Int32 from Int64 in order for the service to start.
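
The rule described above can be checked before a service restart. This is an added example, not RSA's code: it compares the contents of the default and custom index files and lists every key whose format in the custom file differs from the default. The `<key>` attribute layout (`name`, `format`, `level`, `valueMax`) and both XML samples are constructed assumptions; replace them with the real file contents.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for index-concentrator.xml (attribute layout is assumed).
DEFAULT_XML = """<language level="IndexNone">
  <key description="File Size" format="Int32" level="IndexValues" name="filename.size" valueMax="100000"/>
  <key description="Source IP" format="IPv4" level="IndexValues" name="ip.src" valueMax="500000"/>
</language>"""

# Constructed stand-in for index-concentrator-custom.xml.
CUSTOM_XML = """<language level="IndexNone">
  <key description="File Size" format="Int64" level="IndexValues" name="filename.size" valueMax="200000"/>
  <key description="Source IP" format="IPv4" level="IndexKeys" name="ip.src" valueMax="500000"/>
  <key description="Custom" format="Text" level="IndexValues" name="custom.meta"/>
</language>"""


def key_formats(xml_text):
    """Map key name -> declared format for every <key> element."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.get("format") for k in root.iter("key") if k.get("name")}


def format_conflicts(default_xml, custom_xml):
    """Return sorted (name, default_format, custom_format) tuples for keys
    whose data type the custom file tries to override."""
    defaults = key_formats(default_xml)
    conflicts = []
    for name, fmt in key_formats(custom_xml).items():
        base = defaults.get(name)
        # Keys only present in the custom file are new definitions, not overrides.
        # Overriding level or valueMax is allowed; only a format change is flagged.
        if base is not None and fmt is not None and fmt != base:
            conflicts.append((name, base, fmt))
    return sorted(conflicts)


if __name__ == "__main__":
    for name, base, custom in format_conflicts(DEFAULT_XML, CUSTOM_XML):
        print(f"{name}: default {base}, custom {custom} -> set custom back to {base}")
```

In the sample, the ip.src override of the index level is not reported, because only the data type is compared.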

Notes

  • The table-map.xml file on the Log Hybrid defines filename.size as Int64 and transient and sets the format of this meta to Int64 by default.
  • The table-map-custom.xml file on the Log Hybrid defines filename.size as Int64 and none.
  • The index-concentrator.xml file defines filename.size as Int32 and changes the format to Int32 with no error.
  • The filename.size parameter was added to the index-concentrator.xml file in RSA Security Analytics 10.6.5 with a default value of Int32.

Product Details

RSA Product Set: RSA NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Concentrator
RSA Version/Condition: 10.6.5
Platform: CentOS 6

Summary

This issue is new to 10.6.5: if filename.size is changed from Int32 to Int64 in the index-concentrator.xml file, the Concentrator service will not start.

