Concentrator unable to catch up to decoder in RSA Security Analytics and NetWitness Platform
Issue
When a failed concentrator is brought back online (for whatever reason) without its previous meta set, the concentrator may fail to catch up to the decoder in a reasonable time due to the sheer volume of decoder data (several terabytes, for example). In circumstances such as this, a practical solution is to establish a reasonable amount of metadata that the concentrator will be able to consume based on time.
Resolution
Please note: changes to the timeRoll settings prune data on the decoder based on time. Once the data is pruned, it is no longer available.
How to use the timeRoll parameter on a packet decoder
timeRoll will prune data in the db based on time in either hours or days.
From the NW UI (any 10.X/11.X version):
- Select the Explorer view on the appliance, select Database.
- Right click on Database and choose Properties.
- On the lower section of the screen will be the section Properties for Decoder (decoder)/database.
- Click on the pulldown next to Parameters.
- By default, ls is the selected option; click on the pulldown and select timeRoll.
- In the parameter window, enter a database value to pass to timeRoll.
- Example 1: timeRoll of the meta DB based on a date
type=meta date="2019-08-11 12:30:00"
Prunes meta earlier than August 11, 2019 12:30:00.
Output: Removed 10 meta files.
- Example 2: timeRoll of the meta DB based on 10 days
type=meta days=10
Prunes meta earlier than 10 days.
Output: Removed 1 meta files.
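Added example (not part of the original RSA article): a sizing helper for choosing the timeRoll window before pruning, since pruned data cannot be recovered. It assumes constant rates that the operator has measured; the function names, the sample figures and the reading of days=N as "N days before now" are assumptions made for illustration.

```python
import math
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # format of the date value shown in Example 1


def max_backlog_days(gen_rate, agg_rate, target_days):
    """Largest backlog (in days of meta) the concentrator can clear in target_days.

    Assumed model: the decoder keeps writing meta at gen_rate while the
    concentrator aggregates at agg_rate (same unit, e.g. GB/day), so the
    backlog shrinks at agg_rate - gen_rate.
    """
    if gen_rate <= 0 or target_days <= 0:
        raise ValueError("rates and target must be positive")
    if agg_rate <= gen_rate:
        raise ValueError("concentrator is not faster than the decoder; it cannot catch up")
    return math.floor(target_days * (agg_rate - gen_rate) / gen_rate)


def timeroll_params(keep_days, now, db_type="meta"):
    """Build the days= form and the matching date= form for keeping keep_days of data.

    Assumption: days=N is measured back from 'now' on the decoder's clock.
    """
    if keep_days < 1:
        raise ValueError("refusing to build a parameter that keeps less than one day")
    cutoff = now - timedelta(days=keep_days)
    return (f"type={db_type} days={keep_days}",
            f'type={db_type} date="{cutoff.strftime(DATE_FMT)}"')


if __name__ == "__main__":
    # Constructed sample figures, not measurements from a real deployment.
    days = max_backlog_days(gen_rate=200.0, agg_rate=500.0, target_days=7)
    by_days, by_date = timeroll_params(days, datetime(2019, 8, 21, 12, 30, 0))
    print(f"keep {days} days of meta")
    print(by_days)
    print(by_date)
```

Printing the date= form next to the days= form lets the operator see the exact cutoff before entering the parameter in the UI.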
Product Details
RSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: Concentrator, Decoder
RSA Version/Condition: 10.x, 11.x
Summary
This article describes one condition and resolution where a concentrator is unable to catch up to a decoder.