Error message Meta database free space threshold exceeded prevents capturing from starting on an RSA NetWitness decoder

Issue

After clicking on the Start Capture from Decoder -> View -> System, the popup of "Capture will be started" appears, and after few seconds it reverts back from "Stop Capture" to "Start Capture" and the capture never starts.

An error message similar to the example below appears in the /var/log/messages file on the Decoder.

Cause

One or more of the databases' partitions on the appliance are full.

Resolution

To resolve the issue, follow the steps below.

1. Connect to the appliance via SSH as the root user.
2. Run "df -kh" and check the output for metadb, sessiondb, packetdb partitions usage.

If you found one of them exceeded 95% as shown in the example below, then perform the following steps.
 

1. Navigate to the appropriate directory.
   [root@LogDecoder /]# cd /var/netwitness/logdecoder/metadb
2. Check for old core files.
   [root@LogDecoder metadb]# ls -rtlh | grep -i core
   -rw-------. 1 root root 4.3G May 24 05:43 core.3114
   -rw-------. 1 root root 5.2M May 24 05:43 core.33784
   -rw-------. 1 root root  14G Sep 14 03:45 core.48582
3. Delete the old core files to free up some space.
   [root@LogDecoder metadb]# rm -rf core.3114 core.33784 core.48582
4. Try to "start capture" again from the user interface.
5.  If a new core file is created, move the core file to a different location and contact RSA Customer Support in order to temporarily stop core file creation and so so that the core file can be analyzed to identify the root cause of the issue.

Product Details

RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Decoder, Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x, 11.x
Platform: CentOS

Summary

After clicking on Start Capture, it shows the popup as Capture will be started. But there is no change in status.

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue