
Failed to initialize device LogDecoder in RSA Security Analytics 10.x because The length of the value exceeds the maximum allowed length for device.invalid.sessions.

Issue

Aggregation between the Concentrator and the LogDecoder repeatedly fails with the following errors:

 
Apr  1 13:20:28 salhybrid nw[25224]: [Aggregation] [failure] Failed to initialize device '10.210.49.9:50002' because The length of the value (2051) exceeds the maximum allowed length (2048) for device.invalid.sessions. Device aggregation is being stopped.
Apr  1 13:21:43 salhybrid nw[25224]: [Aggregation] [info] Device '10.210.49.9:50002' is being initialized
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [info] Local database found last session for device '10.210.49.9:50002' at session '34437868633'
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [info] Device '10.210.49.9:50002' is querying for exact session time
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [info] Session time query returned exact time of 03/31/2016 08:19:32 PM UTC
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [info] Last time query returned time of 03/31/2016 08:19:32 PM UTC
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [info] Attempting to invalidate sessions using local DB range 1-34437886793
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [info] Device '10.210.49.9:50002 registered invalid sessions ending at 34443150373 but last consumed session was 34437868633 so trimming invalid ranges.
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [failure] Failed to initialize device '10.210.49.9:50002' because The length of the value (2051) exceeds the maximum allowed length (2048) for device.invalid.sessions. Device aggregation is being stopped.
Apr  1 13:24:02 salhybrid nw[25224]: [Aggregation] [audit] User admin (session 1697, 10.210.49.10:39653) has issued a stop aggregation command
Apr  1 13:24:02 salhybrid nw[25224]: [Aggregation] [info] Aggregation is stopping
Apr  1 13:24:02 salhybrid nw[25224]: [Aggregation] [info] Aggregation threads are being shutdown
Apr  1 13:24:02 salhybrid nw[25224]: [Aggregation] [info] Aggregation databases have been flushed
Apr  1 13:24:03 salhybrid nw[25224]: [Aggregation] [info] Aggregation indexes have been saved

When aggregation is attempted, the service remains stuck with the status "failure" under Concentrator->Config->Aggregate Services.
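The failure signature quoted above can be picked out of syslog automatically. The following is an added example, not part of the original article or of RSA's tooling: it scans log text for the device.invalid.sessions length error and summarizes it per device. The sample log is constructed from the format shown above, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines follow the syslog format quoted in this article.
SAMPLE_LOG = """\
Apr  1 13:20:28 salhybrid nw[25224]: [Aggregation] [failure] Failed to initialize device '10.210.49.9:50002' because The length of the value (2051) exceeds the maximum allowed length (2048) for device.invalid.sessions. Device aggregation is being stopped.
Apr  1 13:21:43 salhybrid nw[25224]: [Aggregation] [info] Device '10.210.49.9:50002' is being initialized
Apr  1 13:21:47 salhybrid nw[25224]: [Aggregation] [failure] Failed to initialize device '10.210.49.9:50002' because The length of the value (2051) exceeds the maximum allowed length (2048) for device.invalid.sessions. Device aggregation is being stopped.
Apr  1 13:22:10 salhybrid nw[25224]: [Aggregation] [info] Device '10.210.49.8:50002' is being initialized
"""

# Syslog prefix: timestamp, host, nw[pid], [Aggregation], [level], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\snw\[\d+\]:\s"
    r"\[Aggregation\]\s\[(?P<level>\w+)\]\s(?P<msg>.*)$")
# The specific failure this article covers.
OVERFLOW_RE = re.compile(
    r"Failed to initialize device '(?P<device>[^']+)' because The length of the "
    r"value \((?P<length>\d+)\) exceeds the maximum allowed length "
    r"\((?P<limit>\d+)\) for device\.invalid\.sessions")

def find_invalid_session_overflows(log_text):
    """Return {device: summary} for devices failing with this article's error."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "length": 0, "limit": 0, "hosts": set()})
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed or parsed["level"] != "failure":
            continue  # only [failure] entries from the Aggregation module matter
        overflow = OVERFLOW_RE.search(parsed["msg"])
        if not overflow:
            continue  # a different aggregation failure, not this issue
        entry = hits[overflow["device"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or parsed["ts"]
        entry["last"] = parsed["ts"]
        entry["length"] = max(entry["length"], int(overflow["length"]))
        entry["limit"] = int(overflow["limit"])
        entry["hosts"].add(parsed["host"])  # host that logged the failure
    return dict(hits)

if __name__ == "__main__":
    for device, e in find_invalid_session_overflows(SAMPLE_LOG).items():
        print(f"{device}: {e['count']} failures between {e['first']} and {e['last']}, "
              f"value {e['length']} > limit {e['limit']} on {sorted(e['hosts'])}")
```

A count above one for the same device means initialization is retrying into the same error, which matches the stuck "failure" status described in this article.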

Tasks

Restart aggregation between the Concentrator and the LogDecoder so that the status under Concentrator->Config->Aggregate Services shows "consuming".
 


Resolution

To restart aggregation, apply the following workaround:
On the LogDecoder, switch to the Explore view, go to /decoder/config/recovery, right-click it and select Properties, then enter the following:

device="DEVICE_NAME_INSIDE_THE_DOUBLE_QUOTE:50005" key="sessions.invalid" value="" 

Refer to this screenshot for further details:

[Screenshot: Explore view]


Notes

If the issue recurs, apply the steps again.

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.x
Platform: CentOS

Summary

The length of the value (2051) exceeds the maximum allowed length (2048) for device.invalid.sessions. Unable to start aggregation between the LogDecoder and the Concentrator.


Approval Reviewer Queue

ASOC Approval Group