How to increase active consumers for any collection method in RSA NetWitness Platform
Issue
When a Collector receives a high volume of events from an event source, the collection queue accumulates pending messages, as shown below.
[root@LDecoder ~]# rabbitmqctl list_queues -p logcollection consumers name messages
Listing queues
4 LogDecoder.logdecoder.checkpoint 0
1 LogDecoder.logdecoder.windows 0
1 LogDecoder.logdecoder.snmptrap 0
1 LogDecoder.logdecoder.cmdscript 0
1 LogDecoder.logdecoder.syslog 0
1 LogDecoder.logdecoder.odbc 0
1 LogDecoder.logdecoder.file 2915245
1 rabbitmq.log 0
1 LogDecoder.logdecoder.sdee 0
1 LogDecoder.logdecoder.vmware 0
1 LogDecoder.logdecoder.windowslegacy 0
1 LogDecoder.logdecoder.netflow 0
The above output shows that file collection has too many files for the consumer to process.
Cause
This issue occurs when the incoming event volume from event sources is high. One consumer may not be sufficient to process the incoming events.
Resolution
Please follow the steps below to increase the consumer count.
- Navigate to Log Collector->Explore view.
- Expand event-processors->logdecoder->eventsources->queue.
- Select the collection method that has pending messages.
- On the right-hand side, locate max_receivers and change the value from 1 to a higher value.
Note: A max_receivers value of 10 would be a better number if the incoming volume is high. Other collection methods may also show pending messages during the same period because they have too few consumers. Increase max_receivers for them using the same steps.
- After increasing max_receivers, verify using the command below. The output shows that consumers changed to 10 and the pending message count is lower than earlier.
[root@LDecoder ~]# rabbitmqctl list_queues -p logcollection consumers name messages
Listing queues
10 LogDecoder.logdecoder.checkpoint 28125
1 LogDecoder.logdecoder.windows 0
1 LogDecoder.logdecoder.snmptrap 0
1 LogDecoder.logdecoder.cmdscript 0
1 LogDecoder.logdecoder.syslog 0
1 LogDecoder.logdecoder.odbc 0
10 LogDecoder.logdecoder.file 2734380
1 rabbitmq.log 0
1 LogDecoder.logdecoder.sdee 0
1 LogDecoder.logdecoder.vmware 0
1 LogDecoder.logdecoder.windowslegacy 0
1 LogDecoder.logdec
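To repeat this check without reading the listing by eye, the following added example (not part of the original article or of the NetWitness product) parses the same three-column output and reports queues whose backlog exceeds a threshold, along with messages per consumer. The function names, the sample input, and the threshold of 100000 are assumptions.

```shell
#!/bin/sh
# Added example: flag log collection queues whose backlog exceeds a threshold.
# Input format (as shown on this page): "<consumers> <queue name> <messages>"
# per line, preceded by a "Listing queues" banner.

# backlogged_queues THRESHOLD   (reads rabbitmqctl output on stdin)
# Prints "name consumers messages messages_per_consumer" for each queue
# whose pending message count is above THRESHOLD.
backlogged_queues() {
    awk -v limit="$1" '
        # Accept only rows with a numeric first and last field; this skips
        # the banner line and any truncated row.
        NF == 3 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 + 0 > limit + 0 {
            # A queue with zero consumers reports its full backlog.
            per = ($1 + 0 > 0) ? int($3 / $1) : $3
            print $2, $1, $3, per
        }'
}

# Constructed sample, modelled on the listing in this article.
sample_output() {
    cat <<'EOF'
Listing queues
4 LogDecoder.logdecoder.checkpoint 0
1 LogDecoder.logdecoder.syslog 0
1 LogDecoder.logdecoder.file 2915245
1 LogDecoder.logdec
EOF
}

# Live use on the Log Collector (threshold is an assumed value):
#   rabbitmqctl list_queues -p logcollection consumers name messages | backlogged_queues 100000
sample_output | backlogged_queues 100000
```

Running it before and after changing max_receivers shows whether the per-consumer backlog is actually falling.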
Notes
Note: Investigate the cause of the high incoming volume by filtering the query on device.ip values with a huge count. Check with the device owner whether the log traffic can be corrected. If the traffic is genuine, the Collector EPS is crossing the desired level; normalise the traffic by deploying an additional Collector. Once traffic is normal, revert the change and set the consumer count back to 1 as before.
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Summary
This document outlines the procedure to increase the consumers for Collection.