Incident Rule Failing in NetWitness 12.3.1 and Below

Issue

In NetWitness Platform versions 12.3.1 and below, the Respond Server may become unresponsive or fail to create incidents. The respond-server.log shows error messages such as:

  • "Error running aggregation rule"
  • "Sort exceeded memory limit."

The exact error message in the respond-server.log appears as follows:

ERROR IncidentManagement|Error running Aggregation Rule 'Security Incidents'
org.springframework.data.mongodb.UncategorizedMongoDbException: Command failed with error 292 (QueryExceededMemoryLimitNoDiskUseAllowed): 'Error in $cursor stage :: caused by :: Sort exceeded memory limit of 33554432 bytes, but did not opt in to external sorting. Aborting operation. Pass allowDiskUse:true to opt in.' on server <UUID>:27017. The full response is {"ok":0.0, "errmsg":"Error in $cursor stage :: caused by :: Sort exceeded memory limit of 33554432 bytes, but did not opt in to external sorting. Aborting operation. Pass allowDiskUse:true to opt in."}

Cause

This issue is due to an exception related to the MongoDB aggregation query. The aggregation query attempts to sort data but exceeds the default memory limit of 32 MB. Since it does not opt in to external sorting (disk use), the operation aborts.


Resolution

Follow these steps to fix the issue:
  1. SSH to the ESA Primary box.
  2. Stop the mongod service:
    service mongod stop
  3. Open /etc/mongod.conf in a text editor.
  4. Adjust the following parameter to the next higher memory value in bytes. If it is set to 32 MB, try 64 MB next:
    internalQueryMaxBlockingSortMemoryUsageBytes: 67108864
  5. Start the mongod service:
    service mongod start
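
A read-only pre-check for the steps above, added here as an example and not NetWitness tooling: it reads the limit named in the most recent error 292 entry of a respond-server.log and compares it with the value set in a mongod.conf. The function names, the doubling rule (taken from the 32 MB to 64 MB step) and the file paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example, not NetWitness tooling. Doubling follows the article's 32 MB -> 64 MB step.
PARAM=internalQueryMaxBlockingSortMemoryUsageBytes

# Limit (bytes) named in the most recent error 292 line of log file $1; empty if none.
last_reported_limit() {
    [ -r "$1" ] || return 0
    sed -n '/QueryExceededMemoryLimitNoDiskUseAllowed/s/.*Sort exceeded memory limit of \([0-9][0-9]*\) bytes.*/\1/p' "$1" |
        tail -n 1
}

# Value of the parameter in config file $1; empty if it is not set there.
configured_limit() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$PARAM:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# advise LOG CONF -> "none", "raise <bytes>" or "configured <bytes>"
advise() {
    reported=$(last_reported_limit "$1")
    configured=$(configured_limit "$2")
    if [ -z "$reported" ]; then
        echo "none"                      # no sort-limit failure logged
    elif [ -n "$configured" ] && [ "$configured" -gt "$reported" ]; then
        echo "configured $configured"    # config is already above the last failure's limit
    else
        echo "raise $((reported * 2))"   # next value to try in the config
    fi
}

# Constructed sample input (shortened log entry, not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/respond-server.log" <<'EOF'
ERROR IncidentManagement|Error running Aggregation Rule 'Security Incidents'
org.springframework.data.mongodb.UncategorizedMongoDbException: Command failed with error 292 (QueryExceededMemoryLimitNoDiskUseAllowed): 'Error in $cursor stage :: caused by :: Sort exceeded memory limit of 33554432 bytes, but did not opt in to external sorting.'
EOF
: > "$demo_dir/mongod.conf"              # parameter not set yet
advise "$demo_dir/respond-server.log" "$demo_dir/mongod.conf"   # prints: raise 67108864
rm -rf "$demo_dir"
```

A result of "configured" after the change means the remaining log entries were written before mongod picked up the new value.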

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Platform
NetWitness Version/Condition: 12.3.1 and below
