Skip to content
  • There are no suggestions because the search field is empty.

Logdecoder service shows initialization error after sudden power failure in RSA Security Analytics

Issue

Logdecoder Service shows "Initialization error" in Logdecoder->System page. This error may not allow Capture to start.

Below errors indicate a problematic database file.
/var/log/messages: 
Sep 22 11:01:38 XXXX nw[14675]: [MetaSerializer] [warning] Meta typename lookup failed for index 384 - FileStream /var/netwitness/logdecoder/metadb/meta-000000133.nwmdb pos: 163705292 size: 156.59 MB, using typename serialize.error
Sep 22 11:01:38 XXXX nw[14675]: [Packet] [failure] Meta maximum size has been exceeded serialize.error - FileStream /var/netwitness/logdecoder/metadb/meta-000000133.nwmdb pos: 163705292 size: 156.59 MB.
Sep 22 11:01:38 XXXX nw[14675]: [Engine] [warning] Module logdecoder failed to load: Meta maximum size has been exceeded serialize.error - FileStream /var/netwitness/logdecoder/metadb/meta-000000133.nwmdb pos: 163705292 size: 156.59 MB. Diagnostic information: /home/hudson/workspace/ng-10.2-linux-tagged-r
 
 


Cause

This is due to corrupted database files during sudden power failure of server.


Resolution

Please follow the below steps to fix the issue.
  1. Login to putty of Logdecoder.
  2. Check /var/log/messages to know the corrupted database file details as mentioned in this KB. Generally, that file would be the last database file written to that directory.
  3. Stop the service using stop nwlogdecoder command.
  4. Move the corrupted database file to a different location.
    Sample commands:
    cd /var/netwitness/logdecoder/metadb/
    mv meta-000000133.nwmdb /root/
  5. Start the service using start nwlogdecoder command.
  6. Login to GUI and Verify the Administration->Services-> Logdecoder->System page as no "initialization error" now. Start Capture on the same page.

Product Details

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Packet Decoder, Log Decoder
RSA Version/Condition: 10.6.X

Summary

In some circumstances, the core database files may corrupt due to sudden reboot of servers. This can fixed by moving the corrupted files to different location.


Approval Reviewer Queue

RSA NetWitness Suite Approval Queue