.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
NetWitness Broker not Consuming from Concentrators/Hybrids
Issue
The Broker has stopped aggregating from the attached Concentrator service in the Broker View -> config screen and it is falling behind. Attempts to toggle the service or to restart the aggregation have failed.Cause
The connection between the Broker and down-stream Concentrators or Brokers needs to be re-established so that the Broker can resume aggregation.
Resolution
- Login to Admin UI -> Services.
- Select the Broker -> View config -> General -> Aggregate services -> Remove the Concentrator or Broker services.
- SSH to the Broker appliance.
- Restart the nwbroker service.
- Use systemctl status nwbroker to ensure that the broker service is running.
# systemctl stop nwbroker
# systemctl start nwbroker
# systemctl status nwbroker
# systemctl start nwbroker
# systemctl status nwbroker
- Login to the Admin UI -> Services -> select the Broker -> View Config -> General -> Aggregate services -> Add the Concentrator or Broker services back.
- If this does not address the issue long term, please contact NetWitness Support for further assistance.
Notes
Removing the Concentrators will not cause any data loss, as the Broker doesn't actually contain any database files. It will take a few minutes for the Broker to re-create the indices, after which everything will back to normal.
Product Details
NetWitness Product Set: NetWitness PlatformNetWitness Product/Service Type: Broker
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux
OS Version: 7 / 8.9
Approval Reviewer Queue
Technical approval queue