.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
NetWitness Concentrator fails to start aggregation due to an invalid rule
Issue
Concentrator's Config page shows 'consuming' status but the rate remains at 0 with a high session behind the count. Clicking the 'Start Aggregation' button does not start the aggregation./var/log/messages show an error like below.
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] Throw in function nw::CorrelationDefinition nw::{anonymous}::parseCorrelationRule(nw::CorrLang&, const nw::StringParams&)Dynamic exception type: boost::exception_detail::clone_impl<nw::LogicError>std::exception::what: rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys[boost::errinfo_at_line_*] = 575
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Thread] [info] Stopped thread: Correlation Work id: 3439
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Aggregation] [info] Aggregation has started
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Data] [failure] Throw in function nw::CorrelationDefinition nw::{anonymous}::parseCorrelationRule(nw::CorrLang&, const nw::StringParams&)Dynamic exception type: boost::exception_detail::clone_impl<nw::LogicError>std::exception::what: rule: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys[boost::errinfo_at_line_*] = 575
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Thread] [info] Stopped thread: Correlation Work id: 3439
Nov 25 22:50:11 Concentrator NwConcentrator[1762]: [Aggregation] [info] Aggregation has started
Cause
The aggregation will not start when the concentrator service has one or more of Correlation Rules with invalid syntax.Browsing to Concentrator->Config->Correlation Rules tab will show rules that have deprecated or invalid syntax.
Resolution
In order to resolve the issue, please perform the following.- Stop the concentrator service
systemctl stop nwconcentrator
- Make a backup of the current NwConcentrator.cfg file.
cp /etc/netwitness/ng/NwConcentrator.cfg /root/
- Modify NwConcentrator.cfg to remove the invalid Correlation Rule(s).
vi /etc/netwitness/ng/NwConcentrator.cfg
Note: The Correlation Rules are located under the following line.
- Start the concentrator service.
systemctl start nwconcentrator
Product Details
NetWItness Product Set: RSA NetWitness PlatformNetwitness Product/Service Type: Concentrator
NetWitness Version/Condition: 11.x, 12,x
Platform: CentOS / AlmaLinux
O/S Version: 7
Approval Reviewer Queue
Technical approval queue