NetWitness ContextHub service stopping while deploying STIX feed

Issue

While deploying STIX feed using Create a STIX Custom Feed, Context Hub Service stops immediately with below error.

/var/log/netwitness/contexthub-server/contexthub-server.log

 2020-08-06 05:13:40,453 [unchMessageListenerContainer-7] ERROR c.r.a.l.e.t.LaunchMessageListenerContainer|Consumer thread error, thread abort.
 
 java.lang.OutOfMemoryError: Java heap space
 
at java.util.Arrays.copyOf(Arrays.java:3332)
 
at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:124)
 
at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:448)
 
at java.lang.StringBuilder.append(StringBuilder.java:136)
 
at com.rsa.asoc.contexthub.enrichment.stix.api.ParseRequest.toString(ParseRequest.java:16)
 
at java.lang.String.valueOf(String.java:2994)

Cause

This issue is due to feed file is above 300 MB size

Workaround

Please use below workarounds.
1. Ensure feed contents are <6 months old.
2. Ensure feed file size is below 300 MB.

If the issue still persists after applying above workarounds, please decrease the number of parallel threads available for processing STIX:

Go to Admin > Services > Context Hub service > View > Explore.
In the tree panel, go to enrichment/stix/ config.
In the right panel, set the stix-query-scheduler-pool-size field value to 2. By default the value is 5. This setting controls how many threads are allowed to process queries for STIX data at the same time.
Set the taxii-poll-scheduler-pool-size field value to 2. By default the value is 5. This setting controls how many threads are allowed to poll TAXII servers at the same time.
Restart the Context Hub server.

Product Details

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Context Hub Service
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7

Summary

This document outlines the workaround details for contexthub service stop issue.

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue