
RSA NetWitness Archiver fails to aggregate due to a duplicate file

Issue

The Archiver service repeatedly stops the aggregation process.
The issue persists after stopping and starting the aggregation, and after toggling the source Log Decoder(s) off and on from the Archiver's Config page.

After the most recent Archiver service restart, /var/log/messages on the Archiver shows a failure like the one below.
OCT 2 09:52:28 Archiver NwArchiver[26407]: [Index] [failure] boost::filesystem::rename: File exists: "/var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369", "/var/netwitness/archiver/database0/default/index/managed-values-2369"


Cause

The issue can occur when the Archiver has a duplicate index slice under /var/netwitness/archiver/databaseX/ /index/assimilate/.
This duplicate index slice contains only partial data and is redundant with the one under /var/netwitness/archiver/databaseX/ /index/.

Resolution

To resolve the issue, move or delete the duplicate index slice (e.g. /var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369) from the folder reported in the log by following the steps below.
  1. SSH into the Archiver host.
  2. Stop the Archiver service.
    systemctl stop nwarchiver
  3. Move or delete the duplicate index slice in the assimilate folder.
    e.g.
    mv /var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369 /tmp
    OR
    rm -rf /var/netwitness/archiver/database0/default/index/assimilate/managed-values-2369
  4. Start the Archiver service.
    systemctl start nwarchiver
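
A helper for step 3, added here as an example and not part of the original article or of RSA's tooling: it lists every entry that exists both in an index folder and in its assimilate subfolder, and moves the assimilate copy to a backup directory (the "mv" option above). The function names and the backup directory are assumptions, as is treating "same name in both folders" as the duplicate condition, which is what the rename failure in the log reports.

```shell
#!/bin/sh
# Added example (not vendor code). Assumption: a "duplicate" is any entry in
# <index>/assimilate whose name also exists directly under <index>, the
# condition behind the boost::filesystem::rename "File exists" failure.

# list_duplicate_slices INDEX_DIR
# Prints the name of each entry present in both INDEX_DIR/assimilate and INDEX_DIR.
list_duplicate_slices() {
    index_dir=$1
    [ -d "$index_dir/assimilate" ] || return 0
    for path in "$index_dir"/assimilate/*; do
        [ -e "$path" ] || continue          # glob matched nothing
        name=$(basename "$path")
        [ -e "$index_dir/$name" ] && printf '%s\n' "$name"
    done
    return 0
}

# quarantine_duplicate_slices INDEX_DIR BACKUP_DIR
# Moves each duplicate out of assimilate into BACKUP_DIR and prints the
# number of entries moved. The copy directly under INDEX_DIR is left alone.
# Assumes slice names contain no whitespace (e.g. managed-values-2369).
quarantine_duplicate_slices() {
    index_dir=$1
    backup_dir=$2
    moved=0
    mkdir -p "$backup_dir" || return 1
    for name in $(list_duplicate_slices "$index_dir"); do
        mv -- "$index_dir/assimilate/$name" "$backup_dir/" || return 1
        moved=$((moved + 1))
    done
    printf '%s\n' "$moved"
}
```

With the Archiver service stopped (step 2), `list_duplicate_slices /var/netwitness/archiver/database0/default/index` shows what would be moved, and `quarantine_duplicate_slices` with the same path plus a backup directory of your choice performs the move before the service is started again.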

     

Product Details

RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Archiver
RSA Version/Condition: 11.x
O/S Version: 7
