.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
RSA NetWitness Unable to deploy large RSA Live feeds to multiple Log Decoders or Packet Decoders
Issue
- This article is useful when you have multiple Log Decoders and/or Packet Decoders and you want to deploy (subscribe) to RSA Live feeds with sizes more than 150MB. An example would be "Third Party IOC Domains" feed which has a size of 300MB.
- You will notice a degradation in performance of the UI and general slowness.
- The feeds deployment will fail and time-out.
Cause
Deploying a feed to a large group of target Log Decoder(s) and/or Packet Decoder(s) with a size greater than 150+ MB. An instance of this is if we want to deploy a 200MB feed to 30 decoders that would be a total traffic of 6GB and hence the UI server connection will more than likely time-out during deployment of such feed(s).
Resolution
- SSH to your UI server with "root" credentials.
- stop the web UI service, using command stop jettysrv
- Edit the file /etc/default/jetty using "vi" utility and add this line to the file:
-Dcom.rsa.netwitness.carlos.client.nw.timeout.addpipe=90000
- Upon saving this line, the file should look as follows:
[root@sa-server ~]# cat /etc/default/jetty
# file: '/etc/default/jetty' must be present when jettyuax is installed
export LD_LIBRARY_PATH=/usr/bin/lic
JETTY_HOME=/opt/rsa/jetty9
DB_DEFRAG_ALWAYS=false
JAVA_OPTIONS="-Djava.awt.headless=true -Dcom.rsa.netwitness.carlos.LOG_ENABLE_SYSOUT=true -Dcom.netwitness.platform.DB_DEFRAG_ALWAYS=${DB_DEFRAG_ALWAYS} -Dcom.rsa.netwitness.carlos.client.nw.timeout.addpipe=90000 -Xms1G -Xmx2G -XX:MaxMetaspaceSize=256m -Djdk.tls.ephemeralDHKeySize=2048 -Djavax.net.ssl.keyStore=/opt/rsa/carlos/keystore"
JAVA_OPTIONS="${JAVA_OPTIONS} -XX:+OptimizeStringConcat -XX:+UseLargePages -XX:+UseG1GC"
# file: '/etc/default/jetty' must be present when jettyuax is installed
export LD_LIBRARY_PATH=/usr/bin/lic
JETTY_HOME=/opt/rsa/jetty9
DB_DEFRAG_ALWAYS=false
JAVA_OPTIONS="-Djava.awt.headless=true -Dcom.rsa.netwitness.carlos.LOG_ENABLE_SYSOUT=true -Dcom.netwitness.platform.DB_DEFRAG_ALWAYS=${DB_DEFRAG_ALWAYS} -Dcom.rsa.netwitness.carlos.client.nw.timeout.addpipe=90000 -Xms1G -Xmx2G -XX:MaxMetaspaceSize=256m -Djdk.tls.ephemeralDHKeySize=2048 -Djavax.net.ssl.keyStore=/opt/rsa/carlos/keystore"
JAVA_OPTIONS="${JAVA_OPTIONS} -XX:+OptimizeStringConcat -XX:+UseLargePages -XX:+UseG1GC"
- Restart the UI service, using command: start jettysrv
- Make sure that the UI service is running properly using command: status jettysrv
Product Details
RSA Product Set: NetWitness Logs and PacketsRSA Product/Service Type: UI Server
RSA Version/Condition: 10.6.x.x
Platform: CentOS
Approval Reviewer Queue
RSA NetWitness Suite Approval Queue