
Unable to Download Exported PCAP, Log, File, or Meta if Size is Greater than 1GB from RSA NetWitness Platform

Issue

Unable to download an exported PCAP, Log, File, or Meta if the export size is greater than 1 GB in the NetWitness Platform User Interface.


Cause

One of the web servers used by the NetWitness Platform, Nginx, has a default configuration for the parameter proxy_max_temp_file_size. With the default configuration, Nginx cannot provide files greater than 1024 MB (1 GB) in size.

Resolution

To allow Nginx to provide exports larger than 1 GB, the proxy_max_temp_file_size parameter must be disabled. Nginx uses this parameter to determine the maximum size an export can be: specifically, it is the maximum size of the temporary file Nginx writes when the item being provided is larger than the proxy buffer.

The proxy_max_temp_file_size parameter must be set to 0 to disable the size limit and allow export downloads larger than 1 GB.

Disabling the proxy_max_temp_file_size parameter may negatively affect User Interface rendering and download performance.

Before proceeding with the following steps, SSH into the NetWitness Server (Admin/UI) and view the Nginx error log, /var/log/nginx/error.log. Verify that the following error is present in the log file. If the log entry is found, proceed with the following steps; otherwise, consult Continued Engineering or other troubleshooting sources, as the issue being experienced may not be related to the proxy buffer size.

upstream prematurely closed connection while reading upstream

If the log entry above was found in the Nginx error.log file, perform the following steps to disable the proxy_max_temp_file_size parameter.

  1. SSH into the NetWitness Server (Admin/UI).
  2. Open the /etc/nginx/nginx.conf file with a text editor such as vi.
     # vi /etc/nginx/nginx.conf
  3. Search for the proxy_max_temp_file_size parameter.
     • If the parameter is found, change the value to 0 and save the file.
     • If the parameter does not exist in the file, add it to the file with the value of 0 and save.
     proxy_max_temp_file_size 0;
  4. Restart the Nginx service to have the change take effect.
     # systemctl restart nginx

Example of nginx.conf with the proxy_max_temp_file_size parameter:

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    proxy_max_temp_file_size 0;   # <------ PARAMETER TO CHANGE
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
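
The log check and the configuration change above can also be scripted. The following is an added example, not RSA-supplied tooling: the function names and the --apply switch are assumptions, and it adds a configuration syntax check (nginx -t) before the restart so a bad edit does not take the User Interface down.

```shell
#!/bin/sh
# Added example; function names and the --apply switch are assumptions.
ERR='upstream prematurely closed connection while reading upstream'

# Succeeds only if the log contains the error this article applies to.
has_upstream_error() {
    grep -qF "$ERR" "$1"
}

# Set proxy_max_temp_file_size to 0 in the given nginx.conf.
# An active directive is rewritten in place; if none exists, one is added
# on the line after "http {". A copy of the original is kept as <file>.bak.
set_temp_file_size_zero() {
    conf=$1
    tmp=$(mktemp) || return 1
    cp -p "$conf" "$conf.bak" || return 1
    if grep -Eq '^[[:space:]]*proxy_max_temp_file_size[[:space:]]' "$conf"; then
        awk '/^[ \t]*proxy_max_temp_file_size[ \t]/ {
                 sub(/proxy_max_temp_file_size[ \t]+[^;]*;/, "proxy_max_temp_file_size 0;")
             }
             { print }' "$conf" > "$tmp" || return 1
    else
        awk '{ print }
             /^[ \t]*http[ \t]*[{]/ && !done {
                 print "    proxy_max_temp_file_size 0;"; done = 1
             }' "$conf" > "$tmp" || return 1
    fi
    # Refuse to write the result if the directive did not end up in it.
    grep -q 'proxy_max_temp_file_size 0;' "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite the contents rather than replacing the file, so ownership,
    # mode and SELinux label of nginx.conf are unchanged.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Runs against the live paths from the article only when called with --apply.
if [ "${1:-}" = "--apply" ]; then
    has_upstream_error /var/log/nginx/error.log || {
        echo "error not in log; the cause may be something else" >&2; exit 1; }
    set_temp_file_size_zero /etc/nginx/nginx.conf || exit 1
    if nginx -t; then
        systemctl restart nginx
    else
        # Syntax check failed: restore the original and leave Nginx running.
        cat /etc/nginx/nginx.conf.bak > /etc/nginx/nginx.conf
        exit 1
    fi
fi
```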

Product Details

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: NetWitness Server (Admin/UI)
RSA Version/Condition: 11.x 
Platform: CentOS 7

Summary

User has created a PCAP, Log, File, or Meta export operation but is not able to download the export if it is over 1GB in size.

