|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 188.8.131.52
|Issue||The RSA Endpoint Insights Agent has a known bug related to the processing of blank event fields, as seen in Forwarded Events with missing fields. The result is that events do not get processed, and log collection ceases altogether.|
|Cause||The root cause is related to error codes associated with blank fields. This is known as error code 13:|
There is a second reason this happens: events are not processed following the first error seen in a batch of events (in this case triggered by error 13, but it could be caused by any other error). The cause of this is documented in the notes in the associated JIRA.
|Resolution||There are two possible methods to resolve this issue. The first is to install the version of NetWitness Endpoint Insights that is part of the 11.3.x release cycle. Any version of 11.3.x will have this fix.|
The second is to install a hotfixed version that includes the fix associated with the agent. As these versions are engineering hotfixes, a case should be opened with support to request this fix if upgrading to 11.3 is not possible.
NOTE: Whether the issue is fixed by upgrading or by using a hotfixed agent, all existing agents must be replaced with the new version in all instances.