000037187 - SMTP Alerts failing due to an unreachable SMTP server in RSA NetWitness Endpoint 4.4.x

Document created by RSA Customer Support Employee on Feb 22, 2019

Article Content

Article Number: 000037187
Applies To:
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: ConsoleServer, SMTP
RSA Version/Condition: 4.4.x
Platform: Windows
Issue: When the SMTP server is not reachable, is down, or is otherwise not operating correctly, alerts may be generated and sent but never reach their intended destination.

When this happens, analysts receive no messages for triggered IIOC events. A method for attempting to recover these alert emails needs to be documented.
Cause: There are many simple reasons this can happen, including network errors, an SMTP server that is powered down or unstable, or issues on the ConsoleServer that prevent the emails from being sent.
Resolution: The RSA NetWitness Endpoint server has a daily maintenance schedule that runs Monday through Thursday and a deep cleaning that runs Friday and Saturday. During either of these maintenance periods, any compiled alert that the SQL database has marked as processed is purged to free space on the SQL server, so there is a relatively short window in which to recover these emails. To search for existing emails:

SELECT
    ca.EventData
FROM
    dbo.CompiledAlerts AS ca WITH(NOLOCK)

This returns a binary blob that must be converted from hex into readable text using a hex editor or conversion tool such as Hexplorer. The output is not as neatly formatted as the emails, but it is readable and contains the information those emails would have carried.
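As an added example that is not part of the RSA article, the hex-to-text step can be scripted instead of done by hand in Hexplorer. The article does not state the text encoding of EventData, so the script assumes the blob is either UTF-16-LE (how SQL Server stores NVARCHAR text) or UTF-8 and chooses between them by byte-order mark or NUL-byte pattern; the sample rows are constructed, not real NetWitness data.

```python
import binascii
import codecs


def decode_event_data(hex_value: str) -> str:
    """Decode one CompiledAlerts.EventData value from its hex form (as SSMS
    displays a varbinary column, e.g. '0x48656C6C6F') into readable text.

    Assumption: the article does not state the blob's encoding, so this tries
    UTF-16-LE (SQL Server NVARCHAR storage) and UTF-8, choosing by BOM or by
    the NUL-byte pattern typical of UTF-16 text.
    """
    cleaned = hex_value.strip()
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    raw = binascii.unhexlify(cleaned)
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    # Without a BOM: ASCII text stored as UTF-16-LE has a NUL in every odd byte.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_rows(hex_rows):
    """Decode a sequence of EventData hex values (e.g. copied out of the SSMS
    result grid); NULL and empty rows are skipped."""
    texts = []
    for row in hex_rows:
        if not row or row.strip().upper() == "NULL":
            continue
        texts.append(decode_event_data(row))
    return texts


if __name__ == "__main__":
    # Constructed sample rows, not real NetWitness data.
    sample = [
        "0x" + "IIOC alert: suspicious process on HOST01".encode("utf-16-le").hex(),
        "NULL",
        "0x" + "IIOC alert: unsigned driver loaded on HOST02".encode("utf-8").hex(),
    ]
    for text in decode_rows(sample):
        print(text)
```

Run it against the EventData values copied from the query result; because the maintenance jobs purge processed alerts, export the rows before the next Monday-Thursday or Friday-Saturday window.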

Workaround: Other than the method above, there is no way to recover sent email alerts that failed to reach their destination address.
