RSA NetWitness Platform Known Issues

Document created by RSA Link Admin Employee on Feb 27, 2019Last modified by RSA Product Team on Jul 1, 2020
Version 171Show Document
  • View in full screen mode

To find out if any known issue is fixed, refer to the Fixed Issues section in the Release Notes for the appropriate release.

You can sort this list by clicking on the column headings.




ComponentsTitle, Problem and WorkaroundFound In / Exists InFixed VersionTracking Number
Log Decoder

Title: Log Decoder service crashes if changes are done to the log forwarding configuration fields logs.forwarding.enabled and logs.forwarding.destination
Problem: In Log Decoder, when you made any changes to log forwarding configuration fields logs.forwarding.enabled and logs.forwarding.destination, the changes are not written to /etc/netwitness/ng/NwLogdecoder.cfg file. Also, the Log Decoder service crashes and the core files are dropped in /var/netwitness/logdecoder/metadb.
Workaround: To resolve the issue, follow the below steps.

  1. Stop the Log Decoder service.
  2. Manually edit the NwLogdecoder.cfg file in /etc/netwitness/ng/.
  3. Restart the Log Decoder service.

Title: Test connection fails for Relay Server with Endpoint Log Hybrid.
Problem: Enhanced Version of openjdk for Relay Server prevents the communication to Endpoint Log Hybrid.
Workaround: To resolve the issue, follow the below steps.

  1. SSH to Relay Server.
  2. Run the following commands.
    rpm -e java-11-openjdk-
    rpm -e java-11-openjdk-headless-
  3. SSH to NW server (Node 0).
  4. From the /var/netwitness/common/repo/ location, copy the following file to the Relay Server.
  5. From the /var/netwitness/common/repo/ location, copy the following file to the Relay Server.
  6. SSH to Relay Server.
  7. Run the following commands to install the copied RPMs from the NW Server (Node 0).
    rpm -ivh java-11-openjdk-headless-
    rpm -ivh java-11-openjdk-
  8. Run the following command to verify the installation.
    rpm -qa | grep -i openjdk
  9. Restart the Relay Server.
UEBATitle: Incorrect object metadata is parsed in UEBA
Problem: The UEBA Object Name pivot link in the Investigate > Entities view is populated with an incorrect meta key. Due to this issue, no matching events are displayed when pivoting to the Events view because the query includes the meta key.
Workaround: Run the query without, group, and user source.
UEBATitle: Pivoting from the Entities view to the Events view with the event.time meta key results in a query with invalid event time.
Problem: When you query the event.time meta key on any UEBA pivot link in the Entities view, the query added to the query bar in the Events view has an invalid filter (marked by a red outline) for event.time expressing the time in EPOCH format, and the query cannot be submitted. A tooltip on the invalid query explains the problem, but the suggested solution does not work:
You entered '1585216020-1585216080'. Times must be quoted with single or double quotes.
Workaround: Copy the EPOCH time value and create a new free-form filter without quoting the EPOCH time. See "Add a Free-Form Filter" in the Investigate User Guide.

Title: Unable to upgrade the NW Server host to version using the Offline User Interface method.
Problem: When trying to upgrade the NW Server host by clicking Update Host in the NetWitness Platform User Interface, the packages are initialized but the upgrade fails with the message "Download error".

  1. In the Command Line Interface (CLI), SSH to the NW Server host.
  2. Run the following command:
    upgrade-cli-client –-upgrade --host-addr <IP of Netwitness Server> --version
  3. After the NW Server is successfully updated, log in to the NW Server host user interface and go to Admin > HOSTS, where you are prompted to reboot the host.
  4. Click Reboot Host from the toolbar.

You can update all the other hosts using the offline user interface method, following the instructions in "User Interface Method with No Connectivity to the Internet" in the Upgrade Guide for RSA NetWitness Platfrom 11.4.1.,

Title: Refocusing a value that contains the backslash (\) character in the Events view does not return results
Problem: From the Event meta panel or any other place in the Events view, no events are returned when you right-click and refocus a value that contains the backslash (\) character.
Workaround: Edit the query filters containing the backslash (\) character and apply the query.


Title: In the email reconstruction, the Download button for attachments is not enabled due to a filename mismatch
Problem: Clicking on attachments in the email reconstruction should enable the Download button, but there is sometimes a mismatch between the file hash in the user interface versus the database. In this case, the Download button is not enabled.
Workaround: Download the same file from file reconstruction.


Title: Paging through results while packets are rendered causes the new page to load fewer packets
Problem: In a packet reconstruction that includes the payload, paging through results while the page is loading causes the next page to show only partial results. For example, if an event has 3500 packets, page 3 will probably include packets 1001-1500. But if you paginate to page 3 from page 2 while page 2 is rendering data, page 3 may start from packet 1025 or even 1050.
Workaround: If you reload the page or page forward and come back to the page, everything will load fine.


Title: The Download menu in the Events view remains in the “Downloading…” state after a timeout during the download operation.

Problem: When downloading a large number of network events from the Events list, the Download menu remains in the Downloading state () and the jobs queue gives a status of Failed with the following error message:
Error retrieving PCAP from service: TransportException: Channel was instructed to close or stop waiting for a response, timeout error activated.

The user cannot download events in the Events view until the exception is cleared.

Workaround: To clear the exception and restore the Download menu, go to the Events view and refresh the browser window.

11.4.1,, 11.4ASOC-86905
NW ServerTitle: Malware service is displayed as offline in the user interface (UI).
Problem: In rare occasions, the Malware service is shown as offline in the UI, even though the service is working as intended.
Workaround: Restart the Jetty server by running the following command:
systemctl restart jetty
11.4.1,, 11.4ASOC-86631
Legacy Windows Collector

Title: WLC Cert renewal script does not run.

Problem: The WLC Cert Renewal Script, packaged as part of 11.4 and located at

/var/netwitness/root-ca- update/wlc/, should not be run. RSA plans to provide a fix in a future NetWitness Platform patch release.

Workaround: None, 11.4.1ASOC-87953
Event Stream Analysis

Title: Some ESA Rule Deployments migrated from versions before 11.3 can cause ESA Rule Deployment issues during the 11.4 upgrade.

Problem: Unused ESA rule deployments left over from the migration from the 10.6 or 11.2 legacy Event Stream Analysis service, which do not contain an ESA Correlation service, cause ESA rule deployments to not deploy after upgrading to NetWitness Platform 11.4.

Workaround: Before you upgrade to 11.4, delete ESA rule deployments that do not contain an ESA Correlation service. The remaining ESA rule deployments should have been deployed at least once with the ESA Correlation service.

To delete an ESA rule deployment:

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the options panel to the left under Deployments, select the deployment that you want to remove.
  3. Select (Deployment menu icon) > Delete.
  4. Click Yes to confirm the delete.
Event Stream Analysis

Title: When a rule is shared between multiple ESA deployments, there is a discrepancy with the Enabled and Disabled ESA rule statuses after an upgrade
Problem: If an ESA rule is used in multiple deployments, then after an upgrade it is possible that the Enabled or Disabled status of that rule in those deployments may not be as expected.
Workaround: Check the ESA rule deployments that contain the rule and change the rule status as needed.
To change the ESA rule status in a deployment:

  1. Go to Configure > ESA Rules > Services tab.
  2. In the options panel to the left under ESA Services, select an ESA Correlation service.
  3. Click the tab for the deployment that contains the rule and in the Deployed Rule Stats section, select the rule.
  4. Change the rule status in the Status column by selecting either Enable or Disable above the table.
11.4.x, 11.3.xASOC-87858
Event Stream Analysis

Title: An ESA Rule Deployment name with a Colon (:) throws a failed to start stream error

Problem: If an ESA rule deployment name contains a colon (:), data aggregation fails to start during deployment.

Workaround: Edit the ESA rule deployment name to remove the colon (:) and then redeploy the deployment.

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the options panel on the left, under Deployments, select a deployment.
    The Deployment view is displayed.
  3. Select (Deployment menu icon) > Edit.
    The deployment name is made available for editing.
  4. Remove the colon (:) from the deployment name.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the ESA rule deployment is redeployed.
Event Stream Analysis

Title: Esper metrics collection can impact performance in some environments with ESA rules that consume large amounts of memory.

Problem (11.4.0.x): Metric collection in Esper version 8.2.0 is different than the previous 7.1.0 version. For an ESA Correlation server with rules that consume a lot of memory, the gathering of metrics can consume significant CPU, leading to a drop in EPS when the metrics are being collected. To avoid the drop in EPS, the default interval to collect metrics in NetWitness Platform 11.4 is set to a very large value (999999 days). This prevents the Esper metrics from being collected.

Workaround (11.4.0.x): If you need metrics collected at a more frequent interval, you can update the background-metrics-frequency parameter on the ESA Correlation service. Do not set the metrics collection interval lower than 5 minutes.

  1. Go to Admin > Services, select the ESA Correlation service, and then select Actions (red gear) > View > Explore.
  2. In the Explore view node list on the left side, select correlation > esper.
  3. In the right panel, enter a new metrics collection interval value for background-metrics-frequency.
  4. Restart the ESA Correlation service.
    • From the UI, go to Admin > Services, select the ESA Correlation service, and then select Actions (red gear) > Restart.
    • From the command line, run: systemctl restart rsa-nw- correlation-server 

Problem (11.4.1): Metric collection in Esper version 8.2.0 is different than the previous 7.1.0 version. In a typical deployment, rule metrics calculation finishes very quickly, within seconds. If a rule uses a significant amount of memory, it may take a long time to calculate metrics. During this time, ESA Correlation does not analyze events and this will result in an overall EPS drop. ESA Correlation will attempt to calculate metrics for a maximum of 15 seconds (default) and if any rules have metrics which cannot be calculated in this time, an error will be shown in the logs and ESA Correlation will abort the calculation to avoid further EPS drop. This will result in a maximum of 15 seconds of analysis lost every 5 minutes (background-metrics-frequency).

Workaround (11.4.1): If you need metrics collected at a more frequent interval, you can update the background-metrics-frequency and metrics-timeout parameters on the ESA Correlation service.

For example, if you have a rule that is using a lot memory and it cannot be optimized, you can reduce the overall EPS drop by increasing the frequency and / or lowering the timeout.

  1. In NetWitness Platform, go to Admin > Services, select the ESA Correlation service, and then select Actions (red gear) > View > Explore.
  2. In the Explore view node list on the left side, select correlation > esper.
  3. In the right panel, you can change the background-metrics-frequency and /or the metrics-timeout parameter value.
  4. Restart the ESA Correlation service. 
    • From the UI, go to Admin > Services, select the ESA Correlation service, and then select Actions (red gear) > Restart.
    • From the command line, run: systemctl restart rsa-nw- correlation-server 



Event Stream Analysis

Title: Named Window with @RSAPersist is not retained after the upgrade to 11.4.x or 11.3.x.

 Problem: Data in Esper Named Windows persisted by enrichments and rules using the

@RSAPersist annotation is not restored after the upgrade to 11.4.x or 11.3.x. These data windows will be empty to start and will be populated with new data as it is processed.

Workaround: None

11.4.x, 11.3.xASOC-85928
Event Stream Analysis

Title: Recurring In-Memory Table enrichments are not updating.

Problem: Recurring In-Memory Table enrichments do not update when the .CSV file changes. If you use Ad Hoc In-Memory Tables, this is not an issue. 

Recurring In-Memory Table enrichments are no longer supported. It is preferable to use Context Hub List enrichment sources instead of In-Memory Table enrichment sources. You can share Context Hub List enrichment sources across the NetWitness Platform.

You can only use the In-Memory Table with ESA

 Workaround: Change your Recurring In- Memory Tables to Context Hub lists. For each Recurring In-Memory table, do the following:

  1. Delete your Recurring In-Memory Table.
  2. Create a Context Hub List with the same name so that you do not have to update the ESA rules.

For information on how to configure a Context Hub List as an enrichment source, see the Alerting with ESA Correlation Rules User Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. 

11.4.x, 11.3.xASOC-86887

Title: When the NOT operator is used in Free-Form Mode without parenthesis, as in NOT medium = 1 vs NOT(medium = 1), the free-form query will fail.

Problem: When the NOT operator is placed before an expression like (NOT service = 80), Free-Form Mode is transforming the expression by adding an open parentheses in front of the expression following the NOT; this imbalances the query and produces an error.

Workaround: Use this syntax when creating a query in Free-Form Mode: NOT (service = 80). Also, be sure to fix any pre-query or query prefix that has the NOT operator in this form: (NOT service = 80) so that pivoting from Navigate to Events view does not break the flow.

Title: Packets are not rendered properly and the expected data is not displayed in the Events view packet reconstruction.

Problem: Sometimes when reconstructing larger events with multi-page data in the packet reconstruction, the request or response field is blank and no data is loaded.

Workaround: Click the Web reconstruction icon above the packet reconstruction. After the web reconstruction opens in the Legacy Events view, switch back to the packet reconstruction.

Title: The packet reconstruction being viewed does not have data loaded after leaving the Events view for the Hosts, Files, or Entities view, and then returns to the Events view using the Events option in the Investigate submenu.

Problem: If the packet reconstruction is open and the user moves away from Events view by clicking on the Hosts view, Files view, or Entities view, and comes back to the Events view by clicking Events in the Investigate submenu, there is an issue with the reconstruction. The previous query is executed, but the reconstruction that was open does not load the packet reconstruction as expected.

Workaround: Refresh the browser page.

TitleAfter upgrading to Version 11.4, there may be issues in the Navigate view and Legacy Events view because the column groups, meta groups, or profile groups permission is disabled for custom user roles.

ProblemWhen the column groups, meta groups, or profile groups permission is disabled for a user, the Load Values button is not displayed in the Navigate view. When column groups permission is disabled, there is an additional issue in the Legacy Events view: Only the Detail view is visible and you cannot select different views and column groups.

The issue occurs most frequently after upgrading to 11.4 because new built-in permissions are not automatically applied to custom user roles.

WorkaroundAfter completing the upgrade, the administrator needs to enable the

required permissions as described in the System Security and User Management Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. 

A quick workaround for analysts: To load values in the Navigate view, you can select a different time range to load meta values. There is no workaround for the issue with the Legacy Events view.

Title: Unable to query meta keys with values and meta values are truncated for some characters like ®.

Problem: When some meta values include special characters like ®, analysts cannot drill down using that meta key in the Navigate view. Meta values are also truncated in the Events view.

Workaround: Remove the special character if creating a feed, or encode it properly at the source of the feed.

11.4.1,, 11.4ASOC-85375

Title: When initiating a download, Investigate fails to connect to the browser job tray and the download spinner remains indefinitely.

Problem: The download job fails to connect to the browser job tray, but the download job does initiate and can be retrieved from the link shown in the flash message at the top of the screen.

Workaround: Retrieve the download from the job queue under <Your Name> > Profile

> Jobs.

11.4.1, 11.4ASOC-50412
Log Decoder

Title: Log Decoder may not start data aggregation after upgrade.

Problem: There can be two reasons that Log Decoder may not start data aggregation:

  • Log Decoder service crashes due to higher index usage that leads to disk input or output issue before an index rollover occurs. This causes the Concentrator to fail and stop data aggregation because it was unable to retrieve first session from the Log Decoder.
  • Concentrator has frequent meta overflow alerts for some meta keys.

Workaround: In Log Decoder configuration, the parameter save.session.count=0 or

save.session.count=600000000, which was set by default in previous releases, must be set to AUTO.

  1. Go to Admin > Services and select a Log Decoder.
  2. Click Actions (red gear icon), and then click View > Explore.
  3. Click index > config.
  4. Change save.session.count to auto.
  5. Follow these steps to reset the index:
    1. In the Explore view, in the left pane, right-click the decoder folder and select Properties.
    2. Go to the bottom of the center pane, under Properties, in the drop-down menu, click the down arrow, and select reset.
    3. In Parameters, type index=1 and click Send.
      The service restarts and rebuilds the index.
11.4.x, 11.3.x, 11.2, 11.1Won't fixSADOCS-1784, SACE-12300
Endpoint Server

Title: Endpoint server is often found in Unhealthy state after a day of deployment.

Problem: If you are running an Endpoint Server in an environment that does not contain a Context Hub server, the file status and file reputation features will not work, and the status of the Endpoint Server shows Unhealthy in Health and Wellness. Other Endpoint features will work without the Context Hub Server.

Workaround: None


Title: Built-in charts are not enabled by default for multi analyst UI.

Problem: When the Admin enables the built-in dashboards on any node, the dashboards and the corresponding charts are enabled only on the selected node. On the other nodes, the corresponding built-in charts are not enabled by default. The built-in dashboards are enabled with an error message, "No active execution details available for chart (chart name)" displayed on the UI.

Workaround: The user must login as an Admin on every node and manually enable the built-in charts.


Title: When there are 100+ events in an alert, the scroll bar does not display all the alert information in a clear format.

Problem: The scroll bar is only partially visible when there are over 100 events in the Incident Details view Events List.

Workaround:  You can continue scrolling to see all of the information.

11.4.x, 11.3.xWon't fixASOC-71935
Audit Logging

Title: logstash does not reconnect to RabbitMQ if RabbitMQ is reset. 

Problem: If RabbitMQ is reset for any reason, logstash does not connect to RabbitMQ for aggregating Audit logs.

Workaround: Restart logstash to reconnect to RabbitMQ.


Title: Updating "Effective Date" daily causes scan schedules to restart.

Problem: The default EDR policy does not specify an effective date. If a policy for an agent does not specify the effective date, then the current date is used instead. This causes the group policy document to be updated every day with the new effective date. Any agent using the default effective date setting will then receive an updated policy every day, causing it to restart its scan schedule everyday and resulting in the agent scanning every day regardless of what the actual policy is.

Workaround: Edit the default EDR policy and add an effective date.




Title: Cannot orchestrate an additional component host if the NW Server host was upgraded to without an intermediate upgrade to

Problem: If you are upgrading your hosts from 11.0, 11.1, or 11.2 directly to, and you want to add a new host after the NW Server Host has been upgraded, the new host cannot be orchestrated.
Workaround: Refer to the Knowledge Base article located here:



Event Stream Analysis

Title: Aggregation stops on some Concentrators because of too many open files.

Problem: Occasionally, ESA Correlation will encounter an error when aggregating from a Concentrator resulting in a connection leak. Over time, this may result in the 'too many open files' error which will stop aggregation.

Workaround: You must restart the ESA Correlation service from the NetWitness Platform user interface.

  1. Log on to NetWitness Platform as Admin.
  2. Go to ADMIN > Services.
  3. Select the ESA Correlation service and then select the Actions icon > Restart.


Core Services

Title: Log Collector event processor does not get started after Log Decoder appliance reboot.
Problem: When you reboot Log Decoder appliance, the Log Collector event processor does not get started.
Workaround: To resolve this issue, do the following:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. Select the Actions icon > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Destinations tab.
  5. Select Log Decoder and click the Start icon.

ASOC- 83767

Event Stream Analysis

Title: Cannot Access Custom Esper Java Libraries
Problem: In NetWitness Platform version 11.3.x and 11.4.x, it is slightly more difficult to enable custom Esper Java libraries for those customers who have built their own EPL extensions in Java. For those customers, upgrading to 11.3.x or 11.4.x can create an issue with their alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java Libraries), customers do not have full visibility of some pattern detection which increases noise for their Analysts, decreasing their productivity.
Alternate Methods: For 11.3.x, see Knowledge Base article “000038138 - Cannot Access Custom Esper Java Libraries for RSA NetWitness Platform's Event Stream Analysis” at For 11.4, see 
Knowledge Base article “000038371 - Cannot Access Custom Esper Java Libraries for RSA NetWitness Platform's Event Stream Analysis” at

11.4, 11.3.xSee the KB articles.



Event Stream Analysis

Title: Unable to add data source for a custom user.
Problem: A custom user role with ESA permissions, which is migrated to NetWitness Platform 11.3 from version 11.2 or earlier, cannot add data sources to an ESA rule deployment. The “Manage ATD Settings” permission is required in 11.3 and later. The Administrator, SOC Manager, and DPO roles have the required permissions to deploy rules to run on ESA.
The “Manage ATD Settings” permission is confusing since it is shared with ESA Analytics. Both ESA Analytics and ESA Correlation require the “Manage ATD Settings” permission. In ESA Analytics, this permission enables the user to modify the ATD (Automated Threat Detection) settings. In ESA Correlation, this permission enables the user to add or view data sources for ESA rule deployments.

Workaround: Add the “Manage ATD Settings” permission on the Administration tab to the custom ESA user role to enable the users with that role to add or view data sources in ESA rule deployments.

To update a custom role with the Manage ATD Settings permission:

  1. Go to ADMIN > Security > Roles tab, select the custom role, and click 
  2. In the Permissions section, click the Administration tab.
  3. Select the Manage ATD Settings permission and click Save., fix is the documented workaround.



Event Stream Analysis

Title: Sample Enrichment ESA rules are being disabled on due to src_ip meta key error

Problem: In, the migrated Whitelist and Blacklist SAMPLE ESA rules use the src_ip meta key, which is invalid for 

Workaround: Edit the Whitelist and Blacklist SAMPLE rules to use ip_src:

  1. Go to CONFIGURE > ESA Rules > Rules tab.
  2. Double-click the “SAMPLE - Blacklist -From inside countries that are not the US, Non SMTP Traffic on TCP Port 25 Containing Executable” rule to edit it.
    1. In the Conditions section, select the “Non SMTP Traffic on TCP Port 25 Containing Executable” statement and click  to edit the statement.
    2. In the Build a Statement dialog, change the ipv4 key value from src_ip to ip_ src and click Save.
    3. In the Enrichments section, for GeoIP output, change the ESA Event Stream Meta value from src_ip to ip_src.
    4. Click Save to save the rule.
  3. Double-click the “SAMPLE - Whitelist -From outside of Germany, P2P Software as Detected by an Intrusion Detection Device” rule to edit it.
    1. In the Enrichments section, for GeoIP output, change the ESA Event Stream Meta value from src_ip to ip_src.
    2. Click Save to save the rule.


Event Stream Analysis

Title: Sometimes the status of an ESA rule deployment is incorrect.

Problem: When you deploy ESA rules, sometimes an error occurs that shows that the rules are disabled in the user interface (CONFIGURE > ESA Rules> Rules tab Deployment panel) when the ESA rule deployment is actually successful. Check the Services tab to see the actual status of the deployment.

Note: This issue is fixed in NetWitness Platform

Workaround: None.




Title: Default SSH timeout period 

Problem: In 11.3.1, there is a new default, three-minute timeout period for an SSH session (from the Browser or Console).  This brief timeout period may be inadequate for your needs.

Workaround: The following procedures are two options for changing this setting.

Disable the SSH Timeout Setting and Default to the Auth Timeout Setting
If you disable the SSH timeout setting, NetWitness Platform uses the auth timeout setting. The default value for the auth timeout setting is 10 minutes.
1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
2. Submit the following command string.
/opt/rsa/saTools/bin/manage-stig-controls --host-all --disable-control-groups 2

Remove the Timeout Setting (No Timeout for SSH)
If you disable both the SSH and Auth timeout settings, SSH sessions will not time out.
1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
2. Submit the following command string.
/opt/rsa/saTools/bin/manage-stig-controls --host-all --disable-control-groups 2,4, 11.3.2ASOC-80695
UpgradeTitle: Linux policy is not updated in the user interface after upgrading agents from 11.2.0 to 11.3.1.
Problem: In the NetWitness Platform user interface, Agent mode is displayed as INSIGHT after upgrading from 11.2.0 to 11.3.1. After scanning, Agent mode is moving to ADVANCED.
Workaround: None.

TitleThe default CEF and human-readable format audit templates are not updated after upgrading to 11.3.1.

Problem: In 11.3.1, notification templates were updated with additional fields. The updated templates are "Default Audit Human-Readable Format" and "Default Audit CEF Template." If you are using these templates, you must perform the steps below after you update to 11.3.1 to reflect the changes.

Workaround: Delete the default templates, restart the Jetty service, and reconfigure Global Auditing:

  1. Go to ADMIN > System > Notification template. Delete the "Default Audit Human-Readable Format" and "Default Audit CEF Template" templates.
  2. Run systemctl to restart Jetty.
  3. Reconfigure Global Auditing.
Event Stream Analysis

Title: Unable to delete an endpoint bundle from an ESA rule deployment
Problem: When creating an ESA rule deployment, if you add an Endpoint Risk Scoring Rule Bundle and then you decide to remove it from the deployment, you see the following error: Rule of type `Endpoint` is an internal rule and cannot be modified
Likewise, if an ESA rule deployment with an Endpoint Risk Scoring Rule Bundle is deployed, you cannot reuse the deployment by deleting the bundle and adding other ESA rules.
Workaround: Delete the ESA rule deployment containing the Endpoint Risk Scoring Rule Bundle and create a new ESA rule deployment. Do not combine the Endpoint Risk Scoring Rule Bundle with other ESA rules in the same deployment.


Title: Broker timeline does not render if Concentrator is offline.
Problem: The Investigate time-line graph is not displayed when one of the aggregated devices defined in Broker Configuration is offline.
Workaround: None

11.3.1, 11.3SACE-11365
Global Notifications

Title: Syslog server config updates are making entries in config.
Problem: Duplicate entries in rsa-audit-server- output.conf log file. If multiple changes in Global Notifications are made in a short time frame, NetWitness Platform appends multiple duplicate entries to the rsa-audit-server-output.conf file.


  1. Delete the duplicate entries from the rsa-audit-server- output.conf file.
  2. Go to ADMIN > System > Global Notifications.
  3. Select a notification server and click the Edit icon.
  4. Click Save.
    It takes about five minutes for the workaround to take effect.
11.3.1, 11.x11.4ASOC-59607

Title: UEBA Service displays incorrect version

Problem: After you update NetWitness Platform to 11.2.1, the ADMIN > Hosts view displays an incorrect UEBA version.

Workaround: Update the UEBA service:

  1. Go to ADMIN > Hosts.

  2. Select the UEBA host.

  3. Click Update > Update Host from the toolbar.

  4. Click Begin Update.,
Event Stream Analysis

Title: Meta keys marked as sensitive for Data Privacy are still included in notifications and alerts for some ESA rules.

Problem: In ESA rules that do not select every piece of metadata from the session (that is, using ‘select *’), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in Respond does not work.

Workaround: For 11.4, you can perform the steps that are documented in “Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_ source_id” in the Alerting with ESA Correlation Rules User Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. 

Event Stream Analysis

Title: The available data sources in an ESA rule deployment show details of a deleted host.

Problem: If a Concentrator is added to the available data sources for ESA rule deployments and then the host is removed from the NetWitness server, you can still see that host in the available data sources list.

Workaround: Remove the host from the available data sources for ESA rule deployments and then redeploy any existing ESA rule deployments that were using that host.

To remove the host from the available configured data sources:

  1. Go to CONFIGURE > ESA Rules Rules tab.
  2. In the options panel on the left, select an ESA rule deployment.
  3. In the Deployment panel Data Sources section, click the Plus Sign.
  4. In the Available Configured Data Sources dialog, select the host that was removed from the NetWitness Server. The host should show a white circle (stopped service) instead of a green circle (running service). 
  5. Click the Minus Sign and then click Save.,

Title: Commands issued after pressing the Tab key are not captured in Powershell for Windows 10 version 1809

Problem: In Windows 10 version 1809, when you execute a command in Powershell and press the Tab key, the Powershell console events that are captured contain only the characters entered before pressing Tab. Also, some of the Powershell console events that are captured may contain repeated characters.

Workaround: None


Title: In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline.

Problem: When a queried service is offline, the information icon in the query console should change to an error icon (red triangle with an exclamation point). The border of the query console border turns red, but the information icon does not change to a error triangle.

Workaround: None


Title: When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish

Problem: This can happen when querying a large set of data with a query that includes expensive operations. The query is auto-canceled after a 5-minute timeout, and an error message is displayed.

Workaround: To avoid the timeout, change the query parameters to filter a smaller data set and re-execute the query.


Title: Matching files are not displayed in the Files tab if the file name in the event does not match the global file name.

Problem: From the Nodal Graph, when you pivot to Investigate > Hosts or Files tab for analyzing a file, if the file name in the event does not match with the global file name, no result is displayed in the Files tab.

Workaround: You must pivot to Investigate > Hosts or Files using the file hash.

  1. Go to RESPOND > Incidents.
  2. Click the ID (incident ID) associated with the file name.
  3. Click the Events List and search for the file name you want to analyze.
  4. Hover over on the file hash and click Pivot to Investigate > Hosts/Files.
11.4.x, 11.3.xASOC-73173

Title: Respond stats reset after update.

Problem: After an update from NetWitness Platform 11.2 to 11.3, Respond statistics are reset in the Incident Rules view (CONFIGURE > Incident Rules). The rule counter for matched alerts and incidents resets to zero and the Last Matched, Matched Alerts, and Incidents columns show only 11.3 values.

Workaround: None.

Note: This is fixed for updates from 11.3 to 11.3.x or 11.4.x, but is still an issue for updates from 11.2.x to 11.3.x.

11.3.x, 11.2.x11.3.1.1ASOC-72759

Title: Show proper message for Event Analysis not loading in a mixed-mode environment.

Problem: In a mixed-mode environment, when the Event Analysis does not load from the Respond Incident Details view, customers receive the following message: “An unexpected error has occurred attempting to retrieve this data.” Instead they should receive a message that this is expected behavior. Event Analysis requires all core services to be on NetWitness 11.1 or greater.

Workaround: None.,,, 11.2.x.x11.3.1.1ASOC-60463

Title: Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication

Problem: Applicable to customers who have enabled Threat Aware Authentication. When Alerts associated with an open incident are deleted from the Alerts view (Respond > Alerts), the email addresses associated with the deleted alerts are not removed automatically from the SecurID’s high-risk users list.

Workaround: None, but you can manually remove the user details from the high-risk users list.,,

Title: ESA Rules with severity as High or Low are not populated in the RSA Archer user interface.

Problem: When ESA alerts with severity High or Low are forwarded to RSA Archer, the Security Alert Priority field is not populated in the RSA Archer user interface.

Workaround: None

11.4.x,11.3.x, 11.2.xARCHER-47100

Title: Generating and copying the *nwelcfg file does not update the timestamp.

Problem: After installing the Endpoint agent, if the administrator wants to update a new Log Collection configuration with any copy methods or with a third-party endpoint management tool, the config file timestamp remains as that of the Endpoint server time and not the agent time. As a result, if the endpoint agent is on a different timezone from the endpoint server, the timestamp does not get updated properly.

Workaround: After copying the file, run this command on the Endpoint Agent:
copy /b <filename.nwelcfg> +,,from the folder %programdata%\NWEAgent\ where the nwelcfg file is located.

Event Stream Analysis

Title: For ESA rules that use enrichment sources, the Ignore Case option does not work for first statement

Problem: When creating an ESA rule that uses any enrichment source, if the Ignore Case option is enabled on the first enrichment statement, no results are returned. Note that this issue does not apply to any statements after the first statement (that is, substatements).

Workaround: When creating a new rule, the Ignore Case option is now disabled. For existing rules that have the Ignore Case option enabled for an enrichment statement, the option is still enabled but users will be prompted to disable the option when opening the rule in ESA and then save the updated rule.

11.4.x, 11.3.x, 11.2.xASOC-49906

Title: When a large PCAP is extracted from the Events view, if it times out after 5 minutes, the query time is displayed as 8 hours in the Jobs tray error message.

Problem: When exporting a PCAP with ~100000 sessions from the Events view using Export > Export All PCAP, the download may fail due to the 5-minute packets call timeout. If the call times out, the error message in the Jobs tray incorrectly displays the timeout as 8 hours (28800000 ms).

Workaround: None.

Custom Feeds

Title: RSA Archer Recurring Feeds failing in SSL mode

Problem: RSA Archer recurring feeds do not work in SSL mode.

Workaround: You must create the RSA Archer recurring feeds in non-SSL mode.

11.4.x, 11.3.x, 11.2.xWon't fixARCHER-41524

Title: Nginx rejects post requests exceeding request size 1 MB

Problem: The Nginx server is upgraded and the default payload size is set to 1 MB. This causes any data post request exceeding 1 MB to fail.

Workaround: Add the following setting to the Nginx configuration file (/etc/nginx/conf.d/nginx.conf) and restart the Nginx server:

client_max_body_size 100M

Event Source Management

Title: SMS Service crashes with Out of Memory Error

Problem: On systems with a large number of active event sources, when the system cannot keep up with the processing of log statistics messages, the SMS service can crash with a java.lang.OutOfMemoryError: Java heap space error.

Workaround: If you experience this issue, please contact RSA support for details on how to address the issue.
Event Stream Analysis

Title: ESA CH rules get disabled during upgrade or ESA host reboot

Problem: If the ESA host restarts and Context Hub rules are deployed on ESA, the Context Hub rules may be disabled. This happens as a result of a race condition between the Context hub and Event Stream Analysis services startup order on the ESA host.

Workaround: To resolve this issue, do one of the following:

  • Go to the CONFIGURE > ESA Rules > Services tab and enable the disabled rules that are dependent on Context Hub.
  • Restart the Event Stream Analysis service.
Event Stream Analysis

Title: Case-sensitive sorting is not working properly in the ESA All Rules grid

Problem: When rule names begin with lower and upper case letters, the sort does not work properly in the Rule Name column of ESA All Rules grid. For example, "Rule 1" is not followed by "rule 2" when you sort by name.

Workaround: None

11.3.1, 11.3, 11.2Won't fixSAENG-3605

Title: Users who have not been assigned investigate-server* permission do not get the proper error message explaining why they do not have access to the Event Analysis view

Problem: If the administrator has not assigned investigate-server* permission for a user, the user should see the permission denied error when attempting to view a session in the Event Analysis view. Instead, the internal server error is returned.

Workaround: None.


Title: In the Event Analysis view, log and network events are not interleaved

Problem: Network and log events are interleaved and sorted in time order in the Events view, but in the Event Analysis view, events are sorted differently. In the Event Analysis view, the events are not interleaved as they should be; instead all log events sorted in time order are displayed before all network events sorted in time order.

Workaround: Use the Events view to see interleaved network and log events.


Title: Imported Investigate profiles are not displayed in the Profiles drop-down menu

Problem: When you import Profiles to the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu.

Workaround: Refresh the browser window to see the recently added profiles.


Title: If the URL for a drill point is very long and you use the query in the Event Analysis view, an error (414 Request error) is returned

Problem: Several situations create a very long query that the browser cannot handle, especially if you are using Internet Explorer, which has a much lower character limit than most browsers. Pivoting to Event Analysis from Reporting can result in a very long query, and a number of pivots in the Navigate view can create a very long query.

Workaround: Continue to work in the Navigate view or Events view when the URL becomes too long to render in the Event Analysis view.


Title: When all alerts are deleted for an alert rule, the filter for the rule is not properly removed

Problem: In the Alerts List view (Respond > Alerts), you can filter alerts by Alert Name and then delete all of the alerts that have that name. If you do not remove the alert name filter after deleting the alerts, the next time the Alerts List view loads, the filter will still be in place, but it will no longer be visible as a checkbox in the Filters panel because all alerts with that name have been deleted. You will continue to see zero results when visiting the Alerts List view.

Workaround: Before you refresh or reload the Alerts List view, you can remove the filter by clearing the checkbox by the alert name. If you already refreshed or reloaded the Alerts List view, the only way to remove the hidden filter is to press the Reset Filters button, which removes all filters, including the hidden alert name filter.


Title: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically.

Problem: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically or even after clicking the Refresh button in the License Details view. This is because the communication to the license server is not established.

Workaround: The administrator has to manually download the license details using the offline mode and upload latest license details through the RSA NetWitness Platform UI. For more information, see the Licensing Management Guide for RSA NetWitness Platform.





Title: STIX recurring feed fails on upgrade from 10.6.6 to 11.2

Problem: When you upgrade Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, the STIX Recurring feed you created using HTTPS URL fails to work. This is because, in 10.6.x, by default, all the certificates are trusted. However, this is not the case in 11.2. In 11.2, the Trust All certificates option is provided and is disabled by default.

Workaround: Navigate to Configure > Custom Feeds and edit the failed feed. Either enable the Trust all option, or upload a valid SSL certificate to resolve the issue. In case of any further queries, contact the RSA Customer Support.


Title: After you upgrade to or, the logstash files are not updated in the logstash output configuration file

Problem: When you upgrade from 10.6.x.x to or, logstash files are not updated in the logstash output configuration file. This happens when you have a global audit setup.

Workaround: If global auditing is configured, you need to edit one of the syslog entries in the Global Notifications servers and click Save to apply the latest Audit log configuration.


Title: The investigation links are disabled for static charts during 10.6.x.x to 11.1 or 11.2 post-upgrade.

Problem: The investigation link is disabled for the static chart (the result of the report is in chart format) which has the datasource as RSA NetWitness Platform-Broker (This service is available by default).

Workaround: There are two workarounds for this issue:

  • The rules that have the result in static chart can be viewed in Tabular format and the investigation works as expected.
  • Or you can perform the following steps to fix the issue:
    1. Delete and add the RSA NetWitness Platform-Broker again as the datasource to Reporting Engine with the same name.
    2. If the reports with static chart are scheduled reports, then in the next run, the investigation link will work as expected.
    3. If the report is an Adhoc report then, then re-run the report for getting the investigation links.