This section provides information about possible issues when using NetWitness Endpoint.
Some host or file data is not displayed when the Endpoint Broker is selected for querying.
When querying, the Endpoint Broker ignores Endpoint Servers that are offline and shows results from an online Endpoint Server only if that server responds within 10 seconds. The Endpoint Broker ignores the query if the Endpoint Server does not respond within 10 seconds.
The Endpoint Agent is unable to communicate with the Endpoint Server. The connection may not be established due to any of the following issues:
The Endpoint Agent is unable to communicate with the Log Decoder. The connection may not be established due to any of the following issues:
Hosts View Issues
|Message||An error has occurred. The Endpoint Server may be offline or inaccessible.|
|Issue||When attempting to access the Hosts or Files view, the view opens with the message.|
Endpoint Server or Nginx Server is not running. Check the status of the Endpoint Server under ADMIN > Service or check if the Endpoint Server host IP address is registered with the Admin Server. For more information, see the Physical Host Installation Guide or Virtual Host Installation Guide. If the service is not running, start the Endpoint Server.
The Hosts and Files views do not load in the Safari browser.
When you open the Ember pages in the Safari browser with a non-trusted SSL certificate, the Hosts and Files views do not load. To load the views.
|Message||No process information was found.|
|Issue||When attempting to access the Process or Libraries tab in the Host Details view, the detailed host information is not available, and the view opens with the message.|
Scan data is not available due to any of the following reasons:
|Behavior||Meta values take time to load.|
|Issue||Meta values are not set to index by values.|
During an investigation, when you pivot to the Navigate or Event Analysis view from the Files view, the matching results take time to load if the filename or hash (SHA256 and MD5) is not set to index by values. This is because the Concentrator must generate the index by accessing the meta database and retrieving the value of the meta for each event. You have to manually index the values before pivoting.
|Issue||Filtering files takes a longer time to load results.|
In the Files view, when you filter files with the Contains operator, the results take a few seconds to load in the UI. You must use at least one indexed field with the Equals operator while filtering the files.
|Issue||Unable to analyze events from Investigate > Hosts and Files view.|
If any aggregation service other than a Broker or Concentrator, such as an Archiver, is aggregating data from the Log Decoder that is configured for metadata forwarding from an Endpoint Server, clicking Analyze Events from the Hosts and Files view for this Endpoint Server may not work. To resolve this issue:
|Issue||Policy status in the Policy Details panel is not updated or shows Policy Unavailable/Permission Required.|
Policy Unavailable - Hosts belong to previous versions, such as NetWitness Platform 11.1 or 11.2, where a policy is not applied.
Permission Required - If you do not have permissions, see the "Role Permissions" topic in the System Security and User Management Guide.
|Issue||Policy Status shows error.|
The policy may be configured incorrectly. Check the error description, the Endpoint Server logs, and the audit logs for details. Contact your system administrator with the error details.
|Issue||While loading the driver on the host, an error is encountered.|
Check the driver error code. Contact your system administrator with the error code.
File Reputation Service Issue
|Issue||When you configure RSA Live for the first time, the File Reputation service is not connected.|
You must manually enable the File Reputation service. To enable the File Reputation service:
Risk Scoring for Hosts or Files Issue
|Issue||NetWitness Endpoint takes a long time to process risk scoring for Hosts or Files.|
Check the backlog of alerts for risk scoring.