Endpoint: Troubleshooting NetWitness Endpoint

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Sep 5, 2019.

This section provides information about possible issues when using NetWitness Endpoint.

General Issues

Issue

Some of the hosts or files data are not displayed when Endpoint Broker is selected for querying.

Solution

While querying, the Endpoint Broker ignores Endpoint servers that are offline and shows the results of an online Endpoint server only if that server responds within 10 seconds. If an Endpoint server does not respond within 10 seconds, the Endpoint Broker ignores that server for the query.
You must increase the query timeout value to see the results of an online Endpoint server that responds slowly. Perform the following:

  1. Go to ADMIN > Endpoint Broker service.
  2. Click > View > Explore.
  3. Click endpoint/broker node.
  4. In the query-timeout field increase the value, for example, 30 seconds.
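The following Python simulation is an added illustration of the fan-out behaviour described above; it is not code from the RSA documentation or from the NetWitness product. The server names, response delays and host records are constructed sample data, and the timing is scaled down (`time_scale`) so the simulation runs in well under a second. It shows why the merged result is incomplete at the 10-second query timeout and complete at 30 seconds, while an offline server is ignored either way.

```python
"""Added example: simulate how an Endpoint Broker fans a hosts query out to
several Endpoint servers and drops any that are offline or that exceed the
query timeout. Constructed illustration, not NetWitness code."""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed sample fleet: name -> (simulated seconds to answer, host records).
# A delay of None means the server is offline (connection refused).
ENDPOINT_SERVERS = {
    "endpoint-server-a": (2, ["host-a1", "host-a2"]),   # fast
    "endpoint-server-b": (25, ["host-b1"]),             # online but slow
    "endpoint-server-c": (None, ["host-c1"]),           # offline
}


def simulated_endpoint_server(name, delay, records, time_scale):
    """Pretend to be one Endpoint server answering a hosts query."""
    if delay is None:
        raise ConnectionError(f"{name}: connection refused")
    time.sleep(delay * time_scale)   # scaled-down response latency
    return list(records)


def broker_query(servers, query_timeout, time_scale=0.02):
    """Fan the query out to every server in parallel and merge the answers.

    Offline servers are ignored; servers that do not answer within
    query_timeout (simulated seconds) are ignored for this query, which is
    the behaviour the troubleshooting text describes. Returns the merged,
    sorted host list and a dict of skipped servers with the reason.
    """
    merged, skipped = [], {}
    deadline = time.monotonic() + query_timeout * time_scale
    with ThreadPoolExecutor(max_workers=len(servers)) as pool:
        futures = {
            name: pool.submit(simulated_endpoint_server, name, delay, records, time_scale)
            for name, (delay, records) in servers.items()
        }
        for name, future in futures.items():
            # One shared deadline for the whole query, not one per server.
            remaining = max(0.0, deadline - time.monotonic())
            try:
                merged.extend(future.result(timeout=remaining))
            except FutureTimeout:
                skipped[name] = "timeout"
            except ConnectionError:
                skipped[name] = "offline"
    return sorted(merged), skipped


if __name__ == "__main__":
    for timeout in (10, 30):
        hosts, skipped = broker_query(ENDPOINT_SERVERS, query_timeout=timeout)
        print(f"query-timeout={timeout}s -> hosts={hosts} skipped={skipped}")
```

Running the block prints the merged host list for a 10-second and a 30-second query timeout: at 10 seconds the slow server is reported as skipped with reason "timeout" and its hosts are missing; at 30 seconds its hosts are included, and the offline server is skipped in both cases.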

Issue

The Endpoint Agent is unable to communicate with the Endpoint Server. The connection may not be established due to any of the following issues:

  • UDP
  • HTTP
  • Firewall

Solution

  • To verify the UDP or HTTP connection between the Windows Endpoint Agent and the Endpoint Server:
    1. Go to the System32 folder using the following command:

      cd C:\Windows\System32

    2. Execute the following command:

      <Agent Service name>.exe /testnet

      For example, NWEAgent.exe /testnet

  • If the issue is with the firewall, check the incoming and outgoing firewall rules.

Issue

The Endpoint Agent is unable to communicate with the Log Decoder. The connection may not be established due to any of the following issues:

  • UDP
  • HTTP
  • Firewall

Solution

  • To verify the UDP or HTTP connection between the Windows Endpoint Agent and the Log Decoder:
    1. Go to the System32 folder using the following command:

      cd C:\Windows\System32

    2. Execute the following command:

      <Agent Service name>.exe /testlognet

      For example, NWEAgent.exe /testlognet

  • If the issue is with the firewall, check the incoming and outgoing firewall rules.

Issue

After you update to 11.3 and try to delete the meta forwarding configuration of the Log Decoder that you configured in 11.1.x.x or 11.2.x.x, the Log Decoder configuration is not deleted and automatically starts the meta forwarding. Therefore, you will not be able to configure a new Log Decoder for meta forwarding.

Solution

You must stop the meta forwarding for the existing Log Decoder, add the new Log Decoder service using nw-shell, and then start the meta forwarding. Perform the following steps:

  1. Go to ADMIN > Services, select the Endpoint Server service.
  2. Click and select > View > Config.
  3. In the General tab, Endpoint Meta view, select the Log Decoder service.
  4. Click
  5. On the NW server, run the nw-shell command from the command line.
  6. Run the login command and enter the credentials.
  7. Connect to the Endpoint Server using the following command:
    connect --service endpoint-server.<service-id>
  8. Run the following commands:
    cd endpoint/meta/logdecoder-host
    set <log-decoder-ip>
  9. Go to ADMIN > Services, select the Endpoint Server service.
  10. Click and select > View > Config.
  11. In the General tab, Endpoint Meta view, select the new Log Decoder service.
  12. Click .

Hosts View Issues

Message

An error has occurred. The Endpoint Server may be offline or inaccessible.

Issue

When attempting to access the Hosts or Files view, the view opens with the message.

Explanation

Endpoint Server or Nginx Server is not running. Check the status of the Endpoint Server under ADMIN > Service or check if the Endpoint Server host IP address is registered with the Admin Server. For more information, see the Physical Host Installation Guide or Virtual Host Installation Guide. If the service is not running, start the Endpoint Server.

Issue

The Hosts and Files views do not load in the Safari browser.

Explanation

When you open the Ember pages in the Safari browser with a non-trusted SSL certificate, the Hosts and Files views do not load. To load the views:

  1. Click the Show Certificate pop-up menu.
  2. Enable the Always trust NetWitness when connecting to <IP Address> checkbox.
  3. Click Continue.
  4. Enter your username and password.
  5. Click Update Settings.

Message

No process information was found.

Issue

When attempting to access the Process or Libraries tab in the Host Details view, the detailed host information is not available, and the view opens with the message.

Explanation

Scan data is not available due to any of the following reasons:

  • First time scan is not complete.

  • Data retention policy has deleted all scan snapshots.

Files View Issues

Behavior

Meta values take time to load.

Issue

Meta values are not set to index by values.

Explanation

During investigation, while pivoting to the Navigate or Event Analysis view from the Files view, if the filename or hash (SHA256 and MD5) is not set to index by values, the matching results take time to load because the Concentrator must generate the index by accessing the meta database and retrieving the value of the meta for each event. You have to manually index the values before pivoting.

Issue

Filtering files takes a longer time to load results.

Explanation

In the Files view, while filtering files with the Contains operator, the results take a few seconds to load on the UI. You must use at least one indexed field with the Equals operator while filtering the files.

Issue

Unable to analyze events from Investigate > Hosts and Files view.

Explanation

If any aggregation service other than a Broker or Concentrator, such as Archiver, is aggregating data from the Log Decoder that is configured for metadata forwarding from an Endpoint server, clicking Analyze Events in the Hosts and Files view for that Endpoint server may not work. To resolve this issue:

Note: To get the investigate-service-id:
1) Go to ADMIN > Concentrator service.
2) Click > View > Explore tab.
3) Expand the sys/stats node list.
4) In the UUID field, copy the value.

  1. Go to ADMIN > Endpoint Server service.
  2. Click > View > Explore tab.
  3. In the endpoint/investigate field, specify the investigate-service-id.

Policy Issue

Issue

Policy status in the Policy Details panel is not updated or shows Policy Unavailable/Permission Required.

Explanation

Policy Unavailable - Hosts belong to previous versions, such as NetWitness Platform 11.1 or 11.2, where a policy is not applied.

Permission Required - If you do not have permissions, see the "Role Permissions" topic in the System Security and User Management Guide.

Issue

Policy Status shows error.

Explanation

Policy may have wrong configurations. Check the error description, logs in Endpoint server, and audit logs for details. Contact your system administrator with the error details.

Driver Issue

Issue

While loading the driver on the host, an error is encountered.

Explanation

Check the driver error code. Contact your system administrator with the error code.

File Reputation Service Issue

Issue

When you configure RSA Live for the first time, the File Reputation service is not connected.

Solution

You must manually enable the File Reputation service. To enable the File Reputation service:

  1. Go to ADMIN > System > Live Services.
  2. In the Additional Live Services section, select the enable File Reputation check box.
  3. Click Apply.

Risk Scoring for Hosts or Files Issue

Issue

NetWitness Endpoint takes a long time to process risk scoring for Hosts or Files.

Solution

Check the backlog of alerts for risk scoring.

  1. SSH to the ESA Primary appliance.

  2. Execute the following command:

    mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin_password> --eval 'db.staging.find({"$or":[{state:"STAGED"},{state :"WORKING"}]}).count()' --quiet

    The backlog count is displayed. If the backlog count is 1 million or greater, you must disable the risk scoring and Endpoint ESA alerts.

  3. To disable risk scoring:

    1. Go to ADMIN > Respond service.
    2. Click > View > Explore.
    3. Expand the respond/scheduled/jobs node list.
    4. In the risk-scoring-enabled field, set the value to false.

  4. To disable Endpoint ESA alerts:

    1. To disable NetWitness Endpoint ESA alert generation for severity Critical, High, and Medium:

      1. Go to CONFIGURE > ESA Rules.
         The Configure view is displayed with the Rules tab open.
      2. In the Options panel, under Deployments, select the Endpoint deployment to delete.
         A confirmation dialog is displayed.
      3. Click Yes.

    2. To disable only Medium severity NetWitness Endpoint ESA alerts:

      1. Go to ADMIN > ESA Correlation service (on which the Endpoint deployment is added).
      2. Click > View > Explore.
      3. Expand the correction/alert node list.
      4. In the transient-enabled field, set the value to false.
