Endpoint: Troubleshooting NetWitness Endpoint

Document created by RSA Information Design and Development on Apr 11, 2019

This section provides information about possible issues when using NetWitness Endpoint.

General Issues

Issue

Some of the hosts or files data is not displayed when Endpoint Broker is selected for querying.

Solution

When it runs a query, the Endpoint Broker skips Endpoint Servers that are offline and returns results only from the Endpoint Servers that respond within the query timeout, which is 10 seconds by default. An Endpoint Server that is online but takes longer than 10 seconds to respond is also dropped from the result, so its hosts and files are missing from the view. To see the results of a slow but online Endpoint Server, increase the query timeout:

  1. Go to ADMIN > Services and select the Endpoint Broker service.
  2. In the actions menu, click View > Explore.
  3. Click the endpoint/broker node.
  4. In the query-timeout field, increase the value (for example, to 30 seconds).

A larger timeout also makes the Hosts and Files views wait that much longer when an Endpoint Server is genuinely unresponsive, so raise it only as far as your slowest server needs.

Issue

The Endpoint Agent is unable to communicate with the Endpoint Server. The connection may fail for any of the following reasons:

  • UDP connectivity
  • HTTP connectivity
  • Firewall rules

Solution

  • To verify the UDP and HTTP connection between the Windows Endpoint Agent and the Endpoint Server:
    1. Open a command prompt on the host and change to the System32 folder:

      cd C:\Windows\System32

    2. Run the agent executable with the /testnet switch:

      <Agent Service name>.exe /testnet

      For example, NWEAgent.exe /testnet

      The agent reports whether it can reach the Endpoint Server over UDP and HTTP.

  • If the test fails and the issue is with the firewall, check the inbound and outbound firewall rules on the host and on any firewall between the host and the Endpoint Server.

Issue

The Endpoint Agent is unable to communicate with the Log Decoder. The connection may fail for any of the following reasons:

  • UDP connectivity
  • HTTP connectivity
  • Firewall rules

Solution

  • To verify the UDP and HTTP connection between the Windows Endpoint Agent and the Log Decoder:
    1. Open a command prompt on the host and change to the System32 folder:

      cd C:\Windows\System32

    2. Run the agent executable with the /testlognet switch:

      <Agent Service name>.exe /testlognet

      For example, NWEAgent.exe /testlognet

      The agent reports whether it can reach the Log Decoder over UDP and HTTP.

  • If the test fails and the issue is with the firewall, check the inbound and outbound firewall rules on the host and on any firewall between the host and the Log Decoder.

Hosts View Issues

Message

An error has occurred. The Endpoint Server may be offline or inaccessible.

Issue

When you attempt to open the Hosts or Files view, the view opens with this message.

Explanation

The Endpoint Server or the Nginx server is not running, or the Endpoint Server is not known to the Admin Server. Check the status of the Endpoint Server under ADMIN > Services, and check that the Endpoint Server host IP address is registered with the Admin Server. For more information, see the Physical Host Installation Guide or the Virtual Host Installation Guide. If the service is not running, start the Endpoint Server.

Issue

The Hosts and Files views do not load in the Safari browser.

Explanation

When the Ember pages are opened in Safari from a server whose SSL certificate is not trusted, the Hosts and Files views do not load. To load the views:

  1. Click the Show Certificate pop-up menu.
  2. Select the Always trust NetWitness when connecting to <IP Address> checkbox.
  3. Click Continue.
  4. Enter your username and password.
  5. Click Update Settings.

This records a permanent trust exception for that address on the client. Installing a server certificate issued by a CA that your browsers already trust avoids having to add the exception on every client.

Message

No process information was found.

Issue

When you attempt to open the Process or Libraries tab in the Host Details view, the detailed host information is not available and the tab opens with this message.

Explanation

Scan data is not available for the host, for one of the following reasons:

  • The first scan of the host has not completed.
  • The data retention policy has deleted all scan snapshots for the host.

Files View Issues

Behavior

Meta values take time to load.

Issue

The filename and hash meta keys are not set to index by value.

Explanation

During an investigation, when you pivot from the Files view to the Navigate or Event Analysis view, the matching results take time to load if the filename or hash (SHA256 and MD5) meta keys are not indexed by value on the Concentrator: instead of using an index, the Concentrator must read the meta database and retrieve the value of the meta key for every event. Set these meta keys to index by value on the Concentrator before pivoting.

Issue

Filtering files takes a long time to return results.

Explanation

In the Files view, filtering with the Contains operator takes several seconds to return results in the UI. To speed up the query, include at least one indexed field with the Equals operator in the filter.

Issue

Unable to analyze events from the Investigate > Hosts and Files views.

Explanation

If an aggregation service other than a Broker or Concentrator, such as an Archiver, aggregates data from the Log Decoder that receives forwarded metadata from an Endpoint Server, clicking Analyze Events in the Hosts and Files views for that Endpoint Server may not work. To resolve this issue, point the Endpoint Server at the Concentrator explicitly:

  1. Get the investigate-service-id, which is the UUID of the Concentrator:
    1. Go to ADMIN > Services and select the Concentrator service.
    2. In the actions menu, click View > Explore.
    3. Expand the sys/stats node.
    4. Copy the value of the UUID field.
  2. Go to ADMIN > Services and select the Endpoint Server service.
  3. In the actions menu, click View > Explore.
  4. In the endpoint/investigate field, enter the investigate-service-id (the UUID you copied).

Policy Issue

Issue

The policy status in the Policy Details panel is not updated, or shows Policy Unavailable or Permission Required.

Explanation

Policy Unavailable: The host runs an agent from a previous version, such as NetWitness Platform 11.1 or 11.2, to which no policy is applied.

Permission Required: Your role does not have the required permissions. See the "Role Permissions" topic in the System Security and User Management Guide.

Issue

The policy status shows an error.

Explanation

The policy may be configured incorrectly. Check the error description, the Endpoint Server logs, and the audit logs for details, and contact your system administrator with the error details.

Driver Issue

Issue

An error is encountered while loading the driver on the host.

Explanation

Check the driver error code and contact your system administrator with the error code.

File Reputation Service Issue

Issue

After you configure RSA Live for the first time, the File Reputation service is not connected.

Solution

The File Reputation service must be enabled manually:

  1. Go to ADMIN > System > Live Services.
  2. In the Additional Live Services section, select the Enable File Reputation checkbox.
  3. Click Apply.

Risk Scoring for Hosts or Files Issue

Issue

NetWitness Endpoint takes a long time to process risk scoring for hosts or files.

Solution

Check the backlog of alerts waiting for risk scoring.

  1. SSH to the ESA Primary appliance.

  2. Run the following command:

    mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin_password> --eval 'db.staging.find({"$or":[{state:"STAGED"},{state:"WORKING"}]}).count()' --quiet

    The command prints the number of alerts in the STAGED or WORKING state. If the backlog count is 1 million or greater, disable risk scoring and Endpoint ESA alerts as described in steps 3 and 4. A password given on the command line is visible in the process list and is saved in the shell history; if you give -p without a value, the mongo shell prompts for the password instead.

  3. To disable risk scoring:

    1. Go to ADMIN > Services and select the Respond service.
    2. In the actions menu, click View > Explore.
    3. Expand the respond/scheduled/jobs node.
    4. Set the risk-scoring-enabled field to false.

  4. To disable Endpoint ESA alerts, do one of the following:

    • To stop generation of all NetWitness Endpoint ESA alerts (Critical, High and Medium severity), delete the Endpoint deployment:
      1. Go to CONFIGURE > ESA Rules.
         The Configure view is displayed with the Rules tab open.
      2. In the Options panel, under Deployments, select the Endpoint deployment and delete it.
         A confirmation dialog is displayed.
      3. Click Yes.

    • To disable only the Medium severity NetWitness Endpoint ESA alerts:
      1. Go to ADMIN > Services and select the ESA Correlation service on which the Endpoint deployment is added.
      2. In the actions menu, click View > Explore.
      3. Expand the correlation/alert node.
      4. Set the transient-enabled field to false.
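As an added example, not part of the RSA page and not RSA tooling, the following POSIX shell script wraps the backlog check from step 2 and applies the 1,000,000 threshold from the text. It parses the count printed by the mongo shell, treats anything that is not an integer (for example an authentication error) as a failed check rather than an empty backlog, and reports whether risk scoring and Endpoint ESA alerts should be disabled. The query string is the one from the page; the NumberLong() handling and the RUN_BACKLOG_CHECK switch are this example's own assumptions. The deploy_admin password is not placed on the command line: with -p and no value the mongo shell prompts for it.

```shell
#!/bin/sh
# Added example: wraps the documented risk-scoring backlog check.
# Not RSA tooling. The query string is the one from the page and the
# threshold is the 1,000,000 figure from the text.

BACKLOG_THRESHOLD=1000000
# Alerts still waiting (STAGED) or in progress (WORKING) in the Respond
# server's staging collection.
BACKLOG_QUERY='db.staging.find({"$or":[{state:"STAGED"},{state:"WORKING"}]}).count()'

# normalize_count RAW_OUTPUT
# Prints the bare integer from the mongo shell output and returns 0.
# Takes the last non-empty line (so a preceding warning line is ignored)
# and strips a NumberLong() wrapper (assumption: some shell versions
# wrap large counts this way). Returns 1 when the output is not a count,
# e.g. "Error: Authentication failed.", so a failure is never mistaken
# for a backlog of zero.
normalize_count() {
    raw=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | tail -n 1 | tr -d '[:space:]')
    case "$raw" in
        "NumberLong("*")") raw=${raw#"NumberLong("}; raw=${raw%")"} ;;
    esac
    case "$raw" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$raw"
}

# backlog_action RAW_OUTPUT [THRESHOLD]
# Returns 0 when the backlog is at or above the threshold (disable risk
# scoring and Endpoint ESA alerts), 1 when it is below, 2 when the
# output could not be parsed.
backlog_action() {
    count=$(normalize_count "$1") || {
        printf 'cannot parse backlog output: %s\n' "$1" >&2
        return 2
    }
    limit=${2:-$BACKLOG_THRESHOLD}
    if [ "$count" -ge "$limit" ]; then
        printf 'backlog=%s (>= %s): disable risk scoring and Endpoint ESA alerts\n' "$count" "$limit"
        return 0
    fi
    printf 'backlog=%s (< %s): no action needed\n' "$count" "$limit"
    return 1
}

# query_backlog
# Runs the documented query on the ESA Primary. -p is given without a
# value so the mongo shell prompts for the deploy_admin password instead
# of exposing it in the process list and the shell history.
query_backlog() {
    mongo respond-server --authenticationDatabase admin -u deploy_admin -p \
        --eval "$BACKLOG_QUERY" --quiet
}

main() {
    if ! command -v mongo >/dev/null 2>&1; then
        printf 'mongo shell not found; run this on the ESA Primary appliance\n' >&2
        return 2
    fi
    output=$(query_backlog) || {
        printf 'query failed; check the credentials and that the respond-server database is reachable\n' >&2
        return 2
    }
    backlog_action "$output"
}

# Only run the live query when explicitly asked, so the functions above
# can be sourced and exercised offline (RUN_BACKLOG_CHECK is this
# example's own switch, not an RSA setting).
if [ "${RUN_BACKLOG_CHECK:-0}" = 1 ]; then
    main "$@"
fi
```

Usage on the ESA Primary: `RUN_BACKLOG_CHECK=1 sh backlog_check.sh`; the exit status (0 = disable, 1 = fine, 2 = could not check) lets a cron job or a monitoring check alert on a growing backlog before the UI slows down, without ever storing the password in the script.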
