This section provides information about possible issues when using NetWitness Endpoint.
Some host or file data is not displayed when the Endpoint Broker is selected for querying.
The Endpoint Broker aggregates data from all Endpoint Servers that respond within 10 seconds. To see the results from an Endpoint Server that is online, you must increase the query timeout value. Perform the following:
The Endpoint Agent is unable to communicate with the Endpoint Server. The connection may not be established due to any of the following issues:
The Endpoint Agent is unable to communicate with the Log Decoder. The connection may not be established due to any of the following issues:
The agent is not communicating with the Endpoint Server after migration.
Check the Nginx logs of the Endpoint Server to which the agent has migrated. If the agent is communicating with error code 403, the certificates of the first Endpoint Server and the second Endpoint Server are different. This happens because the certificate of the first Endpoint Server was not copied to the second Endpoint Server during the installation of the second Endpoint Server.
Reinstall the second Endpoint Server by copying the certificate of the first Endpoint Server, and reinstall the agent. For more information, see the Physical Host Installation Guide.
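The Nginx log check described above can be scripted. The following is an added example, not part of the NetWitness documentation: it assumes the access log uses nginx's default "combined" format (client address in field 1, status code in field 9), and the function names, request paths and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list clients whose requests were ALL answered with HTTP 403.
# Assumption: nginx default "combined" log format, so after whitespace
# splitting field 1 is the client address and field 9 is the status code.
# A custom log_format on the Endpoint Server would need different field numbers.

agents_rejected_403() {
    # $1 = path to an nginx access log.
    # Prints "<client> <403 count> <total requests>", one client per line.
    # A client that only ever receives 403 matches the certificate-mismatch
    # symptom described above; clients with mixed results are not listed.
    awk '
        { total[$1]++ }
        $9 == 403 { denied[$1]++ }
        END {
            for (c in denied)
                if (denied[c] == total[c])
                    print c, denied[c], total[c]
        }
    ' "$1" | sort
}

# Constructed sample log lines (documentation addresses, hypothetical paths).
sample_log() {
    cat <<'EOF'
192.0.2.21 - - [12/Mar/2024:10:00:01 +0000] "POST /example/beacon HTTP/1.1" 403 153 "-" "-"
192.0.2.22 - - [12/Mar/2024:10:00:02 +0000] "POST /example/beacon HTTP/1.1" 200 64 "-" "-"
192.0.2.21 - - [12/Mar/2024:10:01:01 +0000] "POST /example/beacon HTTP/1.1" 403 153 "-" "-"
192.0.2.23 - - [12/Mar/2024:10:01:05 +0000] "GET /example/config HTTP/1.1" 403 153 "-" "-"
192.0.2.23 - - [12/Mar/2024:10:01:09 +0000] "POST /example/beacon HTTP/1.1" 200 64 "-" "-"
192.0.2.22 - - [12/Mar/2024:10:02:02 +0000] "POST /example/beacon HTTP/1.1" 200 64 "-" "-"
192.0.2.21 - - [12/Mar/2024:10:02:01 +0000] "POST /example/beacon HTTP/1.1" 403 153 "-" "-"
EOF
}

# Run against the constructed sample; pass a real log path to the function instead.
tmp=$(mktemp)
sample_log > "$tmp"
agents_rejected_403 "$tmp"
rm -f "$tmp"
```

A client listed here that corresponds to a migrated agent points to the certificate mismatch and the reinstall procedure above.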
Hosts View Issues
|Message||An error has occurred. The Endpoint Server may be offline or inaccessible.|
|Issue||When attempting to access the Hosts or Files view, the view opens with the message.|
The Endpoint Server or Nginx Server is not running. Check the status of the Endpoint Server under Admin > Service, or check whether the Endpoint Server host IP address is registered with the Admin Server. For more information, see the Physical Host Installation Guide or Virtual Host Installation Guide. If the service is not running, start the Endpoint Server.
|Issue||Unable to analyze events from Investigate > Hosts and Files view.|
If any aggregation service other than a Broker or Concentrator, such as an Archiver, is aggregating data from the Log Decoder that is configured for metadata forwarding from an Endpoint Server, clicking Analyze Events from the Hosts and Files view for this Endpoint Server may not work. To resolve this issue:
|Issue||Policy status in the Policy Details panel is not updated or shows Policy Unavailable/Permission Required.|
Policy Unavailable - The hosts belong to previous versions, such as NetWitness Platform 11.1 or 11.2, where a policy is not applied.
Permission Required - If you do not have permissions, see the "Role Permissions" topic in the System Security and User Management Guide.
|Issue||Policy Status shows error.|
The policy may be configured incorrectly. Check the error description, the Endpoint Server logs, and the audit logs for details. Contact your system administrator with the error details.
|Issue||While loading the driver on the host, an error is encountered.|
Check the driver error code in the Agent-Driver Error Code column under Investigate > Hosts view. Contact your system administrator with the error code.
File Reputation Service Issue
|Issue||When you configure RSA Live for the first time, the File Reputation service is not connected.|
You must manually enable the File Reputation service. To enable the File Reputation service:
Risk Scoring for Hosts or Files Issue
|Issue||NetWitness Endpoint takes a long time to process risk scoring for Hosts or Files.|
Check the backlog of alerts for risk scoring.