000037719 - RSA NetWitness 11.3 Known Issues Master List

Document created by RSA Customer Support Employee on Aug 13, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037719
Applies ToRSA Product Set: NetWitness Logs & Network and NetWitness Endpoint
RSA Version/Condition: 11.3
Platform: CentOS
O/S Version: EL7
IssueBelow is a list of known issues in RSA NetWitness Logs & Network and NetWitness Endpoint, including those listed in the Release Notes.  
Please click on the links to go directly to the articles.

General Platform
Issue IDIssue TitleFix version or StatusRelated article

Changing Hostname in NW 11.x procedures/steps not documented
RFE in progresshttps://community.rsa.com/thread/194990
SACE-11175MegaCli providing misleading disk size information for 8 TB disks on Series 6 Packet Hybrids (affects nwraidutil.pl and nwraidutil.py used by H&W)11.3.1Internal KB, 37404
REST API- SAN LVS partitioning.11.3.1 
SACE-11250/boot partition full after updating to 11.311.3.0.1https://community.rsa.com/docs/DOC-103219
SACE-11592After RMAing concentrator cannot add Powervault with SED using 11.3 nwarrycfg utility11.3.1 


Issue IDIssue TitleFix version or StatusRelated article
SACE-11287Security Vulnerabilities on Host OS11.4 
ASOC-75957Python Security Update https://access.redhat.com/errata/RHSA-2019:0710.11.3.1 

Core Services

Issue IDIssue TitleFix version or StatusRelated article
SACE-11468Decoder Crash due to Core Files post upgrade to NW 11.311.3.1 
SACE-11554Unable to export app rules in NW 1111.4 
ASOC-75007Previously, if the Log Decoder was sent bad data that appeared to consist of a certain number of bytes, but the message contained fewer bytes, the Log Decoder waited indefinitely for data that never arrived. The number of bytes allowed for length-prefixed transmissions is now limited to address this issue.11.3.1 

Log Collector

Issue IDIssue TitleFix version or StatusRelated article
Office365 plugin issue with disabled SSLFix in progress 


Issue IDIssue TitleFix version or StatusRelated article
ESA falls behind when User Baseline is enabledAwaiting content  update 
ESA Alert time stamp mismatch post migrationFix in progress 
SACE-11449Existing ESA Rule Builder rules that contain array fields won't deploy after upgrading to NW 11.311.3.1 
Event type "Correlation" in the Event Analysis page cannot be retrievedFix in progress 
SACE-11561rsa-nw-esa-server was started after upgrade to 11.3 (causing issues with esa alerts)11.3.1 
disabled rules Getting re-enabled after deploy and esa correlation service restart11.3.1 


Issue IDIssue TitleFix version or StatusRelated article
SACE-10843Incident creation:  Rule Detail page polling local Windows box's time zone info instead of User Preferences in NetWitness settings11.3.1 
ASOC-75674When you update to 11.3, Respond's primary host property (/rsa/primary/host) was set to false by default, which had an adverse effect on some of the critical functionality. This is now set as true.
Incidents are not flagged when a user manually adds the alerts to existing incidents in RSA Security Analytics 10.6.x and NetWitness 11.x.Will not fixhttps://community.rsa.com/docs/DOC-47378
ASOC-73743Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication.11.3.1 
ASOC-72759Respond statistics reset after update. This is fixed for updates from 11.3 to 11.3.x, but is still an issue for updates from 11.2.x to 11.3.x.11.3.1 
ASOC-60463Proper message is not displayed when Event Analysis is not loading in a mixed-mode environment.11.3.1 


Issue IDIssue TitleFix version or StatusRelated article
SACE-11301Extension, doc, is added to an xls file when extracting file from a session11.3.1
SACE-11661Nw 11.3 - Investigation: Unexpected Query Exception of type St9bad_alloc: std::bad_alloc11.3.1 
ASOC-73894In Print Mode, raw meta key and descriptive names are missing.11.3.1 
ASOC-73826In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline.11.3.1 
ASOC-73660Context Sensitive Help for Add Event to Incident and Create Incident dialogs does not open the correct topic.11.3.1 
ASOC-73224When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish.11.3.1 
ASOC-60464The error message displayed when a download from the user interface times out needs clarification.11.3.1 


Issue IDIssue TitleFix version or StatusRelated article
SACE-11390Agent does not generate log meta when more than 23 EventID's are configured in the Agent config log filter.11.4 
"Unsigned Reserved Name Rule" firing on signed moduleFix in progress 
Issues with the Powershell console events in Windows 10 1809 have been fixed in 

Reporting Engine

Issue IDIssue TitleFix version or StatusRelated article
Charts are not deleted in 


Issue IDIssue TitleFix version or StatusRelated article
RSA NetWitness Logs and Network 11.3 Chef run fails with "nw_pki_openssl_hashed_cert" error in chef-solo.logUnder Investigation
   Workaround available