Issue | Below is a list of known issues in RSA NetWitness Logs & Network and NetWitness Endpoint, including those listed in the Release Notes. Please click on the links to go directly to the articles.
General Platform
Issue ID | Issue Title | Fix version or Status | Related article | SACE-8941 SACE-9616 ASOC-39414 | Changing Hostname in NW 11.x procedures/steps not documented | RFE in progress | https://community.rsa.com/thread/194990 | SACE-11175 | MegaCli providing misleading disk size information for 8 TB disks on Series 6 Packet Hybrids (affects nwraidutil.pl and nwraidutil.py used by H&W) | 11.3.1 | Internal KB, 37404 | SACE-11213 ASOC-79350 | REST API- SAN LVS partitioning. | 11.3.1 | | SACE-11250 | /boot partition full after updating to 11.3 | 11.3.0.1 | https://community.rsa.com/docs/DOC-103219 | SACE-11592 | After RMAing concentrator cannot add Powervault with SED using 11.3 nwarrycfg utility | 11.3.1 | | | | | |
Security
Core Services
Issue ID | Issue Title | Fix version or Status | Related article | SACE-11468 | Decoder Crash due to Core Files post upgrade to NW 11.3 | 11.3.1 | | SACE-11554 | Unable to export app rules in NW 11 | 11.4 | | ASOC-75007 | Previously, if the Log Decoder was sent bad data that appeared to consist of a certain number of bytes, but the message contained fewer bytes, the Log Decoder waited indefinitely for data that never arrived. The number of bytes allowed for length-prefixed transmissions is now limited to address this issue. | 11.3.1 | | | | | |
Log Collector
Issue ID | Issue Title | Fix version or Status | Related article | SACE-11434 ASOC-78604 | Office365 plugin issue with disabled SSL | Fix in progress | | | | | |
ESA
Issue ID | Issue Title | Fix version or Status | Related article | SACE-10542 SMC-15477 | ESA falls behind when User Baseline is enabled | Awaiting content update | | SACE-11407 ASOC-77776 | ESA Alert time stamp mismatch post migration | Fix in progress | | SACE-11449 | Existing ESA Rule Builder rules that contain array fields won't deploy after upgrading to NW 11.3 | 11.3.1 | | SACE-11542 ASOC-80165 | Event type "Correlation" in the Event Analysis page cannot be retrieved | Fix in progress | | SACE-11561 | rsa-nw-esa-server was started after upgrade to 11.3 (causing issues with esa alerts) | 11.3.1 | | SACE-11668 ASOC-79640 | disabled rules Getting re-enabled after deploy and esa correlation service restart | 11.3.1 | | | | | |
Respond
Issue ID | Issue Title | Fix version or Status | Related article | SACE-10843 | Incident creation: Rule Detail page polling local Windows box's time zone info instead of User Preferences in NetWitness settings | 11.3.1 | | ASOC-75674 | When you update to 11.3, Respond's primary host property (/rsa/primary/host) was set to false by default, which had an adverse effect on some of the critical functionality. This is now set as true. | 11.3.0.1 | | ASOC-52428 | Incidents are not flagged when a user manually adds the alerts to existing incidents in RSA Security Analytics 10.6.x and NetWitness 11.x. | Will not fix | https://community.rsa.com/docs/DOC-47378 | ASOC-73743 | Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication. | 11.3.1 | | ASOC-72759 | Respond statistics reset after update. This is fixed for updates from 11.3 to 11.3.x, but is still an issue for updates from 11.2.x to 11.3.x. | 11.3.1 | | ASOC-60463 | Proper message is not displayed when Event Analysis is not loading in a mixed-mode environment. | 11.3.1 | |
Investigation
Issue ID | Issue Title | Fix version or Status | Related article | SACE-11301 | Extension, doc, is added to an xls file when extracting file from a session | 11.3.1 | | SACE-11661 | Nw 11.3 - Investigation: Unexpected Query Exception of type St9bad_alloc: std::bad_alloc | 11.3.1 | | ASOC-73894 | In Print Mode, raw meta key and descriptive names are missing. | 11.3.1 | | ASOC-73826 | In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline. | 11.3.1 | | ASOC-73660 | Context Sensitive Help for Add Event to Incident and Create Incident dialogs does not open the correct topic. | 11.3.1 | | ASOC-73224 | When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish. | 11.3.1 | | ASOC-60464 | The error message displayed when a download from the user interface times out needs clarification. | 11.3.1 | |
Endpoint
Issue ID | Issue Title | Fix version or Status | Related article | SACE-11390 | Agent does not generate log meta when more than 23 EventID's are configured in the Agent config log filter. | 11.4 | | SACE-11413 ASOC-80227 | "Unsigned Reserved Name Rule" firing on signed module | Fix in progress | | ASOC-73120 ASOC-74872 | Issues with the Powershell console events in Windows 10 1809 have been fixed in 11.3.1. | 11.3.1 | |
Reporting Engine
Issue ID | Issue Title | Fix version or Status | Related article | SACE-11534 ASOC-78847 | Charts are not deleted in 11.3.0.1 | 11.4 | | | | | |
Administration
Issue ID | Issue Title | Fix version or Status | Related article | SACE-11406 ASOC-77296 | RSA NetWitness Logs and Network 11.3 Chef run fails with "nw_pki_openssl_hashed_cert" error in chef-solo.log | Under Investigation Workaround available | https://community.rsa.com/docs/DOC-105950 | | | | |
|