000037959 - RSA NetWitness Endpoint Log Hybrid Server shows License Expired with zero agent license

Document created by RSA Customer Support Employee on Oct 11, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037959
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: Endpoint Insights
RSA Version/Condition:,
Platform: Linux
IssueExpired license alerting messages from advanced agent license shows an alert indicating that a usage spike has triggered the license alarm for the endpoint agents, although the desired use of the agents is for log collection only, or for just the insights agent, with a zero license being the default license in place:

User-added image
CauseThis is caused because of the Netwitness Endpoint default policy, which automatically sets all agents as advanced in 11.3.x and later, as opposed to the insights agent. Since this is controlled by policy instead of the packager, the policy must be changed to reflect the desire to use an insights agent instead of an advanced agent to avoid the licensing exceeded message.
ResolutionNavigate to Admin>Endpoint Sources> Policies and under this tab, you have access to the groups and policies that comprise the endpoint agents. Assuming no additional policies exist, modify the Default EDR Policy and under Agent Mode, select the Insights checkbox and then save the edited policy:

User-added image

NOTE: If there are no advanced licenses available, every policy that is classed as a Source Type of Agent Endpoint should be set to Insights. If a mix of Advanced and Insights is used to prevent license consumption, this will need to be carefully planned and managed to determine the right mix of agents.