000038094 - Endpoint Server goes offline in Investigation that is seen in the Investigate Hosts tab in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Dec 19, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038094
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: Endpoint Insights
RSA Version/Condition: 11.3.x
Platform: Linux

IssueThe Endpoint Server shows the status as yellow in health and wellness for the endpoint service only, and in the UI when navigating to the Investigate>Hosts page it shows the Endpoint Server as offline.

User-added image
CauseThe cause of this issue is the config server. The mongodb field gets cleared (possibly during a reboot of endpoint) and upon orchestration, it updates the mongodb to connect to from the endpoint servers own mongodb to the ESA IP address instead of endpoints. This causes the connection to the ESA mongodb to be rejected and shows the endpoint server offline in some investigate pages.

ResolutionThe resolution is to perform the following steps:

On Admin Server:
1. security-cli-client --set-config-prop --prop-name rsa.data.application.servers[0] --prop-value <EP-IP> --prop-identity <prop-id> -b <AdminServer-IP>

On Endpoint-Server:
2. systemctl restart rsa-nw-endpoint-server.service

On the UI:
3. Reload -> Investigate/Hosts page.