000039436 - Different result between "Go to event in Event Reconstruction" and query in RSA NetWitness Platform Investigate

Document created by RSA Customer Support Employee on Nov 6, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039436
Applies ToRSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition:
Platform: CentOS
O/S Version: 7
IssueIn rare cases, you may see a different result between "Go to event in Event Reconstruction" and querying specific sessionid in Investigate.

Here are the details:
  1. From Investigate > "Go to event in Event Reconstruction", searching for eventID "234994693505", you are able to see the result as shown below.
    User-added image
  2. From Investigate > "Go to event in Event Analysis", searching for eventID "234994693505", but it displays an error message as shown below.
    User-added image
  3. When using query "sessionid=234994693505", it displays "No data to display" as shown below.
    User-added image
  4. From Broker-explore-sdk deviceId, it displays "No device mapping exists".
    User-added image
  5. When exporting pcap this session, its actual size is 0byte.
    User-added image
In summary, this problematic session only can be retrieved via "Go to event in Event Reconstruction". 
CauseSometimes the Broker can complain about the ranges out of sync with the Index/MapDB. 
When the ranges are out of sync, you may face this problem on the investigation/events page. 
When ranges are out of sync, you are not able to query properly in the broker.
WorkaroundYou can try the following procedures to fix this issue.
  1. Go to the Explore page of "Broker".
  2. Right Click "Broker" node and select "Repair" from the dropdown. 
  3. Click Send. This would take a few seconds to a few minutes. 
  4. Check if the issue persists on the Broker. 
    This step would not cause any data loss. This would eventually correct the mapping in the broker. Restarting Service is not required.

But if the procedures above do not work, you need to perform the following procedures.
  1. SSH to the Broker Appliance. 
  2. Turn off the Broker Service (service nwbroker stop). Before proceeding further, check the status of the service (service nwbroker status). The status should not be deactivating / running / active.
  3. Go to the Folder: "/var/netwitness/broker/index" 
    • Map DB files would be present.
  4. Backup the Files in this folder to any backup location.
    • Make Directory "mkdir /root/broker-mapdb/" 
    • Go to the folder "/var/netwitness/broker/index" 
    • Move all the files "mv * /root/broker-mapdb/ -vv"
    • Check if all the files are moved to the backup location.
  5. Start the Broker Service. 
  6. Post starting the service, remove, and re-add the devices in the Broker Configurations.
    *Note: Back up process is very important. If there is any issue in regeneration, only recovery process is to restore the backed up files.
Once done, you are now able to query via "Go to event in Event Reconstruction" with problematic sessionid which means it syncs with the Index/MapDB in the broker.