000032877 - Tracker Process failed on Network components in RSA Data Loss Preventation 9.6 SP2

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032877
Applies ToRSA Product Set: DLP
RSA Product/Service Type: Enterprise Manager
RSA Version/Condition: 9.6 SP2
Platform: Linux
IssueTracker process failed on all the network devices.
Customer gets the below notification 
Hostname: interceptor1.ribeye.com
Component: NW icapserver
Type: NW_007
Timestamp: Apr 08 10:14:50
Description: Process failed: tracker1.

From any of the affected network device, check:
messages.log located under /opt/rsa/sensor/log 

04-08 10:34:52 ERROR NW_903   interceptor1.ribeye.com Interceptor      SMTPReader error: Unable to exchange rpc data with tracker
04-08 10:34:53 ALERT NW_007   interceptor1.ribeye.com Monitor          Process failed: tracker1.
04-08 10:34:53 INFO  NW_902   interceptor1.ribeye.com Monitor          tracker1 (pid 20114) completed with exit status 99
04-08 10:34:54 ALERT NW_007   interceptor1.ribeye.com Monitor          Process failed: tracker0.

ResolutionThe tracker service fails due to the misconfiguraton on one of the recently created regular expressions, so this needs to be corrected.
  • To identify the  misconfigured Regex, check the messages.log located under /opt/rsa/sensor/log 
  • The log points to the incorrect regex as following (e.g: missing/extra parentheses,,)
04-08 10:34:52 ERROR NW_903 interceptor1.ribeye.com Tracker1 
Unable to process document complete: [rsa.dlp.ca.analyzer] Invalid regex: U_REGEX_MISMATCHED_PAREN

  • From the Enterprise manager, correct the Regular expression as following:
  • With the Policy tab active, click the Content Blades menu near the top of the page and select Regular Expression Manager from the drop-down list.
  • To edit the expression, click Edit. The New / Edit Regular Expression page appears