000017512 - The error message 'Unable to fetch schema from the data source' is seen in the RSA Security Analytics Reporting Engine after replacing a core appliance

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017512
Applies ToRSA Security Analytics
RSA Security Analytics Server
RSA Security Analytics Reporting Engine
RSA Security Analytics Decoder
RSA Security Analytics Log Decoder
RSA Security Analytics Concentrator
RSA Security Analytics Hybrid
IssueThe error message "Unable to fetch schema from the data source" is seen in the RSA Security Analytics Reporting Engine after replacing a core appliance.

After replacing an RSA Security Analytics Hybrid appliance, the following error messages are seen from within the Reporting Engine:



Unable to fetch schema from the data source
Error occured while connecting to the data source



The following error message is found in the /var/lib/netwitness/uax/logs/sa.log file:  Unable to fetch schema from the datastore

An error message similar to the following is found in the /var/lib/netwitness/uax/logs/sa.log



<date> <time> [CARLOS NextGen Heartbeat] WARN org.springframework.web.client.RestTemplate - GET request for "https://192.168.131.196:50106/sys/stats/current.time" resulted in 401 (Unauthorized); invoking error handler



NOTE:  In the example output above, the IP address referenced in the URL is the old IP address of the hybrid appliance.  A 401 code is a standard HTTP error code for "not found".  Therefore, the message is stating that there is no response to an HTTP GET request on the IP address 192.168.13.196 on port 50106.

CauseThis error message can appear under several other circumstances, such as when a device's IP address changes, when a firewall is blocking communication, or due to other general network failures.  The nature of the error itself is typically physical and simply indicates that the Reporting Engine cannot connect to the device as it is currently referenced by the IP address and port specified in the URL.  In the example above, that would be 192.168.131.196 over port 50106.  In this particular instance, the hybrid IP address was changed to 192.168.131.199 when the new unit was brought online.  The broker picks up the IP address of the device exactly how it is configured.  There is no way to "change" the IP address once its added as a Data Source, but it can be remedied quite easily by deleting and re-adding the device as a Data Source.
Resolution

To remove and re-add a device as a Data Source in the Reporting Engine, follow the steps below.


  1. Log into the Security Analytics UI and navigate to Administration -> Devices.
  2. Select the Reporting Engine and navigate to View -> Config.
  3. Click on the Sources tab.
  4. Select the device you wish to remove and click on the Minus ( - ) sign, which will remove it from the list.
  5. To re-add the device as a Data Source, click on the Plus ( + ) sign, and click on Available Devices.
  6. Select the device you wish to add and click OK.

 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

WorkaroundThe IP address of the hybrid appliance has recently been changed, which may or may not be due to a unit replacement.
Legacy Article IDa66156

Attachments

    Outcomes