000017512 - The error message 'Unable to fetch schema from the data source' is seen in the RSA Security Analytics Reporting Engine after replacing a core appliance

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 30, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000017512
Applies ToRSA Product Set: Security Analytics
RSA Security Analytics 10.x
RSA Security Analytics Server 10.x
RSA Security Analytics Reporting Engine 10.x
RSA Security Analytics Decoder 10.x
RSA Security Analytics Log Decoder 10.x
RSA Security Analytics Concentrator 10.x
RSA Security Analytics Hybrid 10.x
IssueThe error message "Unable to fetch schema from the data source" is seen in the RSA Security Analytics Reporting Engine after replacing a core appliance.

After replacing an RSA Security Analytics Hybrid appliance, the following error messages are seen from within the Reporting Engine:

Unable to fetch schema from the data source
Error occured while connecting to the data source

The following error message is found in the /var/lib/netwitness/uax/logs/sa.log file:  Unable to fetch schema from the datastore

An error message similar to the following is found in the /var/lib/netwitness/uax/logs/sa.log

<date> <time> [CARLOS NextGen Heartbeat] WARN org.springframework.web.client.RestTemplate - GET request for "" resulted in 401 (Unauthorized); invoking error handler

NOTE:  In the example output above, the IP address referenced in the URL is the old IP address of the hybrid appliance.  A 401 code is a standard HTTP error code for "not found".  Therefore, the message is stating that there is no response to an HTTP GET request on the IP address on port 50106.

CauseThis error message can appear under several other circumstances, such as when a device's IP address changes, when a firewall is blocking communication, or due to other general network failures.  The nature of the error itself is typically physical and simply indicates that the Reporting Engine cannot connect to the device as it is currently referenced by the IP address and port specified in the URL.  In the example above, that would be over port 50106.  In this particular instance, the hybrid IP address was changed to when the new unit was brought online.  The broker picks up the IP address of the device exactly how it is configured.  There is no way to "change" the IP address once it's added as a Data Source, but it can be remedied quite easily by deleting and re-adding the device as a Data Source.

To remove and re-add a device as a Data Source in the Reporting Engine, follow the steps below.

  1. Log into the Security Analytics UI and navigate to Administration -> Services
  2. Select the Reporting Engine and navigate to View -> Config.
  3. Click on the Sources tab.
  4. Select the device you wish to remove and click on the Minus ( - ) sign, which will remove it from the list.
  5. To re-add the device as a Data Source, click on the Plus ( + ) sign, and click on Available Devices.
  6. Select the device you wish to add and click OK.


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

WorkaroundThe IP address of the hybrid appliance has recently been changed, which may or may not be due to a unit replacement.
Legacy Article IDa66156