000017534 - Investigations are returning inconsistent results in RSA Security Analytics 10.3 SP2 and SP3

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017534
Applies ToRSA Security Analytics
RSA Security Analytics 10.3.2
RSA Security Analytics 10.3.3
RSA Security Analytics Concentrator
IssueInvestigations are returning inconsistent results in RSA Security Analytics 10.3 SP2 and SP3.
Drilling into sessions displays a different number of sessions than were initially displayed.
Event Reconstruction may fail when attempting to view details from a specific session.
Resolution

A hotfix is available at Security Analytics 10.3.3 that can be applied to all concentrator appliances that will resolve the issue.  To download and install the hotfix, follow the steps below.


  1. Download the appropriate nwconcentrator-10.3.4.2567-4 hotfix below.
         CentOS 6:  nwconcentrator-10.3.4.2567-4.el6.x86_64.rpm
         CentOS 5:  nwconcentrator-10.3.4.2567-4.el5.x86_64.rpm
     
  2. Use WinSCP or your preferred FTP client to transfer the hotfix to the concentrator appliance, placing it in the root user's home directory.
     
  3. Stop the nwconcentrator service on the concentrator appliance.
         CentOS 6:  stop nwconcentrator
         CentOS 5:  monit stop nwconcentrator
     
  4. Back up the current /usr/sbin/NwConcentrator file with the following command:  cp /usr/sbin/NwConcentrator /root/NwConcentrator.bak
     
  5. Install the hotfix on the concentrator appliance.
         CentOS 6:  rpm -Fvh /root/nwconcentrator-10.3.4.2567-4.el6.x86_64.rpm
         CentOS 5:  rpm -Fvh /root/nwconcentrator-10.3.4.2567-4.el5.x86_64.rpm

     
  6. Start the nwconcentrator service on the appliance.
         CentOS 6:  start nwconcentrator
         CentOS 5:  monit start nwconcentrator

     

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

NotesCAUTION!  The hotfix may only be applied to concentrators that have already been upgraded to Security Analytics 10.3 SP3 and should not be applied to concentrators at version 10.3 SP2.
Legacy Article IDa66781

Attachments

    Outcomes