000017881 - Broker unable to export PCAP or logs after upgrade to RSA Security Analytics 10.3 SP3

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000017881
Applies To: RSA Security Analytics
RSA Security Analytics 10.3.3
RSA Security Analytics Broker
RSA Security Analytics Server
Issue: Broker unable to export PCAP or logs after upgrade to RSA Security Analytics 10.3 SP3.
Unable to export PCAP or logs after upgrading to Security Analytics 10.3.3.
A core dump appears in the /var/netwitness/broker directory on the broker after upgrading to SA 10.3.3.

The log file /var/netwitness/logs/sa.log displays errors similar to the following after attempting to export a PCAP:



2014-05-09 13:43:25,178 org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-2 INFO org.quartz.core.JobRunShell - Job c5175320.8b3318e6-f32a-4f72-9884-9b429912d3cc threw a JobExecutionException:
org.quartz.JobExecutionException: Error retrieving logs from device [See nested exception: java.io.IOException: com.rsa.netwitness.carlos.clients.nextgen.NextGenException: org.apache.http.conn.HttpHostConnectException: Connection to
http://127.0.0.1:50103 refused]
at com.netwitness.platform.server.investigation.common.export.jobs.ExtractInvestigationLogsJob.executeJob(ExtractInvestigationLogsJob.java:65)
at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61)
at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
Caused by: java.io.IOException: com.rsa.netwitness.carlos.clients.nextgen.NextGenException: org.apache.http.conn.HttpHostConnectException: Connection to
http://127.0.0.1:50103 refused
at com?.



While trying to export a session through REST, a "No Data Received" or "404 Not Found" error is displayed.
The /var/log/messages file displays the following error:  [ServiceConnectionNode::messageHandler] [failure] localhost:50003: End of file
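
The three symptoms listed above can be checked with a short script. This is an added example, not RSA-supplied code: the function names, the `--demo` flag, the constructed sample files and the assumption that the core dump is named core or core.<pid> are illustrative.

```shell
#!/bin/sh
# Added example, not RSA-supplied code: reports which of the article's three
# symptoms are present. Default paths are the ones the article names.

# sa.log: the export job was refused when connecting to 127.0.0.1:50103.
has_rest_refused() {
    grep -qF 'http://127.0.0.1:50103 refused' "$1" 2>/dev/null
}

# /var/log/messages: the failure line quoted in the article.
has_eof_failure() {
    grep -qF '[ServiceConnectionNode::messageHandler] [failure] localhost:50003: End of file' "$1" 2>/dev/null
}

# Count core files in the Broker directory.
# Assumption: the dump uses the common core / core.<pid> file naming.
count_core_files() {
    n=0
    for f in "$1"/core "$1"/core.*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print the matched symptoms as space-separated tags (empty line if none).
broker_export_symptoms() {
    found=""
    if has_rest_refused "$1"; then found="$found rest_refused"; fi
    if has_eof_failure "$2"; then found="$found eof_failure"; fi
    if [ "$(count_core_files "$3")" -gt 0 ]; then found="$found core_dump"; fi
    echo "${found# }"
}

# Constructed sample input: log text abridged from the article, file names invented.
write_sample() {
    mkdir -p "$1/broker"
    echo 'Caused by: java.io.IOException: org.apache.http.conn.HttpHostConnectException: Connection to http://127.0.0.1:50103 refused' > "$1/sa.log"
    echo '[ServiceConnectionNode::messageHandler] [failure] localhost:50003: End of file' > "$1/messages"
    : > "$1/broker/core.1234"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample "$tmp"
    broker_export_symptoms "$tmp/sa.log" "$tmp/messages" "$tmp/broker"
    rm -rf "$tmp"
else
    broker_export_symptoms "${1:-/var/netwitness/logs/sa.log}" \
        "${2:-/var/log/messages}" "${3:-/var/netwitness/broker}"
fi
```

Run it with no arguments to read the default paths, or pass three paths (sa.log, messages, Broker directory) to inspect copied files; `--demo` runs it against the constructed sample.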
Resolution

Please note the following:


This issue has been resolved, and the fix will be available in the latest version of 10.3 SP3, tentatively scheduled for release on May 21st. If you downloaded and installed 10.3 SP3 prior to May 21st and have encountered the issue noted above, use the hot fix instructions posted below.


 


CentOS EL6 Instructions


Download Hot Fix EL6


On the Broker appliance:
1. Stop the NwBroker process by running "stop nwbroker"
2. Unzip the Hot Fix gz file using the command "tar -xzvf RSA_SA10.3.3_b2522_SACE-1062.el6.x64.tar.gz"
3. The result from the tar command should be an RPM file called "nwbroker-10.3.3.2522-4.el6.x86_64.rpm"
4. Back up the current /usr/sbin/NwBroker file
5. To install the new RPM, execute the following command "rpm -Fvh nwbroker-10.3.3.2522-4.el6.x86_64.rpm"
6. Restart the NwBroker process by running "start nwbroker"


 


CentOS EL5 Instructions


Download Hot Fix EL5


On the Broker appliance:
1. Stop the NwBroker process by running "stop nwbroker"
2. Unzip the Hot Fix gz file using the command "tar -xzvf RSA_SA10.3.3_b2522_SACE-1062.el5.x64.tar.gz"
3. The result from the tar command should be an RPM file called "nwbroker-10.3.3.2522-4.el5.x86_64.rpm"
4. Back up the current /usr/sbin/NwBroker file
5. To install the new RPM, execute the following command "rpm -Fvh nwbroker-10.3.3.2522-4.el5.x86_64.rpm"
6. Restart the NwBroker process by running "start nwbroker"

Workaround: Upgrade to RSA Security Analytics 10.3.3.
Legacy Article ID: a65688
