000017414 - After upgrading to RSA Security Analytics 10.3 or above  users are unable to connect to the IPDB Extractor

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017414
Applies ToRSA Security Analytics
RSA Security Analytics 10.3 and above
RSA Security Analytics IPDB Extractor
IssueUnable to Connect to IPDBExtractor After Upgrading to SA 10.3 (or above)
After upgrading to RSA Security Analytics 10.3 or above, users are unable to connect to the IPDB Extractor.
Test Connection in the Devices view of the Security Analytics UI fails.
The nwipdbextractor service is started/running but is not listening on the 50125/TCP port.

The /var/log/message file reports errors similar to the following:

Apr 29 15:13:42 NWAPPLIANCE14833 nw[24527]: [ipdbextractorinit] [failure] Failed to read dir file from location /var/netwitness/ipdbextractor/devicelocation/global/local/directory/
Apr 29 15:13:42 NWAPPLIANCE14833 nw[24527]: [ipdbextractorinit] [failure] Ensure that the .dir file exists in the path as mentioned in the config "Mount point of the .dir file". Extractor will retry reading the .dir file after 1 minute.


There is a slight change of behavior in 10.3 as prior versions did not require the .dir file to exist before listening on 50125/TCP.  Starting with SA 10.3, at startup, the IPDBExtractor service looks for the device location file which contains all the configuration details of the IPDB, such as the ESIPDB.dir file.

Also, if only /var/netwitness/ipdbextractor/devicelocation is present, the user must create the subdirectories to that path /var/netwitness/ipdbextractor/devicelocation/global/local/directory and put the .dir file in that location.

Every minute, the IPDB Extractor service looks for this file. Until the user supplies this file, the service will not start listening on 50125/TCP.  In summary, the IPDBExtractor service requires both .dir file and that IPDB be mounted using CIFS before it will start cleanly.

Legacy Article IDa65310