000029164 - Reporting rules fail with the error "408 Request Timeout" after upgrading to RSA Security Analytics 10.3 SP4

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029164
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Reporting Engine
RSA Version/Condition: 10.3.4
Platform: CentOS

The following error is seen in the Security Analytics UI when attempting to run a report:
Failed To Retrieve Distinct Values For Specific Field Across Range [range number 1] To [range number 2]: 408 Request Timeout

An error similar to the following is observed in the /var/lib/netwitness/uax/sa.log file while executing the report in the Security Analytics UI, noting that the rsaadmin job id is variable:
[org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-6] INFO  org.quartz.core.JobRunShell - Job rsaadmin.12345-6789-abcd123abcd threw a JobExecutionException: 
org.quartz.JobExecutionException: Error uploading file to device
 at com.rsa.smc.sa.core.job.NextGenUploadFileJob.checkForFailedUpload(NextGenUploadFileJob.java:179)
 at com.rsa.smc.sa.core.job.NextGenUploadFileJob.executeJob(NextGenUploadFileJob.java:149)
 at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61)
 at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
 at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)

CauseThis issue occurs due to a timeout configuration change that occurred in RSA Security Analytics 10.3.4. Previously at 10.3.3 and below, higher fixed values were assigned to the two parameters, NWDBqueryTimeout and SchemaTimeout.  The difference in values can at times cause larger reports to fail.


A hotfix for this issue has been created for RSA Security Analytics 10.3 SP4 which resolves the issue.  Follow the steps below to download and apply the hotfix.

  1. Download the re-server- hotfix package.
  2. Transfer the file to the Security Analytics server appliance.
  3. Connect to the Security Analytics server appliance via SSH as the root user and navigate to the directory to which the file was transferred.
  4. Stop the reporting engine service with the following command:  stop rsasoc_re
  5. Update the re-server package to the new version with the following command:  rpm -Fvh re-server-
  6. Start the reporting engine service with the following command:  start rsasoc_re


If you are unable to apply the hotfix at this time, you may alternately perform these steps to mitigate the issue:

  1. Log into the Security Analytics UI with an administrative account.
  2. Navigate to Administration -> Devices.
  3. Select the Reporting Engine device and click on View -> Config.
  4. In the System Configuration section on the General tab, locate the setting for NWDB Query Timeout.
  5. Change the value to be 2592000, which equates to 30 days in seconds.  To change this, double-click on the 0, enter the new value, and hit enter.
  6. Click the Apply button.
  7. Navigate back to Administration -> Devices.
  8. Select the Reporting Engine device and click on View -> Explore.
  9. In the left pane, drill down to com.rsa.soc.re -> Configuration -> NextGenConfiguration -> nextgenConfig.
  10. In the right pane, look at the value for SchemaTimeOut.  If its value is 60, double-click the value to change it to 120 and hit enter.
NotesPerforming these changes will not impact production, nor do the changes require a service or system restart.  While a hotfix is also available, applying the higher timeout values manually mitigates the problem in the same fashion as the hotfix does, as the updated RPM also simply increases the values.