|Applies To||RSA NetWitness NextGen|
RSA NetWitness Informer
RSA NetWitness Informer 188.8.131.52
RSA NetWitness Informer 184.108.40.206
RSA NetWitness Informer 220.127.116.11
RSA NetWitness Informer 18.104.22.168
RSA NetWitness Informer queries are placed in a 'queued' state indefinitely.
Informer queries are being placed in a 'queued' state indefinitely. Informer is successfully connected to its upstream Concentrator/Broker, and the Informer SQL DB appears to be properly initialized.
This condition is indicative of a clock change on the Informer appliance, which is not dealt with in a graceful manner. Informer uses a registry key to track the date and time of its last run jobs in order to prevent jiggering of the date to get around temporary license expiration. This registry key can also negatively impact Informer appliances with perpetual licenses if the appliance's clock has been set back after licensing and running Informer.
A SQL query reveals that Informer queries are being queued with a start/end date of 2008: select * from adhoc_queue
|Resolution||Use this procedure to resolve the issue: First, download the Informer Toolkit first and extract it to the Informer server's Desktop.|
1. Stop the Informer service from the desktop using the shortcut (run as Administrator)
3. Navigate to HKLM\Software\Wow6432Node\NetWitness\Agent in the left-hand pane for 64-bit OS'es, or HKLM\Software\NetWitness\Agent for 32-bit OS'es.
4. Right click on the 'Agent' key (folder) and click 'delete'. This should delete 'Agent' and everything below it.
5. Clear the Informer DB by running Desktop\Informer Toolkit\DBclear.cmd
6. Reinitialize the Informer DB by running Desktop\Informer Toolkit\DBinit.cmd
7. With the Informer service still stopped, login to your Informer web UI and re-set your connection source under Admin->System Settings->Engine Settings. The connection string will have been reset to 127.0.0.1 by step 5.
8. Start the Informer service from the Desktop using the shortcut. Check that the Informer Connection Status is 'Connected' to your Concentrator or Broker.
9. Attempt to run rule 'Test' by logging into the Informer web UI, clicking on Define-Rules, navigate to Test rule, and click 'Test Rule' in the top-right hand pane.
10. Click 'Run Test Rule' in the window that pops up, and the query should now run.
|Legacy Article ID||a58800|