000016829 - RSA NetWitness Informer queries are placed in a 'queued' state indefinitely

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016829
Applies To:
RSA NetWitness NextGen
RSA NetWitness Informer
RSA NetWitness Informer 2.0.5.2
RSA NetWitness Informer 2.0.5.4
RSA NetWitness Informer 2.0.5.5
RSA NetWitness Informer 2.0.5.6
Issue

RSA NetWitness Informer queries are placed in a 'queued' state indefinitely.

Informer queries are being placed in a 'queued' state indefinitely. Informer is successfully connected to its upstream Concentrator/Broker, and the Informer SQL DB appears to be properly initialized.
Cause

This condition indicates that the clock on the Informer appliance was changed, which Informer does not handle gracefully. Informer uses a registry key to record the date and time of its last run jobs so that the system date cannot be rolled back to get around a temporary license expiration. The same registry key can also break Informer appliances with perpetual licenses if the appliance's clock has been set back after Informer was licensed and run.

The key is located at:
32-bit OSes: HKLM\Software\NetWitness\Agent
64-bit OSes: HKLM\Software\Wow6432Node\NetWitness\Agent

The following SQL query against the Informer DB reveals that Informer queries are being queued with a start/end date of 2008:
select * from adhoc_queue

Resolution

Use this procedure to resolve the issue. First, download the Informer Toolkit and extract it to the Informer server's Desktop.

1. Stop the Informer service from the Desktop using the shortcut (run as Administrator).
2. Start->Run->regedit
3. Navigate to HKLM\Software\Wow6432Node\NetWitness\Agent in the left-hand pane for 64-bit OSes, or HKLM\Software\NetWitness\Agent for 32-bit OSes.
4. Right-click the 'Agent' key (folder) and click 'Delete'. This deletes 'Agent' and everything below it.
5. Clear the Informer DB by running Desktop\Informer Toolkit\DBclear.cmd
6. Reinitialize the Informer DB by running Desktop\Informer Toolkit\DBinit.cmd
7. With the Informer service still stopped, log in to your Informer web UI and re-set your connection source under Admin->System Settings->Engine Settings. The connection string will have been reset to 127.0.0.1 by step 5.
8. Start the Informer service from the Desktop using the shortcut. Check that the Informer Connection Status is 'Connected' to your Concentrator or Broker.
9. Attempt to run the rule 'Test' by logging in to the Informer web UI, clicking Define-Rules, navigating to the Test rule, and clicking 'Test Rule' in the top-right pane.
10. Click 'Run Test Rule' in the window that pops up, and the query should now run.
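Before step 4 deletes the 'Agent' key, it is worth confirming the clock-rollback cause described above and keeping a copy of what is deleted. The following PowerShell script is an added example, not part of the RSA article or the Informer Toolkit: it locates the key on either OS architecture, exports it to a .reg backup on the Desktop, and flags any stored value that parses as a date later than the current system time. The article does not name the values under the key, so the script examines every value rather than assuming a value name.

```powershell
# Added diagnostic for the Informer clock-rollback condition (not RSA's own code).
# Run in an elevated PowerShell prompt on the Informer server before step 4.
$candidates = @(
    'HKLM:\Software\Wow6432Node\NetWitness\Agent',  # 64-bit OS
    'HKLM:\Software\NetWitness\Agent'               # 32-bit OS
)
$agentKey = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $agentKey) {
    Write-Output 'No NetWitness Agent key found; the clock-rollback cause is unlikely.'
    return
}
Write-Output "Found key: $agentKey"

# Export the key before anything deletes it; reg.exe wants the HKLM\ form, not HKLM:\.
$regPath = $agentKey -replace '^HKLM:\\', 'HKLM\'
$backup  = Join-Path $env:USERPROFILE ('Desktop\NetWitness-Agent-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export $regPath $backup /y | Out-Null
Write-Output "Backed up to $backup"

# Assumption: the value names are not documented, so inspect every value under the key.
# Any value that parses as a date later than 'now' means the clock was set back after
# Informer last ran, which is the condition the article describes.
$now   = Get-Date
$props = Get-ItemProperty -Path $agentKey
$suspect = 0
foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
    $parsed = [DateTime]::MinValue
    if ([DateTime]::TryParse([string]$p.Value, [ref]$parsed)) {
        if ($parsed -gt $now) {
            Write-Output ("SUSPECT  {0} = {1} (later than system time {2})" -f $p.Name, $parsed, $now)
            $suspect++
        } else {
            Write-Output ("ok       {0} = {1}" -f $p.Name, $parsed)
        }
    } else {
        Write-Output ("non-date {0} = {1}" -f $p.Name, $p.Value)
    }
}
if ($suspect -gt 0) {
    Write-Output "$suspect value(s) lie in the future: the clock-rollback cause applies; continue with step 4."
} else {
    Write-Output 'No future-dated values found; re-check the clock and the adhoc_queue table before deleting the key.'
}
```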
Legacy Article ID: a58800
