Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000029290 - Reports fail to complete and returns "Invalid username or password" when running reports after changing a service password in RSA NetWitness Platform

Document created by RSA Customer Support

on Jun 15, 2016•Last modified by RSA Customer Support on Aug 27, 2019

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000029290
Applies To	RSA Product Set: Security Analytics, NetWitness Logs & Network RSA Product/Service Type: Reporting Engine, Concentrator, Broker RSA Version/Condition: 10.x, 11.x Platform: CentOS O/S Version: EL6, EL7
Issue	After changing the admin password on any Security Analytics or NetWitness service used as a data source for the Reporting Engine (broker or concentrator), reports fail to complete and instead throw an error similar to the example below in /var/netwitness/re-server/rsa/soc/reporting-engine/logs/reporting-engine.log (NetWitness 11.x) or /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log (SA 10.x). Error occurred while fetching data from source 'mybroker[10.20.30.40]'. Error details : 10.20.30.40:56003 received error: Invalid username or password. /var/log/messages on the source service show an error like below. Aug 19 23:19:01 mybroker NwBroker[1288]: [Login] [audit] Failed login attempt for user 'admin' from 10.20.30.10:45974, invalid password
Cause	The Reporting Engine validates the reporting source by requiring a username and password. This is by design and for security purposes. This username/password combination is referenced every time a report is run against a specific reporting source. If the password for the device has changed, the reporting source must be removed and re-added, as there is no way to edit the reporting device source after it has been added.
Resolution	To remove and re-add the data sources in the Reporting Engine, follow the steps below. In the NetWitness UI, navigate to ADMIN -> Services and for the Security Analytics UI, navigate to Administration -> Services. Click on the Action icon for the Reporting Engine and select View -> Config. Click on the Sources tab. Select the device that is reporting the error and click on the minus (-) sign to remove it. Click on the add (+) sign and select the device that was just removed. When prompted, enter the new username and password combination for the device. If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

Outcomes

0 Comments