000032611 - RSA Security Analytics - Unable to start Warehouse Connector Stream due to data source connectivity issue

Document created by RSA Customer Support Employee on Jul 5, 2016. Last modified by RSA Customer Support on May 7, 2019.
Version 4

Article Content

Article Number: 000032611
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: NetWitness Core Appliance, Warehouse Connector
RSA Version/Condition: 10.x
Platform: CentOS
O/S Version: 6
 
Issue

In some circumstances, the Warehouse Connector stream will not start and its status shows as stopped.

Starting the stream manually results in the following error in the NetWitness GUI:
 
Failed to execute: start: Failed to process message start for /warehouseconnector/streams/Saw com.rsa.netwitness.carlos.transport.TransportException: Subscription Failed : Connection Failure Invalid username or password, Check the warehouseconnector service logs for detailed information.

The /var/log/messages file contains the following error:

Error: Connection Failure Invalid username or password, Fix the problem in the source and restart the stream.
Cause

This issue occurs due to connectivity issues with data sources after a change to either the lockbox password or the login credentials for the service.

Resolution

There are two methods available to resolve this issue.

Method 1:
  1. Log in to the NetWitness GUI as administrator.
  2. Navigate to Administrator > Services, select the Warehouse Connector service, then choose View > Config and open the Streams tab.
  3. Select the stream that has stopped working and remove it.
  4. Switch to the Data Sources tab and re-add the data source.
  5. Re-add the stream. For Session ID, enter the last session ID to start the stream from where it left off; leaving the Session ID blank starts the stream from the current session.
  6. Finalize the details of the stream by pressing the Finalize button, then click the start button to begin the stream.
     
Note: To find the last session ID for the stream, run the following command against the old NwWarehouseconnector.cfg file. In the sample output below, the value of the lastsessionid.present entry (39687210696) is the last session ID for the stream.

cat /etc/netwitness/ng/NwWarehouseconnector.cfg|grep session

<config getRoles="users.manage" instance="config" maxLength="255" name="session.threshold" prettyName="Session Threshold" setRoles="users.manage" value="0"/> 
<config getRoles="warehouseconnector.manage" instance="config" maxLength="255" name="lastsessionid.present" prettyName="Last SessionID present" setRoles="" value="39687210696"/>
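
As an added example (not part of the original RSA article), the lookup in the note above can be wrapped in a shell function that returns only the session ID rather than every line containing "session". The function names last_session_ids and demo are hypothetical; the demo input is the two sample output lines shown above.

```shell
#!/bin/sh
# Added example (not from the RSA article): print the value of each
# lastsessionid.present entry in a Warehouse Connector config file.
# The function names are hypothetical.

last_session_ids() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read: $cfg" >&2; return 2; }

    # Join lines so an element split across lines still matches, emit one
    # <config .../> element per line, keep the lastsessionid.present ones,
    # extract value="..." whatever the attribute order, accept digits only.
    ids=$(tr '\n' ' ' < "$cfg" \
        | grep -o '<config [^>]*>' \
        | grep ' name="lastsessionid\.present"' \
        | sed -n 's/.* value="\([^"]*\)".*/\1/p' \
        | grep -E '^[0-9]+$' || true)

    [ -n "$ids" ] || { echo "no lastsessionid.present entry in $cfg" >&2; return 1; }
    printf '%s\n' "$ids"
}

# Demo on the two sample output lines shown in the article.
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
<config getRoles="users.manage" instance="config" maxLength="255" name="session.threshold" prettyName="Session Threshold" setRoles="users.manage" value="0"/>
<config getRoles="warehouseconnector.manage" instance="config" maxLength="255" name="lastsessionid.present" prettyName="Last SessionID present" setRoles="" value="39687210696"/>
EOF
    last_session_ids "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo   # prints 39687210696
```

If the configuration has been moved aside as in Method 2, point the function at the copy under /root/old_warehouseconnector.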


Method 2: This process starts the Warehouse Connector stream when the GUI is not accessible or the stream cannot be removed from the GUI.

  1. Log in using SSH to the appliance that is running the Warehouse Connector service and stop the service.
    stop nwwarehouseconnector

  2. Create a temporary directory.
    mkdir /root/old_warehouseconnector

  3. Move all the old NwWarehouseconnector.cfg configuration files into the temporary directory.
    mv /etc/netwitness/ng/NwWarehouseconnector* /root/old_warehouseconnector

  4. Start the Warehouse Connector service, which creates a new NwWarehouseconnector.cfg configuration file under the /etc/netwitness/ng/ directory.
    start nwwarehouseconnector

  5. Configure the Warehouse Connector service in the GUI, including all settings: the Lockbox password, Sources and Destinations, and Streams.
