This topic describes issues that Security Analytics users may encounter when setting up their workbench service in Security Analytics, along with explanations and solutions.
Security Analytics notifies users of issues using popup notifications.
Possible Workbench Issues
The following table explains the types of error messages that Security Analytics Workbench returns.
|Unable to connect to workbench service from Security Analytics user interface Administration page.||Security Analytics service is not running.||Verify that your Security Analytics service is running. Log in to your Security Analytics server and run the following command: |
Firewall rules should allow connections from 50007, 50607 and 50107.
Verify your connection by running the following command:
service iptables status
Verify that you are able to launch REST. Execute the following command for your appliance:
If you are able to launch REST service for your appliance, you can confirm that there is no problem with the appliance. Navigate to the Security Analytics side for further investigation as follows:
Enable debug mode and watch for sa.log errors located at:
Enable developer tools using the shortcut Ctrl+Shift+I for Chrome and verify the preview and response for the request.
|Not able to view Appliance service configuration tab for workbench appliance running in SSL mode.|
|Enable SSL for appliance service and restart the appliance service.|
|The following error message is displayed when trying to load meta in order to create a report on a workbench collection: "Unable to fetch schema from data source when trying to load meta."|
|Load meta for the appliance from the Security Analytics User Interface Rule library and watch for any errors in Reporting Engine log located at:
Launch REST for the device and watch for any error if you run the following query
|No results are displayed after running query from Security Analytics User Interface via the Reporting Engine.||Run the query on the Reporting Engine and watch /var/log/messages on the data source. Look for an exact query that matches the data source.|
TIP: Search for [SDK-Query] in log file.
Copy the exact query and run from REST SDK to see if you get any results.
REST Query: /sdk?msg=query&force-contenttype=text/plain&expiry=
|Workbench Available storage indicator in Workbench Collections Tab is not accurate.||Available storage indicator in the User Interface displays the default Collections directory shown below:|
|Unable to open new collections after opening existing collections.|
|There is a workbench configuration called “Max Open Collections” that is set to 25 by default. This configuration specifies the number of collections that can be open at the same time.|
You can modify this number. A setting of zero disables the limit of maximum open collections.
|Successfully opened a collection that got to Ready state. But after a while, the collection automatically changed to Closed state.|
|There is a workbench configuration called “collection.timeout” that is set to 1200 seconds by default.|
This configuration specifies the number of seconds before an idle collection is automatically closed. Maximum time allowed before timeout occurs is 86,400 seconds (24 hours).
|A setting of zero disables the timeout.|
|Querying for a time range using /database manifest command returned blank output.||Blank output indicates that there are no nwdb files available for the time range.||None.|
|Created collection, but collection status is not available in Jobs, and collection is not displayed in workbench Collections tab.|
|You might be running in a mixed mode environment (for example, creating a collection on a 10.4.x version of workbench from a 10.5 Security Analytics User Interface).||The collection is displayed in the workbench Collections tab after you reload the page.|
|Noticed blank Date Range and Date Created values for collections.||All collections display blank Date Range and blank Date Created values.||Date Range and Date Created values are displayed after upgrading to 10.5.|
|Discrepancy in behavior of adding workbench collections as a data source to Reporting Engine.|
|This behavior depends on whether you have a trusted connection or a non-trusted connection.||If your workbench service is established with a trusted connection, you should manually add workbench collections as a source to Reporting Engine.
If your workbench service is not established with a trusted connection when the workbench restoration collection was created, it automatically sends a message to the Reporting Engine to add it as a source in the Reporting Engine.
|Collection attributes (size, date range and date created) are not displayed.||Date range is not displayed for a collection if Jetty service is restarted while restoration is in process.|
Restoration collections created from an Explorer view display a blank Date Range.
Any collections created on a 10.4 Workbench will display blank Date Range and blank Date Created values after upgrading to 10.5.
In a mixed mode environment (10.5 Security Analytics server and 10.4.x workbench), size, date range, and date created are not displayed.
|Exception or blank page is displayed when drilling down on a|
|Collection closed because it exceeded the collection time out.||Investigate the collection from the beginning.|
|Empty collection is created.||Empty collection is displayed if restoration fails because Workbench service is restarted during collection creation.||None.|
|Service abruptly shuts down.||Run the service from command line and watch for any errors. For example, run the command from the server console /usr/sbin/NwWorkbench for
|REST request denied.||Verify user.agent.whitelist config located at /rest/config/|
If non-blank, this should be a regular expression that matches valid HTTP user agents. If the regex fails to match, all REST requests will be denied (see allow.missing.user.agent for the potential exception). If blank, all requests are allowed.
|Queries with raw meta return blank values for Raw field.||Verify that you have a relevant|
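The user.agent.whitelist decision described in the "REST request denied" row above, modelled as an added example (not product code) for checking a candidate whitelist value against the clients you expect to use REST. Assumptions: the regex is applied as an unanchored search, allow.missing.user.agent set to true admits requests that carry no User-Agent header, and an unparsable regex denies everything; the function names and sample user agents are constructed.

```python
import re


def rest_request_allowed(whitelist, user_agent, allow_missing_user_agent=False):
    """Return (allowed, reason) for one REST request.

    whitelist                -- value of user.agent.whitelist ("" means blank)
    user_agent               -- the request's User-Agent header, None if absent
    allow_missing_user_agent -- assumed meaning of allow.missing.user.agent
    """
    if not whitelist:
        return True, "whitelist is blank: all requests allowed"
    try:
        pattern = re.compile(whitelist)
    except re.error as exc:
        # Assumption: a regex that cannot be parsed can never match.
        return False, f"whitelist is not a valid regex: {exc}"
    if not user_agent:
        if allow_missing_user_agent:
            return True, "no User-Agent header, allow.missing.user.agent is set"
        return False, "no User-Agent header to match against the whitelist"
    if pattern.search(user_agent):  # assumption: unanchored search semantics
        return True, "User-Agent matches whitelist"
    return False, "User-Agent does not match whitelist"


def audit_clients(whitelist, clients, allow_missing_user_agent=False):
    """Map each client name to its (allowed, reason) verdict."""
    return {
        name: rest_request_allowed(whitelist, ua, allow_missing_user_agent)
        for name, ua in clients.items()
    }


# Constructed sample user agents, not taken from any product log.
SAMPLE_CLIENTS = {
    "browser": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0",
    "curl": "curl/7.29.0",
    "script-no-header": None,
}

if __name__ == "__main__":
    for name, (ok, why) in audit_clients(r"^Mozilla/", SAMPLE_CLIENTS).items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running it with a whitelist of `^Mozilla/` shows the browser allowed and both the curl client and the header-less script denied, which is the pattern to look for when only some REST clients are rejected.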