Reporting: Troubleshooting

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Feb 10, 2017.
Version 5

This topic provides troubleshooting instructions for issues faced when using the Reporting module in Security Analytics.

Troubleshooting Issues with the Configured SFTP Server

This section provides troubleshooting instructions for issues faced with a Linux SFTP server that has been configured as the target of a Report Output Action.

Procedure

Try the following steps if you face any issues with the configured Linux SFTP server:

  1. If the Report Output Action for the configured SFTP server fails, SSH to the SFTP server and try an SFTP connection locally to check whether the SFTP subsystem itself is working.

    Connect to the SFTP server:

    [Screenshot: SFTP_server.png]

  2. If the local connection fails, open /etc/ssh/sshd_config in an editor, for example: vi /etc/ssh/sshd_config
  3. Check that the file contains the following entry:

    # override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server

  4. If this entry does not exist (a line commented out with # does not count), add the two lines from Step 3 at the bottom of the file and save it.
  5. Restart the SSH service: service sshd restart
  6. Retry the SFTP connection.
  7. Make sure the SFTP port is not blocked by the Security Analytics server appliance firewall. SFTP runs inside SSH, so this is the sshd port (TCP 22 unless sshd_config sets a different Port). Update the iptables rules to allow it, and limit the rule to the addresses that need it rather than opening the port to all sources.
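The checks in steps 1 to 5, as an added example that is not part of the RSA page: it parses sshd_config for an active Subsystem line (a commented-out one does not count), appends the two lines from Step 3 when missing, validates the file with sshd -t before you restart the service, and runs a non-interactive SFTP probe. The sftp-server path is the RHEL/CentOS one from the page; the function names repair_sshd_config and sftp_probe are this example's own, not part of Security Analytics.

```python
import re
import subprocess
from pathlib import Path

# Path used on the original page (RHEL/CentOS OpenSSH layout); adjust it for
# distributions that ship sftp-server under /usr/lib/openssh instead.
SFTP_SERVER_BIN = "/usr/libexec/openssh/sftp-server"
SUBSYSTEM_LINES = [
    "# override default of no subsystems",
    f"Subsystem sftp {SFTP_SERVER_BIN}",
]

# An active Subsystem line: leading whitespace is allowed, a leading '#' is not.
_SUBSYSTEM_RE = re.compile(r"^\s*Subsystem\s+sftp\s+(\S+)", re.IGNORECASE)


def sftp_subsystem(config_text):
    """Return the sftp-server path from the first active 'Subsystem sftp' line,
    or None. A commented-out line, the usual cause of a failed local
    connection, is ignored."""
    for line in config_text.splitlines():
        m = _SUBSYSTEM_RE.match(line)
        if m:
            return m.group(1)
    return None


def ensure_sftp_subsystem(config_text):
    """Return (new_text, changed). Appends the two lines from Step 3 at the end
    of the file when no active entry exists; leaves the file alone otherwise."""
    if sftp_subsystem(config_text) is not None:
        return config_text, False
    body = config_text if (not config_text or config_text.endswith("\n")) else config_text + "\n"
    return body + "\n".join(SUBSYSTEM_LINES) + "\n", True


def repair_sshd_config(path="/etc/ssh/sshd_config"):
    """Apply ensure_sftp_subsystem to the file on disk, then ask sshd to validate
    it ('sshd -t' exits non-zero on a bad config). Only restart sshd when this
    returns True: restarting on a broken file can cost you remote access."""
    p = Path(path)
    text, changed = ensure_sftp_subsystem(p.read_text())
    if changed:
        p.write_text(text)
    return subprocess.run(["sshd", "-t", "-f", str(p)], capture_output=True).returncode == 0


def sftp_probe(user, host, port=22, timeout=5):
    """Non-interactive SFTP check, usable for the local test in Step 1 (host
    'localhost') or from the Security Analytics server. BatchMode=yes makes sftp
    fail instead of hanging on a password prompt, which is also how the Reporting
    Engine connects (no TTY); ConnectTimeout bounds the wait when the port is
    filtered by iptables. Returns (ok, stderr)."""
    cmd = ["sftp", "-oBatchMode=yes", f"-oConnectTimeout={timeout}",
           "-P", str(port), f"{user}@{host}"]
    r = subprocess.run(cmd, input="pwd\nquit\n", capture_output=True, text=True)
    return r.returncode == 0, r.stderr.strip()
```

Run repair_sshd_config() as root on the SFTP server, restart sshd only if it returned True, then call sftp_probe with the account the Report Output Action uses; a probe that fails from the Security Analytics server but succeeds on localhost points at the firewall rather than the SFTP subsystem.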

Definitions:

Strict parser: The strict parser (non-deprecated mode) expects the query syntax to be type correct:
For all text meta types, use quotes, for example username = 'user1'.
For all IP address, Ethernet address, and numeric meta types, do not use quotes, for example service = 80 && ip.src = 192.168.1.1.
For date and time meta types:
If the date and time is written as 'YYYY-MM-DD HH:MM:SS', use quotes.
If the date and time is written as a number such as 1448034064 (seconds since the epoch, Jan 1, 1970), do not use quotes.
Reporting queries are parsed with the strict parser when the configuration value of /sdk/config/query.parse is strict in the NWDB core services.

Non strict parser: The non strict parser (deprecated mode) does not expect the query syntax to be type correct, that is, the values for text and numeric meta types can be quoted or unquoted regardless of the meta type.

For example, username is a text meta type, so its values can be quoted or unquoted: both username = 'user1' and username = user1 are valid.

Reporting queries are parsed with the non strict parser when the configuration value of /sdk/config/query.parse is deprecated in the NWDB core services.

Note: The troubleshooting procedure for strict parser mode is applicable for Reporting Engine 10.6 and later.

Troubleshooting NWDB Rule Syntax On Fresh Installation

On a fresh installation of Security Analytics 10.6, the NWDB core services use the strict parser (non-deprecated mode) by default for reporting queries. RSA therefore recommends that you create rules that adhere to the strict parser (non-deprecated mode) syntax. For more information on NWDB query syntax, see NWDB Rule Syntax.

Troubleshooting NWDB Rule Syntax On Upgrade

When upgrading from Security Analytics 10.4.x or 10.5.x to Security Analytics 10.6.x, the NWDB core services continue to use the non strict parser (deprecated mode) for Reporting Engine queries. Existing queries therefore continue to execute successfully, and give results similar to previous versions, even if they do not adhere to the strict parser syntax. RSA nevertheless recommends that you create new rules that adhere to the strict parser syntax.

The use of strict (non-deprecated mode) or non strict (deprecated mode) parser by NWDB core services for reporting queries is controlled by /sdk/config/query.parse (Administration > Services > Select a service (NWDB core service) and in the Actions menu, select View > Explore).

If you plan to add a new NWDB core appliance on which Reporting Engine queries are executed to an existing infrastructure running in non strict (deprecated) mode, set /sdk/config/query.parse (Administration > Services > Select a service (NWDB core service) and in the Actions menu, select View > Explore) to deprecated on the new appliance until the whole Security Analytics instance and its associated services have moved to strict mode. Otherwise a rule that still uses the old quoting can succeed on the existing appliances and fail with a syntax error on the new one.

Troubleshooting Import Rules

This section provides troubleshooting instructions for issues faced while importing rules, reports, charts, and alerts that were exported from 10.4.x or 10.5.x and imported into 10.6.

Procedure

  1. Log in to Security Analytics.
  2. Navigate to Reports> Manage > Rules
  3. Click Rule Operations> Import 
    The Import Rule window is displayed.

When Reporting Engine 10.4.x or 10.5.x rules are imported into Reporting Engine 10.6.x, or when Live rules are deployed, the rules may contain syntax errors under the strict parser. Execution of such a rule fails with an error message, for example: "Error occured while fetching data from source "Concentrator - Concentrator [10.0.0.0]'. Error details: rule syntax error: expecting <IPv4 address> here: "'172.15.0.0'|| eth.src=00:13:C3:3B:BE:00)".
You have to correct the rule syntax based on the error message displayed, or switch the core device to non strict mode (deprecated mode).
In the example above, the strict parser expects an unquoted IPv4 address, so the fix is ip.src = 172.15.0.0 rather than ip.src = '172.15.0.0'. In general, quote all text meta values (username = 'user1') and leave IP address, Ethernet address, and numeric values unquoted.
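A linter for the strict parser rules in the Definitions section and for the import error shown above, as an added example that is not part of the RSA page or of Security Analytics: lint_strict reports each where-clause term the strict parser would reject, and to_strict rewrites the quoting so the rule is type correct. The META_TYPES table is constructed for the example (real meta keys and their types come from the Concentrator index), and the query grammar covered is only the comparison terms joined by && and || that the page shows, not the full NWDB language.

```python
import re

# Constructed meta-type table for the example. On a real deployment the key
# names and their types come from the Concentrator's index, not from here.
META_TYPES = {
    "username": "text",
    "user.dst": "text",
    "service": "number",
    "tcp.dstport": "number",
    "ip.src": "ip",
    "ip.dst": "ip",
    "eth.src": "mac",
    "time": "time",
}

# One comparison term: key, operator, value (quoted string or bare token).
# Parentheses, && and || are left untouched and end a bare token.
_TERM = re.compile(
    r"""(?P<key>[A-Za-z][\w.]*)\s*
        (?P<op>!=|<=|>=|=|<|>)\s*
        (?P<val>'[^']*'|"[^"]*"|[^\s()&|]+)""",
    re.VERBOSE,
)
_TIME_TEXT = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
_IPV4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}")
_MAC = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def _is_quoted(val):
    return len(val) >= 2 and val[0] in "'\"" and val[-1] == val[0]


def _strict_value(mtype, val):
    """Return the value as the strict parser wants it for this meta type, or
    raise ValueError if the bare value cannot be typed at all."""
    inner = val[1:-1] if _is_quoted(val) else val
    if mtype == "text":
        return "'" + inner + "'"          # text meta: always quoted
    if mtype == "time":
        if inner.isdigit():               # seconds since the epoch: unquoted
            return inner
        if _TIME_TEXT.match(inner):       # 'YYYY-MM-DD HH:MM:SS': quoted
            return "'" + inner + "'"
        raise ValueError(f"time value {val!r} is neither epoch seconds nor YYYY-MM-DD HH:MM:SS")
    # ip, mac, number: unquoted, and the bare token must actually be one
    valid = {
        "number": lambda s: s.isdigit(),
        "ip": lambda s: _IPV4.fullmatch(s) is not None and all(int(o) <= 255 for o in s.split(".")),
        "mac": lambda s: _MAC.fullmatch(s) is not None,
    }[mtype]
    if not valid(inner):
        raise ValueError(f"{val!r} is not a valid {mtype}")
    return inner


def lint_strict(query, types=META_TYPES):
    """Return a list of (key, value, message) for every term the strict parser
    would reject; an empty list means the query is type correct."""
    findings = []
    for m in _TERM.finditer(query):
        key, val = m.group("key"), m.group("val")
        mtype = types.get(key)
        if mtype is None:
            findings.append((key, val, "unknown meta key"))
            continue
        try:
            fixed = _strict_value(mtype, val)
        except ValueError as exc:
            findings.append((key, val, str(exc)))
            continue
        if fixed != val:
            findings.append((key, val, f"{mtype} meta: expected {fixed}"))
    return findings


def to_strict(query, types=META_TYPES):
    """Rewrite the quoting of every typed term so the query passes the strict
    parser. Unknown keys are left as they are; untypeable values raise."""
    def fix(m):
        key, op, val = m.group("key"), m.group("op"), m.group("val")
        mtype = types.get(key)
        if mtype is None:
            return m.group(0)
        return f"{key} {op} {_strict_value(mtype, val)}"
    return _TERM.sub(fix, query)
```

Running lint_strict over the where clause from the error message above flags exactly the quoted IP the Concentrator complained about, and to_strict produces the corrected clause; run it over an exported rule set before importing into 10.6 rather than after the rules start failing.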
