|Applies To||RSA Product Set: NetWitness Endpoint (ECAT)|
RSA Version/Condition: 4.1.x, 4.2.x, 4.3.x, 4.4.x
|Issue||When searching for an agent, it never appears in the Machines list of the UI, or it appears and then disappears, and when searching by agentID the ID constantly rotates over time. A machine may never appear at all in the GUI when searched for; this may look like a connection issue, when in fact there is no problem connecting to the agent.|
|Cause||A gold image or VM template was created at a customer site with the ECAT agent pre-installed as part of the deployment. This image is pushed out to X number of machines, which in turn results in many agents that share the same agentID in the database. The scan4 files get merged together, causing incomplete agent data, agents that do not appear in the list of machines when searched for, and database entries for the affected agents that are unreliable for investigations, since data from different machines is mixed together.|
Gold images with the agent pre-installed are not currently supported. This issue is permanently fixed in the new 11.3 code, which automatically detects a different VM and rotates the agent ID in response.
Identifying Duplicate Agents
NOTE: Be careful interpreting the results; for instance, a single hostname change could be legitimate if hostnames are being changed in the environment. Additionally, pay attention to the OldMachineName field, because it may contain entries of 'Unknown'. These indicate new machines that have been added and should not be included, because new entries are expected to appear over time.
ADDITIONAL: Look for the same hostname repeating often; this is a sure indicator of a duplicate agentID. The ID will be the same, and the hostname will bounce back and forth. It may cycle through several hostnames, but the agentID will always be identical for these hostnames.
How to remove the duplicate AgentIDs
If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and reference this article number for further assistance.
|Notes||Be careful when interpreting the results of the script. When comparing the agentIDs, single hostname changes that do not repeat over multiple days are probably not worth considering. The important results are many agents with the same ID (a dead giveaway) or repeated changes to the hostname.|
If the hostname only changes once for an agentID and not again, it was likely a legitimate action by a system administrator to modify the hostname.
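The following is an added example of the interpretation rules described under "Identifying Duplicate Agents" and in the Notes above, expressed as a small Python script. It is not the RSA script referred to in this article and does not query the ECAT database; it assumes a machine-history export has already been pulled into rows of (agentID, MachineName, OldMachineName, report time), and the sample rows are constructed for illustration. Rows whose OldMachineName is 'Unknown' are skipped as newly added machines, an agentID whose hostname changes exactly once is reported as a probable administrator rename, and an agentID whose hostname changes repeatedly or bounces back to an earlier name is flagged as a likely duplicate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real NetWitness Endpoint data), shaped like a
# machine-history export with the fields the article discusses:
# (agentID, MachineName, OldMachineName, timestamp of the report).
T0 = datetime(2019, 3, 1, 8, 0)


def _at(days, hours=0):
    return T0 + timedelta(days=days, hours=hours)


SAMPLE_ROWS = [
    # cloned from a gold image: three hosts keep reporting under one agentID
    ("1111-aaaa", "WS-FIN-01", "WS-FIN-01", _at(0)),
    ("1111-aaaa", "WS-FIN-02", "WS-FIN-01", _at(0, 1)),
    ("1111-aaaa", "WS-FIN-01", "WS-FIN-02", _at(0, 2)),
    ("1111-aaaa", "WS-FIN-03", "WS-FIN-01", _at(1)),
    ("1111-aaaa", "WS-FIN-02", "WS-FIN-03", _at(2)),
    # legitimate one-off rename by an administrator
    ("2222-bbbb", "LAPTOP-OLD", "LAPTOP-OLD", _at(0)),
    ("2222-bbbb", "LAPTOP-NEW", "LAPTOP-OLD", _at(1)),
    ("2222-bbbb", "LAPTOP-NEW", "LAPTOP-NEW", _at(2)),
    # newly enrolled machine: OldMachineName is 'Unknown', so it is skipped
    ("3333-cccc", "SRV-WEB-07", "Unknown", _at(1)),
    # ordinary agent whose hostname never changes
    ("4444-dddd", "SRV-DB-01", "SRV-DB-01", _at(0)),
    ("4444-dddd", "SRV-DB-01", "SRV-DB-01", _at(1)),
]


def group_by_agent(rows):
    """Order rows by time and group them per agentID, dropping 'Unknown' rows."""
    history = defaultdict(list)
    for agent_id, name, old_name, seen_at in sorted(rows, key=lambda r: r[3]):
        if old_name == "Unknown":
            continue  # a new machine being added; expected over time
        history[agent_id].append((name, old_name, seen_at))
    return history


def classify_agent(events):
    """Summarise one agentID's hostname history.

    Returns the verdict, the ordered distinct hostnames seen, the number of
    hostname-change events and whether the hostname ever bounced back to an
    earlier name. No change is 'stable'; exactly one change is 'single-rename'
    (probably an administrator renaming the host); repeated changes, or a
    hostname cycling back to one already seen, is 'likely-duplicate'.
    """
    hostnames = []
    changes = 0
    bounced = False
    for name, old_name, _seen_at in events:
        if old_name != name:  # a hostname-change event
            changes += 1
            if name in hostnames:  # cycled back to an earlier hostname
                bounced = True
        if name not in hostnames:
            hostnames.append(name)
    if changes == 0:
        verdict = "stable"
    elif changes == 1 and not bounced:
        verdict = "single-rename"
    else:
        verdict = "likely-duplicate"
    return {"verdict": verdict, "hostnames": hostnames,
            "changes": changes, "bounced": bounced}


def find_duplicate_agent_ids(rows):
    """Map every agentID that has usable history to its classification."""
    return {agent: classify_agent(events)
            for agent, events in group_by_agent(rows).items()}


if __name__ == "__main__":
    for agent_id, info in find_duplicate_agent_ids(SAMPLE_ROWS).items():
        print(agent_id, info["verdict"], info["changes"],
              " -> ".join(info["hostnames"]))
```

Running the script against the constructed rows reports 1111-aaaa as a likely duplicate (its hostname cycles through three names and returns to one it already used), 2222-bbbb as a single rename, and 4444-dddd as stable; 3333-cccc does not appear because its only row carries an OldMachineName of 'Unknown'. On a real export, the agentIDs reported as likely duplicates are the ones to review before any removal step.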