000035447 - After upgrading to RSA Security Analytics 10.6.4.0 the Broker appears to only see data from one set of Concentrators/Decoders

Document created by RSA Customer Support Employee on Aug 18, 2017
Version 1

Article Content

Article Number: 000035447
Applies To
RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Broker, User Interface, Malware Analysis
Platform: CentOS
O/S Version: EL6
Issue
After upgrading to RSA Security Analytics 10.6.4.0, the following may be seen:
  • All Concentrators except one are missing or are offline in the Broker's configuration page.
  • All Concentrators are visible on the configuration page, but they may show as consuming with a rate of 0.
  • When performing Investigations or running reports or alerts against the Broker, data appears to be missing. However, when the same queries are run against the individual Concentrators, all the data is present.
  • Malware Analysis results have dropped significantly due to the Broker not being able to get full results from the connected Concentrators.
Cause
The cause of this issue is a fault found within the nwbroker service.
The nwbroker service can be found on the following appliances:
  • Security Analytics servers
  • Independent Broker servers
  • Malware Analysis servers
Resolution
To Determine if Patch is Required
To determine if the Broker patch is required for your environment, follow these steps:
1. SSH into any appliance that is running the Broker service (UI, independent Broker, or Malware)
ssh root@<ip address>

2. Query the RPM database to determine if the affected nwbroker package is currently installed.
rpm -qa | grep -i nwbroker

3. If the output matches nwbroker-10.6.4.0-7147.5.dbf44c6.el6.x86_64.rpm, follow the instructions below to apply the patch.
nwbroker-10.6.4.0-7147.5.dbf44c6.el6.x86_64

4. If the version returned is newer than the version mentioned above, no patch is required.
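
The check in steps 2 to 4 as a script (an added example, not RSA's code): classify_nwbroker compares a package string from the RPM database against the affected build named above. The function names, the status names and the use of rpm -q nwbroker in place of rpm -qa | grep are assumptions of this example; a build older than the affected one is not covered by this article and is reported as "older".

```shell
#!/bin/sh
# Added example, not RSA's script. Classifies an nwbroker package string
# against the affected build named in this article.

# Version-release of the affected package, taken from the article.
AFFECTED="10.6.4.0-7147.5"

# classify_nwbroker <rpm query output>
# Prints one of: affected | newer | older | not-installed
#   affected -> apply the hot fix; newer -> no patch required;
#   older    -> not a 10.6.4.0 build, outside the scope of the article.
classify_nwbroker() {
    case $1 in
        nwbroker-[0-9]*) ;;
        *) echo "not-installed"; return 0 ;;
    esac
    echo "$1" | awk -v affected="$AFFECTED" '
    {
        sub(/^nwbroker-/, "")
        split($0, p, /[-.]/)            # e.g. 10 6 4 0 7147 5 dbf44c6 el6 x86_64
        m = split(affected, a, /[-.]/)  # 10 6 4 0 7147 5
        # Compare version and build fields numerically, left to right.
        for (i = 1; i <= m; i++) {
            if (p[i] + 0 > a[i] + 0) { print "newer"; exit }
            if (p[i] + 0 < a[i] + 0) { print "older"; exit }
        }
        print "affected"
    }'
}

# check_local: query the RPM database on this appliance, if rpm exists.
check_local() {
    pkg=""
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q nwbroker 2>/dev/null) || pkg=""
    fi
    classify_nwbroker "$pkg"
}

# Constructed sample inputs (the two package names are the ones in the article).
for sample in \
    "nwbroker-10.6.4.0-7147.5.dbf44c6.el6.x86_64" \
    "nwbroker-10.6.4.1-7152.4.5f4d879.el6.x86_64" \
    "package nwbroker is not installed"
do
    printf '%-50s %s\n' "$sample" "$(classify_nwbroker "$sample")"
done
printf '%-50s %s\n' "this host" "$(check_local)"
```
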
To Apply The Patch
Fixing this issue requires downloading a hot fix version of the nwbroker package.
Note: This package is required if you upgraded to 10.6.4.0 before August 17th, 2017.
This package can be found on RSA Link on the RSA Security Analytics 10.6.4.0 Downloads page.
Follow these steps to apply the new Broker rpm package.
1. Download the package from the RSA Security Analytics 10.6.4.0 Downloads page on RSA Link.
2. Upload the RPM via secure copy protocol to all appliances that contain a Broker service (UI server, standard Broker server, & Malware Analysis server).
Example Syntax:
scp nwbroker-10.6.4.1-7152.4.5f4d879.el6.x86_64.rpm <UI server ip>:/root

3. Stop the nwbroker service on the server. Wait to see the stop/waiting message before continuing.
stop nwbroker

4. Back up the current NwBroker startup file to a safe location. In this example it is being backed up to the /root folder.
cp /usr/sbin/NwBroker /root/NwBroker.backsup

5. Install the new nwbroker RPM package on the server. Make sure you are in the location where you have the new nwbroker RPM saved on the server.
rpm -Fvh nwbroker-10.6.4.1-7152.4.5f4d879.el6.x86_64.rpm

6. Start the nwbroker service and confirm functional status within the UI.
start nwbroker

7. If there are any errors or issues, please contact RSA Customer Support for further assistance.
