Reporting: Troubleshooting

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.
Version 9

This section provides troubleshooting instructions for issues faced when using the Reporting module in NetWitness Suite.

Troubleshooting Issues Before Configuring SFTP Server


Try the following steps if you face any issues with the configured Linux SFTP server:

  1. If the Report Output Action for the configured SFTP server fails, you must SSH to the SFTP server and try to connect locally to check whether SFTP is working.

    Connect to SFTP server

  2. If the local connection fails, open the sshd_config file: vi /etc/ssh/sshd_config
  3. Check for the entry in the file:

    # override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server

  4. If this entry does not exist, add the two lines shown in Step 3 at the bottom of the file and save it.
  5. Restart the service from the SSH session: service sshd restart
  6. Retry the SFTP connection.
  7. Make sure the SFTP port is not blocked by the SA server appliance firewall. Update the iptables rules to allow the SFTP port.
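
Steps 2 to 4 as an idempotent check, added here as an example and not part of RSA's documentation. The function names, the .bak backup and the suggested `sshd -t` validation are choices made for this example; the appended lines are the ones shown in Step 3.

```shell
#!/bin/sh
# Added example, not RSA's script: Steps 2-4 as an idempotent check.
# Function names and the .bak backup are choices made for this example.

# Print the first active (uncommented) "Subsystem sftp" line, if any.
# sshd_config keywords are case-insensitive, hence grep -i.
active_sftp_subsystem() {
    grep -Ei '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$1" | head -n 1
}

# Returns 0 = active entry already present (file untouched),
#         1 = Step 3 lines appended, 2 = file unreadable or write failed.
ensure_sftp_subsystem() {
    cfg=$1
    [ -r "$cfg" ] || return 2
    if [ -n "$(active_sftp_subsystem "$cfg")" ]; then
        # Never add a second entry: sshd refuses to start when the same
        # subsystem name is defined twice.
        return 0
    fi
    cp -p "$cfg" "$cfg.bak" || return 2      # keep a copy before editing
    printf '\n# override default of no subsystems\nSubsystem sftp /usr/libexec/openssh/sftp-server\n' \
        >> "$cfg" || return 2
    return 1
}

# Run as: sh script.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
    rc=0
    ensure_sftp_subsystem "$1" || rc=$?
    case $rc in
        0) echo "active entry found: $(active_sftp_subsystem "$1")" ;;
        1) echo "entry appended (backup: $1.bak)"
           echo "validate with 'sshd -t -f $1', then: service sshd restart" ;;
        *) echo "cannot read or update $1" >&2; exit 2 ;;
    esac
fi
```

A commented-out entry does not count as present, and an active entry that points at a different SFTP server binary is left alone rather than duplicated.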


Strict parser: The strict parser (non-deprecated) expects the query syntax to be type correct.

  • For all text meta types, use quotes. For example, username = 'user1'.
  • For all IP address, Ethernet address, and numeric meta types, do not use quotes. For example, service = 80 && ip.src =
  • For date and time meta types:
      • If the date and time format is 'YYYY-MM-DD HH:MM:SS', use quotes.
      • If the date and time format is 1448034064 (number of seconds since EPOCH (Jan 1, 1970)), do not use quotes.

The reporting queries are parsed using the strict parser when the configuration value of /sdk/config/query.parse is strict in NWDB core services.

Non-strict parser: The non-strict parser (deprecated) does not expect the query syntax to be type correct, i.e., the values for text and numeric meta types can be quoted or unquoted regardless of the meta type.

For example, username is a string meta type, hence its values can be quoted or unquoted. So, both username = 'user1' and username = user are valid.

The reporting queries are parsed using the non-strict parser when the configuration value of /sdk/config/query.parse is deprecated in NWDB core services.

Note: The NWDB rule where clause is appropriately quoted if the syntax has an invalid quote. For example, in case of an invalid meta or a missing separator, the status and the error message are updated appropriately.
