This section provides troubleshooting instructions for issues faced when using the Reporting module in NetWitness Suite.
Try the following steps if you face any issues with the configured Linux SFTP server:
If the Report Output Action for the configured SFTP server fails, SSH to the SFTP server and try to connect locally to check whether SFTP is working.
Connect to the SFTP server:
- If the local connection fails, open the sshd_config file: vi /etc/ssh/sshd_config
Check for the following entry in the file:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
- If this entry does not exist, add the two lines shown above at the bottom of the file and save it.
- Restart the service from the SSH session: service sshd restart
- Retry the SFTP connection.
- Make sure the SFTP port is not blocked by the SA server appliance firewall. Update the iptables rules to allow the SFTP port.
Strict parser: The strict parser (non-deprecated) expects the query syntax to be type correct.
For all text meta types, use quotes. For example, username = 'user1'.
For all IP address, Ethernet address, and numeric meta types, do not use quotes. For example, service = 80 && ip.src = 192.168.1.1.
For date and time meta types:
- If the date and time format is 'YYYY-MM-DD HH:MM:SS', use quotes.
- If the date and time format is 1448034064 (number of seconds since the epoch, Jan 1, 1970), do not use quotes.
The reporting queries are parsed using the strict parser when the configuration value of /sdk/config/query.parse is strict in NWDB core services.
Non-strict parser: The non-strict parser (deprecated) does not expect the query syntax to be type correct, i.e. the values for text and numeric meta types can be quoted or unquoted regardless of the meta type.
For example, username is a string meta type, and its values can be quoted or unquoted. So both username = 'user1' and username = user are valid.
The reporting queries are parsed using the non-strict parser when the configuration value of /sdk/config/query.parse is deprecated in NWDB core services.
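The quoting rules above can be checked before a report query is moved from the deprecated parser to the strict one. The following is an added example, not NetWitness code: a simplified lint that only handles `=` comparisons joined by `&&`, with an assumed meta-type map (the `time` key and the `lint_strict` name are hypothetical).

```python
import re

# Assumed meta-key types (illustrative; a real deployment defines its own keys).
META_TYPES = {
    "username": "text",
    "service": "numeric",
    "ip.src": "ip",
    "time": "time",  # hypothetical date/time meta key
}

CLAUSE = re.compile(r"^\s*([\w.]+)\s*=\s*(.+?)\s*$")
DATETIME = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def lint_strict(query):
    """Return (clause, problem) pairs that break the strict quoting rules."""
    problems = []
    # Simplification: only '=' comparisons joined by '&&' are handled.
    for clause in query.split("&&"):
        clause = clause.strip()
        m = CLAUSE.match(clause)
        if not m:
            problems.append((clause, "unrecognised clause"))
            continue
        key, value = m.groups()
        quoted = len(value) >= 2 and value[0] == value[-1] == "'"
        inner = value[1:-1] if quoted else value
        kind = META_TYPES.get(key)
        if kind is None:
            problems.append((clause, "unknown meta key"))
        elif kind == "text" and not quoted:
            problems.append((clause, "text value must be quoted"))
        elif kind in ("numeric", "ip") and quoted:
            problems.append((clause, "numeric/IP value must not be quoted"))
        elif kind == "time" and DATETIME.match(inner) and not quoted:
            problems.append((clause, "formatted date/time must be quoted"))
        elif kind == "time" and inner.isdigit() and quoted:
            problems.append((clause, "epoch seconds must not be quoted"))
    return problems


if __name__ == "__main__":
    # Constructed sample queries.
    for q in ("username = 'user1' && service = 80 && ip.src = 192.168.1.1",
              "username = user1 && service = '80'",
              "time = 2015-11-20 15:41:04 && time = '1448034064'"):
        print(q, "->", lint_strict(q) or "ok")
```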