Context Hub: Troubleshooting

Document created by RSA Information Design and Development on Sep 15, 2017Last modified by RSA Information Design and Development on Jun 20, 2019
Version 15Show Document
  • View in full screen mode
 

This topic provides information about possible issues that NetWitness Platform users may encounter when setting up their Context Hub service in NetWitness Platform.

                                   
ProblemSolutions

Prefetch for list fails if the list is created in append mode. The following error message is displayed in logs indicating that, entries in list exceeds the max allowed.

Error setting data source entries com.rsa.asoc.contexthub.exception.ContextHubException: total.entries.exceed.max

Also, Health & Wellness sets the stat - Contexthub.Datasource.Health.Data-Sources-Health to Unhealthy and displays the names of the lists for which prefetch has failed.

For example, number of entries in the list are 50001 and number of records in the CSV file are 50001 (user did not change the csv since last prefetch.). Upper limit on number of entries in list is 100,000. Now on prefetch, Context Hub will try to append 50001 entries to the list but since 50,001 + 50,001 > 100,000, prefetch fails.

You should add only those entries in the .csv file which they wish to append to the existing .csv file. If, you do not want to append any entries to the list then perform one of the options, as applicable:

  • If you created the list with headers: remove all rows from the csv except the header.
  • If you created list without headers: you should have 0 rows in csv.

The Respond service is not able to send incidents to Archer with third party signed certificates.

As a workaround, you need to run a command to add a PEM certificate to the Respond trust store

Run the following command on the Respond host:

security-cli-client --add-trusts -s respond-server -x <pem_certfilename> -u <username> -k <password>

Where:

  • <pem_certfilename> is the name of the certificate file.
  • <username> and <password> are your NetWitness Platform administrator credentials.

SSL handshake with Archer certificate fails while adding it as a data source.

Use an archer generated certificate with the Trust All Certificates option configured.

Pivot to Investigate option on the Respond page does not navigate to the correct link.

When you stop and restart the RabbitMQ server, the Pivot to Investigate option available on the respond screen is not visible. And the context panel for Pivot to Investigate reopens the same page. You need to restart the jetty service on the NetWitness Server, login to the NetWitness. Server Host and enter the service jetty restart command.

When you import a list with missing quotes such as "172.16.0.0, the list is saved without any data to display. This is because of the Apache bug (CSV-141), which does not parse CSV files with incorrect formats.

Import a list with correct quotes to avoid displaying an empty file. For example, “172.16.0.0”, “host.mycompany.com” and so on.

Increasing the limit settings for Alerts and Incidents leads to lookup error. By default, the limit settings to view number of Alerts and Incidents is set to 50. If the limit is increased, the looked-up meta for alerts and incidents may lead to lookup error. This happens due to an internal database restriction.

To limit and view Alerts and Incidents to 50.

Previous Topic:Context Hub Lists Tab
You are here
Table of Contents > Troubleshooting

Attachments

    Outcomes