This section provides information about possible issues when using NetWitness Investigate.
Event Analysis Issues
|Message||Investigation Profiles/OOTB column groups are not present in Event Analysis|
|Issue||Post upgrade to RSA NetWitness v11.1, the default column groups - Endpoint Analysis, Outbound SSL and Outbound Http are not added under column groups. Also, few of the Investigation Profiles are missing post upgrade.|
It is observed that this issue occurs only when you have created a custom column group with the name which is same as one of the new 11.1 OOTB custom column group name. For example, if you create a custom column group in 11.0 with name RSA Endpoint Analysis then after upgrade to 11.1. Due to the same name already existing in 11.1, OOTB column groups and OOTB profiles will not be available in the UI.
To fix this, change the name of custom column group to something else and restart the jetty server by using the following command on the NetWitness server:
systemctl restart jetty
|Message||Applicable for hosts with 4.x Endpoint agents installed, please install the NetWitness Endpoint Thick Client.|
|Issue||When you click Pivot to Endpoint in the Event Analysis view, no data is displayed and the message is displayed.|
|Explanation||Version 4.4 of the NetWitness Endpoint Thick Client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the NWE meta keys must exist in the index-concentrator-custom.xml file. The NWE Thick Client is a Windows only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.|
|Message||Event Analysis requires all core services to be NetWitness 11.1. Connecting prior versions of services to the 11.1 NetWitness Server results in limited functionality (see "Investigate in Mixed Mode" in the Physical Host Upgrade Guide).|
|Issue||When attempting to investigate a service that has not been updated to Version 11.1 in the Event Analysis view, the informational message is displayed.|
|Explanation||When an analyst opens the Event Analysis view in mixed mode (that is, some services are upgraded to 11.1 and some are still on 11.0.0.x or 10.6.x), Role-Based Access (RBAC) is not applied uniformly. This affects viewing and downloading content, and validation of filters in the interactive breadcrumb. You will see this informational message when you open Event Analysis. As you select a service, services that are not up to date are displayed in a red box, with the message that the service is not up to date. When your administrator has upgraded all connected services to 11.1, these features work as expected.|
|Message||Forbidden. You cannot access the requested page.|
|Issue||When attempting to access the Event Analysis view, the view opens with the message.|
|Explanation||Your administrator has prevented access to the Event Analysis view using role and permissions.|
Insufficient permissions for the requested data.
|Issue||While attempting to access an event in Event Analysis by any means, the reconstruction is not displayed and the message is displayed.|
|Explanation||You have entered an event ID for an event that you do not have permission to view. The administrator may have placed some restrictions to limit access by role and permissions.|
|Message||Invalid session ID: <<eventId>>|
|Issue||No sessionId matches the sessionId that you queried.|
|Explanation||The reason for an invalid session ID can vary. Perhaps you edited the session ID manually, and no such session exists. Another case may be when you query a Broker, and the aggregated data has not been refreshed, you may see this error for a session that no longer exists.|
|Message||No text data was generated during content reconstruction. This could mean that the event data was corrupt/invalid, or that an administrator has disabled the transmission of raw endpoint events in the Endpoint server configuration. Check the other reconstruction views.|
|Issue||When you reconstruct an event as text in the Event Analysis view, no data is displayed and the message is displayed.|
|Explanation||If you do not see the raw text in other Event Analysis views or Events view reconstructions, and you believe the data is not corrupted or invalid, your administrator has likely disabled transmission of raw endpoint events on the NetWitness Endpoint server. Contact your administrator for additional information.|
Session is unavailable for viewing.
|Issue||While querying an event ID, the reconstruction is not displayed and the message is displayed.|
|Explanation||The query you entered is trying to look at restricted data, for example, if you are allowed to see only log data and you are using a link to network data that you were allowed to see yesterday.|
|Message||The session id is too large to be handled:<<eventId>|
|Issue||The sessionId integer that you typed in, edited, or got from the Events view or Navigate view is too large.|
|Explanation||If you manually typed the sessionId or edited a sessionId in the Event Analysis view, you may have created an integer that is too large for Event Analysis to process.|
While creating a filter in the Event Analysis view, you cannot enter a complex expression using the AND or OR operator in Query Builder.
|Issue||The query builder in the Event Analysis view supports only simple expressions in the form <meta key><operator><meta value>.|
If you want to enter a filter that uses the AND or OR operator, you need to enter the query it from the Navigate view or Events view and then open it in the Event Analysis view. You can enter some complex expressions as two separate filters in the Event Analysis view. The filters will be AND'd when you execute the query.
Hosts View Issues
|Message||An error has occurred. The Endpoint Server may be offline or inaccessible.|
|Issue||When attempting to access the Hosts or Files view, the view opens with the message.|
Endpoint Server or Nginx Server is not running. Check the status of the Endpoint Server under Admin > Service or check if the Endpoint Server host IP address is registered with the Admin Server. For more information, see the RSA NetWitness Suite Physical Host Installation Guide or RSA NetWitness Suite Virtual Host Installation Guide. If the service is not running, start the Endpoint Server.
The Hosts and Files views do not load in the Safari browser.
When you open the Ember pages in the Safari browser with a non-trusted SSL certificate, the Hosts and Files views do not load. To load the views.
1. Click the Show Certificate pop-up menu.
2. Enable the Always trust NetWitness when connecting to <IP Address> checkbox.
3. Click Continue.
4. Enter your username and password.
5. Click Update Settings.
|Message||No process information was found.|
|Issue||When attempting to access the Process or Libraries tab in the Host Details view, the detailed host information is not available, and the view opens with the message.|
Scan data is not available due to any of the following reasons:
|Behavior||Meta values will take time to load.|
|Issue||Meta values are not set to index by values.|
During investigation, while pivoting to the Navigate or Event Analysis view from the Files view, if the filename or hash (SHA256 and MD5) are not set to index by values, the matching results take time to load as the Concentrator must generate the index by accessing the meta database and retrieving value of the meta for each event. You have to manually index the values before pivoting.
|Issue||Filtering files takes a longer time to load results on the UI.|
In the Files view, while filtering files with the Contains operator, the results takes a few seconds to load on the UI. You must use at least one indexed field with the Equals operator while filtering the files.