Investigate: Troubleshooting Investigate

Document created by RSA Information Design and Development on Mar 27, 2018Last modified by RSA Information Design and Development on Apr 25, 2019
Version 6Show Document
  • View in full screen mode

This section provides information about possible issues when using NetWitness Investigate.

Navigate View and Events View Issues


MessageNot indexed; will experience longer than usual load times. in the Manage Meta Groups dialog.

Meta keys in the Manage Meta Groups dialog are marked by a red exclamation point, and the error message is displayed. This can occur when investigating a Broker or Decoder while adding a meta group with meta keys that are not indexed in the index file or the custom index file for the service.

For a Broker, it could mean that the Broker has not begun aggregating data from a Concentrator. In this case the Broker will not have the contents of the custom index file from the aggregate services and the keys will not be indexed.

For a Decoder, it means that the meta keys are not indexed in the Decoder index or custom index file.


To fix the issue on a Broker, log out, log in, and restart the Broker service so that it can aggregate the meta key information from connected Concentrators. To fix the issue on a Decoder, edit the custom index file to index the meta keys, log out, log in, and restart the Decoder service.



When downloaded from the Event Reconstruction view, logs and metadata are always in text format irrespective of the format selected in the Events view.


When you download metadata or a log in the Event Reconstruction view, the format that you selected in the Events view is not used. The exported data is always in text format.


Download metadata and logs from the Events view if you want to use a format other than text format.


Event Analysis View Issues


MessageInvestigation Profiles/OOTB column groups are not present in Event Analysis
IssuePost upgrade to RSA NetWitness v11.1, the default column groups - Endpoint Analysis, Outbound SSL and Outbound Http are not added under column groups. Also, few of the Investigation Profiles are missing post upgrade.

It is observed that this issue occurs only when you have created a custom column group with the name which is same as one of the new 11.1 OOTB custom column group name. For example, if you create a custom column group in 11.0 with name RSA Endpoint Analysis then after upgrade to 11.1. Due to the same name already existing in 11.1, OOTB column groups and OOTB profiles will not be available in the UI.

To fix this, change the name of custom column group to something other than one of the OOTB column groups and restart the jetty server by using the following command on the NetWitness server:

systemctl restart jetty


MessageApplicable for hosts with 4.x Endpoint agents installed, please install the NetWitness Endpoint Thick Client.
IssueWhen you click Pivot to Endpoint in the Event Analysis view, no data is displayed and the message is displayed.
ExplanationVersion 4.4 of the NetWitness Endpoint Thick Client must be installed on the same server, the NWE meta keys must exist in the table-map.xml file on the Log Decoder, and the index-concentrator-custom.xml file on the Concentrator. The NWE Thick Client is a Windows only application. Complete setup instructions are provided in the NetWitness Endpoint User Guide for Version 4.4.


MessageEvent Analysis requires all core services to be NetWitness 11.1. Connecting prior versions of services to the 11.1 NetWitness Server results in limited functionality (see "Investigate in Mixed Mode" in the Physical Host Upgrade Guide).
IssueWhen attempting to investigate a service that has not been updated to Version 11.1 in the Event Analysis view, the informational message is displayed.
ExplanationWhen an analyst opens the Event Analysis view in mixed mode (that is, some services are upgraded to 11.1 and later, and some are still on 11.0.0.x or 10.6.x), Role-Based Access (RBAC) is not applied uniformly. This affects viewing and downloading content, and validation of filters in the interactive breadcrumb. You will see this informational message when you open Event Analysis. As you select a service, services that are not up to date are displayed in a red box, with the message that the service is not up to date. When your administrator has upgraded all connected services to 11.1 and later, these features work as expected.


MessageForbidden. You cannot access the requested page.
IssueWhen attempting to access the Event Analysis view, the view opens with the message.
ExplanationYour administrator has prevented access to the Event Analysis view using role and permissions.



Insufficient permissions for the requested data.

IssueWhile attempting to access an event in Event Analysis, the message is displayed.
ExplanationYou have entered an event ID for an event that you do not have permission to view. The administrator may have placed some restrictions to limit access by role and permissions.


MessageInvalid session ID: <<eventId>>
IssueNo sessionId matches the sessionId that you queried.
ExplanationThe reason for an invalid session ID can vary. Perhaps you edited the session ID manually, and no such session exists. Another case may be when you query a Broker, and the aggregated data has not been refreshed, you may see this error for a session that no longer exists.


MessageNo text data was generated during content reconstruction. This could mean that the event data was corrupt/invalid, or that an administrator has disabled the transmission of raw endpoint events in the Endpoint server configuration. Check the other reconstruction views.
IssueWhen you reconstruct an event as text in the Event Analysis view, no data is displayed and the message is displayed.
ExplanationIf you do not see the raw text in other Event Analysis views or Events view reconstructions, and you believe the data is not corrupted or invalid, your administrator has likely disabled transmission of raw endpoint events on the NetWitness Endpoint server. Contact your administrator for additional information.



Rule Syntax error: Unrecognized key "<meta key or meta entity name>"

Syntax error: Unrecognized key "<meta key or meta entity name>"


While querying a service, the matching events are not listed and the message is displayed in the query console and the Event Analysis view.

error message due to a misconfigured entity

ExplanationThe query you entered is querying a meta entity that is not configured properly. All upstream devices connected to the Broker being queries should have the same entity configuration. This error indicates that the Broker is operating with mismatched entity definitions. Ask your administrator to review the configuration described in "Index Customization" in the Core Database Tuning Guide.



Session is unavailable for viewing.

IssueWhile querying an event ID, the reconstruction is not displayed and the message is displayed.
ExplanationThe query you entered is trying to look at restricted data, for example, if you are allowed to see only log data and you are using a link to network data .


MessageThe session id is too large to be handled:<<eventId>
IssueThe session id that you typed in, or got from the Events view or Navigate view is too large.
ExplanationIf you manually typed the sessionId or edited a sessionId in the Event Analysis view, you may have created an integer that is too large for Event Analysis to process.


You are here
Table of Contents > Troubleshooting Investigate