000035862 - Real Time Rules not seen in Admin UI and-or Mitigator is not running in RSA Web Threat Detection

Document created by RSA Customer Support Employee on Oct 11, 2018
Version 1

Article Content

Article Number: 000035862
Applies To: RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: 5.x, 6.x
 
Issue: Symptoms can be one or more of the following:
  • No real-time rules are seen in the Admin UI
  • Mitigator is not running
  • Rules and Alerts are not firing
Cause: It is possible that a formatting character is missing or that the mitigator.rules file is corrupt.
Resolution

1.  Go to Varz and verify if Mitigator is running. 
2. Go to /var/log/messages and look for an error similar to the one below:



 



ERR 0: rule 000_RULE_NAME_USERAGENT: line 2436: 2436.2-2438.4: syntax error, unexpected RULE, expecting '}



3.  Obtain the mitigator rules from the Customer and save as a JSON file. 

4. Use a JSON parser, such as the one available as a Notepad++ plugin.

5. Highlight the curly brackets to see if all rules have a beginning and an ending.

6. Start at the rule named in the error message and add a closing curly brace
    at the end of any rule where no boundary is seen between it and the next rule.
    Keep adding until the first brace in the rule is highlighted. This should resolve the issue.

7. Save the file as mitigator.rules and give it back to the Customer to add back into WTD.    

8.  The Customer might also be able to add these directly to the mitigator.rules file by editing with the vi or nano editors. 
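
The brace check in steps 5 and 6 can also be scripted. The following is an added example, not RSA code: it pulls the rule name and line number out of the error format quoted in step 2 and lists every opening brace that is never closed. The function names, the sample rules text (constructed, not real WTD rule syntax) and the handling of double-quoted strings are assumptions.

```python
import re

# Pattern derived from the one error line quoted in the article.
ERR_RE = re.compile(r"ERR \d+: rule (?P<rule>\S+): line (?P<line>\d+):")

def parse_error(log_line):
    """Return (rule_name, line_number) from a rule syntax error, else None."""
    m = ERR_RE.search(log_line)
    return (m.group("rule"), int(m.group("line"))) if m else None

def brace_report(text):
    """Return (lines of '{' never closed, lines of '}' with no opener).

    Assumption: braces inside double-quoted strings are literal text and
    strings do not span lines.
    """
    open_lines, stray_close = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        in_string = escaped = False
        for ch in line:
            if in_string:
                if escaped:
                    escaped = False
                elif ch == "\\":
                    escaped = True
                elif ch == '"':
                    in_string = False
            elif ch == '"':
                in_string = True
            elif ch == "{":
                open_lines.append(lineno)
            elif ch == "}":
                if open_lines:
                    open_lines.pop()
                else:
                    stray_close.append(lineno)
    return open_lines, stray_close

# Constructed sample, NOT real WTD rule syntax: rule_b lacks its closing brace.
SAMPLE_RULES = ('rule_a {\n  match "agent {x}"\n}\nrule_b {\n  match "foo"\n'
                'rule_c {\n  match "bar"\n}\n')
LOG_LINE = ("ERR 0: rule 000_RULE_NAME_USERAGENT: line 2436: 2436.2-2438.4: "
            "syntax error, unexpected RULE, expecting '}")

if __name__ == "__main__":
    print(parse_error(LOG_LINE))        # rule name and line to start from
    print(brace_report(SAMPLE_RULES))   # unclosed openers, stray closers
```

Run it against a copy of the rules file and compare the reported opener line with the line number from the error before editing anything.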
