The following error is seen in the Security Analytics UI when attempting to run a report:
Failed To Retrieve Distinct Values For Specific Field Across Range [range number 1] To [range number 2]: 408 Request Timeout
An error similar to the following is observed in the /var/lib/netwitness/uax/sa.log file while executing the report in the Security Analytics UI, noting that the rsaadmin job id is variable:
[org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-6] INFO org.quartz.core.JobRunShell - Job rsaadmin.12345-6789-abcd123abcd threw a JobExecutionException: org.quartz.JobExecutionException: Error uploading file to device at com.rsa.smc.sa.core.job.NextGenUploadFileJob.checkForFailedUpload(NextGenUploadFileJob.java:179) at com.rsa.smc.sa.core.job.NextGenUploadFileJob.executeJob(NextGenUploadFileJob.java:149) at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61) at org.quartz.core.JobRunShell.run(JobRunShell.java:213) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
This issue occurs due to a timeout configuration change that occurred in RSA Security Analytics 10.3.4. Previously at 10.3.3 and below, higher fixed values were assigned to the two parameters, NWDBqueryTimeout and SchemaTimeout. The difference in values can at times cause larger reports to fail.
A hotfix for this issue has been created for RSA Security Analytics 10.3 SP4 which resolves the issue. Follow the steps below to download and apply the hotfix.
Transfer the file to the Security Analytics server appliance.
Connect to the Security Analytics server appliance via SSH as the root user and navigate to the directory to which the file was transferred.
Stop the reporting engine service with the following command: stop rsasoc_re
Update the re-server package to the new version with the following command: rpm -Fvh re-server-10.3.4.89-4.noarch.rpm
Start the reporting engine service with the following command: start rsasoc_re
If you are unable to apply the hotfix at this time, you may alternately perform these steps to mitigate the issue:
Log into the Security Analytics UI with an administrative account.
Navigate to Administration -> Devices.
Select the Reporting Engine device and click on View -> Config.
In the System Configuration section on the General tab, locate the setting for NWDB Query Timeout.
Change the value to be 2592000, which equates to 30 days in seconds. To change this, double-click on the 0, enter the new value, and hit enter.
Click the Apply button.
Navigate back to Administration -> Devices.
Select the Reporting Engine device and click on View -> Explore.
In the left pane, drill down to com.rsa.soc.re -> Configuration -> NextGenConfiguration -> nextgenConfig.
In the right pane, look at the value for SchemaTimeOut. If its value is 60, double-click the value to change it to 120 and hit enter.
Performing these changes will not impact production, nor do the changes require a service or system restart. While a hotfix is also available, applying the higher timeout values manually mitigates the problem in the same fashion as the hotfix does, as the updated RPM also simply increases the values.