NetWitness Community

Anonymous · ‎2013-10-29

i am currently working on Virtual Testing Environment of RSA Security Analytics. I have successfully deployed all components(SA server, Concentrator, Decoder and Log Decoder) VM in our Esxi Server. All the components are licensed and active and also working properly. But i have an issue with Reporting Engine whenever i tried to add device Reporting Engine and check test connection, it shows test connection failed and i am not able to add Reporting engine in the Devices.

IP address detail: Example

SA server: 192.168.1.129/24

Concentrator: 192.168.1.88/24

Decoder: 192.168.1.168/24

Log Decoder: 192.168.1.49/24

I am trying to add Reporting Engine on 192.168.1.129 or 127.0.0.1 but its failed on both cases. I have also tried to add Reporting Engine

After redeployment of all VMs and got the same error. Please find the attached Screen shot of the error.

Please help on this issue.

Thanks in advance

Anonymous · ‎2013-10-30

Hi Rajveer,

Can you add the reporting engine using "localhost" in place of the static/loopback IP? If not you may be required to re-initialise the reporting engine, support should be able to assist you with this task.

Craig

AdamRasnick · ‎2013-11-06

I as well use "localhost" and never have any problems. This should fix your problem.

Anonymous · ‎2013-11-06

I've not worked with SA on VM's, but I have had similar issues with collectors in the past. It usually came down to a simple solution that the service wasn't running.

I would check to make sure the service running as well.

stop rsasoc_re
start rsasoc_re

Anonymous · ‎2013-11-07

Hi Craig_RSA, Adam Rasnic, James_herbst

i have also tried with "localhost" but then too i got the same error. well i am trying to take RSA support help but still my case in pending.

And i think if we have not added the reporting engine till then we cant stop and start it. because no reporting service is there.

if i am wrong then plz correct me.

well, thanx for response.

Anonymous · ‎2013-11-07

As I mentioned, I haven't worked with Security Analytics on VM. We have physical appliances; log and packet decoders, concentrators, hybrids, etc. I find it much more reliable to ssh into the appliances to start and stop services. The GUI still has some issues that I don't think have been completely worked out. Hope that makes more sense to what I had said in my last post to your question.

AdamRasnick · ‎2013-11-07

What devices have you deployed and what version are those devices running?

Anonymous · ‎2013-11-07

SA Server (broker/reporting engine/IPDB) x2 (PROD & DR)

Log Decoder x2 (PROD & DR)

Log Concentrator x2 (PROD & DR)

Packet Hybrid (decoder/concentrator) x5 (Multi GEO Locations)

Log Hyrbid (decoder/concentrator/collector) x5 (Multi GEO Locations)

All appliances had 10.0 when I started, currently on the latest release v 10.2 SP2

AdamRasnick · ‎2013-11-07

I think at one point I had the same issue. You might try forcing the update of the reporting engine on the server.

rpm --force -Uvh **re_server RPM filename**

--Not sure if you will need to stop services on the server or not, it probably wouldnt hurt to be for sure though. I think I actually did a full restart on the server afterwards to make sure I had a clean slate for all changes to take effect when it came back up.

huanzhou1 · ‎2013-11-08

try:

[root@saNre ~]# netstat -an | grep 51113

tcp 0 0 ::ffff:127.0.0.1:51113 :::* LISTEN

if no return, that mean service not running.

check:

/home/rsasoc/rsa/soc/reporting-engine/logs/*.log see what's the error when restarting the report engine

if really cannot fix:

uninstall and reinstall (re-server-10.2.5.2-2.noarch.rpm)

NetWitness Community

i am not able to add reporting engine in security analytics