This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Issues regarding 10.3, welcome to comment

Go to solution
huanzhou1
Beginner
Beginner

‎2013-12-05 07:22 AM

Today i was working on SA for packet, the appliance shipped with 10.3, after few round testing, some issues made us decided to roll back 10.2 SP2, below are the issues:

1. Malware cloud(community) not able to activate, roll back 10.2 SP2(with same CID) resolved issue.

2. Broker missing meta value. The new index-broker.xml only has one entry regarding time. From the testing, malware not able to get any files to analyse. If target to concentration, everything works. Roll back to 10.2 SP2 resolved issue.

 

I searched KB, so far no 10.3 issues yet. maybe need to wait 10.3 SP1.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-12-05 03:47 PM

The reason index-broker.xml only has time is that it is no longer necessary to update the index on a broker.  It gathers it's language from all the downstream devices.  So it the broker talks to 3 concentrators, it will make the language call to the 3 concentrators and merge the results.  It is only necessary to maintain the language on the concentrators.

 

However, if you feel it necessary, you are welcome to define a language in index-broker-custom.xml.  That will be used if it's provided.  The only time that would be necessary is if all devices are offline and you still want a full language returned.

View solution in original post

0 Likes
11 REPLIES 11

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-12-05 03:47 PM

The reason index-broker.xml only has time is that it is no longer necessary to update the index on a broker.  It gathers it's language from all the downstream devices.  So it the broker talks to 3 concentrators, it will make the language call to the 3 concentrators and merge the results.  It is only necessary to maintain the language on the concentrators.

 

However, if you feel it necessary, you are welcome to define a language in index-broker-custom.xml.  That will be used if it's provided.  The only time that would be necessary is if all devices are offline and you still want a full language returned.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2013-12-05 07:35 PM

Hi Scott,

The problem is from the concentration i'm able to find the meta value, but from broker cannot. The broker is aggregating from the concentrator. Is there any additional settings need to be configured?

 

Thanks.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2013-12-05 07:44 PM

No, there shouldn't be, but I'd like to diagnose this further.  If you don't mind, can you use explorer view, NwConsole or a browser and attach the output of the "/sdk language" command from both the broker and concentrator?  Also, let me know which meta key you see on the concentrator but not the broker.  For the language call, just pass "size=300" as the only parameter, which should be large enough to see all the keys.

 

In addition, if you could capture the audit log of the language call sent by the broker to the concentrator, I'd like to see that as well.

 

Thanks

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2013-12-09 12:27 AM

Hi Scott,

 

Let me setup my testing lab and update you.

 

Thanks.

0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2013-12-10 12:41 PM

Hi Scott,

 

In my own lab system, everything is ok now. I'm not sure what happened in the customer setup.

same for the malware community access, in my lab there is no issue.

 

Maybe some unique issue. Anyway already 10.2 SP2.

 

Thanks for the help.

0 Likes

Go to solution
AdamRasnick
Beginner
Beginner
In response to RSAAdmin

‎2013-12-19 06:08 PM

If this is the case, then why does it only return events with "Time" in the select field.  Using Informer, I can not return any results if I ask for anything other than time in the select field.  If what you say is true, then why doesnt it call the language keys from "down river"?

 

Attached is the same /sdk language command you mentioned earlier...i just dont understand how i can see the language there but not in Informer...?

Preview file
18 KB
0 Likes

Go to solution
huanzhou1
Beginner
Beginner
In response to AdamRasnick

‎2013-12-19 07:03 PM

had the same issue 1 again:

1. Malware cloud(community) not able to activate

For issue 2. Broker missing meta value, i waited for a few  seconds then the meta came in. but if concentrator doesn't have the meta in the meta group, it will still show 'missing meta' in the broker.



0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2013-12-20 01:13 PM

For the first question, you will need to register your device ID with support for Community results to work.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.