The Endpoint Server shows a yellow status in Health and Wellness for the endpoint service only, and in the UI, when navigating to the Investigate > Hosts page, the Endpoint Server is shown as offline.
The cause of this issue is the Config Server. The address of the Endpoint Server that is saved in MongoDB gets cleared (possibly during a reboot of the Endpoint Server). During orchestration, the Admin Server's MongoDB is then updated with the Event Stream Analysis (ESA) server's IP address instead of the Endpoint Server's. This causes the system to try to connect to the ESA MongoDB, and that connection is rejected. As a result, the UI shows the Endpoint Server as offline on some Investigate pages.
The resolution is to perform the following steps:
1. On the Endpoint Server, run the following command, replacing <AdminServer-NODE-ID> with the Admin Server's Node ID:
Retrieving value from Config-Server for property: nw:rsa.data.application.servers <ESA-NODE-ID>
3. On the Admin Server, run the following command to get the prop-identity needed for the next command:
4. On the Admin Server, run the following command with the prop-identity retrieved from the previous command:
security-cli-client --get-config-prop --prop-name rsa.data.application.servers --prop-identity <EP's Service ID> -b <AdminServer-NODE-ID>
The output will show the Endpoint's Node ID as follows. If this output shows the correct Endpoint Node ID, stop and contact NetWitness Support, as the fix is beyond the scope of this article. However, if the Node ID in this output is not the correct one for the Endpoint Server, proceed to the next step:
Retrieving value from Config-Server for property: <prop-identity>:rsa.data.application.servers<EP-NODE-ID>
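Checking the returned value mechanically, as an added example that is not part of the original article or of NetWitness itself: the POSIX shell functions below parse the "Retrieving value from Config-Server ..." line printed by security-cli-client --get-config-prop and compare the Node ID it carries with the Endpoint Server's own Node ID, so the decision in step 4 (correct ID: stop and contact Support; wrong ID: continue with the fix) is not made by eye. The UUID-style Node IDs and service ID, and the two sample output lines, are constructed placeholders rather than values from a real deployment; the parsing assumes that the Node ID is the text following rsa.data.application.servers on that line, as in the output shown above.

```shell
#!/bin/sh
# Added example (not from the original article): parse the output of
#   security-cli-client --get-config-prop --prop-name rsa.data.application.servers ...
# and check whether the stored Node ID is the Endpoint Server's.
# Assumption: the Node ID is the text that follows "rsa.data.application.servers"
# on the "Retrieving value from Config-Server" line, as in the article's output.

# extract_node_id LINE
#   Prints the Node ID carried by a "Retrieving value from Config-Server" line,
#   or nothing if the line does not contain the property name.
extract_node_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*rsa\.data\.application\.servers[[:space:]]*//p' \
        | tr -d '[:space:]'
}

# check_endpoint_node_id LINE EXPECTED_EP_NODE_ID
#   Exit status 0: the config server holds the Endpoint Server's Node ID
#                  (per the article, stop here and contact Support).
#   Exit status 1: a different Node ID (for example the ESA's) is stored,
#                  so the fix is needed.
#   Exit status 2: no Node ID could be parsed from the line.
check_endpoint_node_id() {
    stored=$(extract_node_id "$1")
    if [ -z "$stored" ]; then
        echo "could not find a Node ID in: $1" >&2
        return 2
    fi
    if [ "$stored" = "$2" ]; then
        echo "OK: config server holds the Endpoint Node ID $stored"
        return 0
    fi
    echo "MISMATCH: config server holds $stored, expected Endpoint Node ID $2" >&2
    return 1
}

# Constructed sample values (placeholders, not data from a real deployment).
EP_NODE_ID="11111111-2222-3333-4444-555555555555"
ESA_NODE_ID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EP_SERVICE_ID="99999999-8888-7777-6666-555555555555"

# Constructed output for the broken state: the ESA Node ID is stored.
LINE_BAD="Retrieving value from Config-Server for property: ${EP_SERVICE_ID}:rsa.data.application.servers ${ESA_NODE_ID}"
# Constructed output for the healthy state: the Endpoint Node ID is stored
# (written without a separating space, as the article's output shows it).
LINE_GOOD="Retrieving value from Config-Server for property: ${EP_SERVICE_ID}:rsa.data.application.servers${EP_NODE_ID}"

# Usage: feed each output line of the real command to check_endpoint_node_id,
# e.g.  security-cli-client --get-config-prop ... | while read -r l; do check_endpoint_node_id "$l" "$EP_NODE_ID"; done
for line in "$LINE_BAD" "$LINE_GOOD"; do
    if check_endpoint_node_id "$line" "$EP_NODE_ID"; then
        echo "-> correct Node ID stored: stop and contact NetWitness Support"
    else
        echo "-> Node ID is not the Endpoint Server's (or could not be parsed): continue with the fix"
    fi
done
```

The comparison is an exact string match on the Node ID, so any difference in case or stray whitespace is reported as a mismatch; strip or normalise the expected value the same way if the Node ID is copied from another tool's output.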