Article Number
000001578
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness Investigation
RSA Version/Condition: 11.x
Issue
RSA NetWitness uses Device IDs when building the URLs used to administer NetWitness services. For example, when a user wants to change the configuration of a Log Decoder (such as adding app rules), they go to Admin>Services>Gear Icon next to the service in question>View>Config. This takes the user to the Config page for that individual service, and the URL it redirects to contains the Device ID. These Device IDs are assigned automatically when a service is enabled within NetWitness and cannot be changed. Some examples of the URLs built when manipulating various aspects of a service are:
https://192.168.5.190/admin/services/16/config
https://192.168.5.190/admin/services/16/info
https://192.168.5.190/admin/services/16/explorer
https://192.168.5.190/admin/services/16/logs
https://192.168.5.190/admin/services/16/security
In the above examples, these are the important variables:
NW UI Host = 192.168.5.190
16 = Log Decoder Device ID
config = Service Configuration Page
info = Service System Page
explorer = Service Explore Page
logs = Service Logs Page
security = Service Security Page
After running the nwsetup-tui wizard in upgrade mode on a NW 11.x Admin Server, some of these Device IDs (16 in the above example) may be incorrect. This issue manifests itself with symptoms such as:
- Being redirected to the default Admin>Services page in the UI when attempting to drill down into a particular service
- Being redirected to the correct page, but it shows the wrong service's information
- Being unable to navigate to or investigate particular Concentrators or Brokers
Cause
During the upgrade, legacy Device IDs are inserted into the mapping collection of the sa database in Mongo (sa\mapping) on the newly upgraded NW 11.x instance. If these references are incorrectly mapped or duplicated, the above symptoms may be observed when attempting to administer or navigate some or all services.
Note: This has only been seen with NetWitness 11.x instances that have been upgraded from 10.6.x. It is not likely to occur in fresh installs of NW 11.x.
Resolution
The resolution is to wipe the sa\mapping collection in Mongo and restart the legacy UI web server (jettysrv), which forces the mappings to be rebuilt with accurate information. This is achieved with the following steps:
- SSH to the NW Admin UI server (192.168.5.190 in the above example).
- Connect to Mongo using the deploy password with the following syntax: mongo admin -u deploy_admin -p <deploy_password_configured_at_upgrade>
- Execute the following command to clear the sa\mapping collection (this deletes every document in the collection, so take a copy first if you want to compare the rebuilt mappings against the old ones): db.getSiblingDB('sa').getCollection('mapping').remove({})
- Exit Mongo with the following command: exit
- Restart the legacy UI web server, which rebuilds the entries in the sa\mapping collection, with the following command: systemctl restart jetty
Jetty may take several minutes (5-10) to come back up, and during this time users will be unable to use the UI.
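As an added example (not part of this RSA article and not NetWitness code), the following mongo shell script checks the sa\mapping collection for the duplicated or conflicting Device IDs described under Cause before the collection is wiped, so that the symptoms can be tied to the cause and the pre-wipe state is on record. The document field names deviceId and service are assumptions made for the illustration; the real keys must be read from db.getSiblingDB('sa').getCollection('mapping').findOne() on the Admin Server and substituted. The sample documents at the bottom are constructed and stand in for what find() returns on a broken upgrade.

```javascript
// Added example, not from the RSA article: inspect sa.mapping for duplicated or
// conflicting Device-ID entries BEFORE running remove({}). The field names `deviceId`
// and `service` are ASSUMPTIONS for this illustration; run
// db.getSiblingDB('sa').getCollection('mapping').findOne() and substitute the real keys.

// Pure inspection logic; runs under node as well as inside the mongo shell.
// docs: array of mapping documents; idField: key holding the Device ID;
// serviceField: key identifying the service that ID is mapped to.
function inspectMappings(docs, idField, serviceField) {
  const servicesById = new Map(); // Device ID -> Set of service identifiers
  const countById = new Map();    // Device ID -> number of documents carrying it
  for (const doc of docs) {
    const id = doc[idField];
    if (!servicesById.has(id)) {
      servicesById.set(id, new Set());
      countById.set(id, 0);
    }
    servicesById.get(id).add(String(doc[serviceField]));
    countById.set(id, countById.get(id) + 1);
  }
  // Generic comparator so numeric and string IDs both sort deterministically
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  // duplicateIds: any ID present in more than one document (verbatim duplicates included)
  const duplicateIds = Array.from(countById.keys())
    .filter(id => countById.get(id) > 1).sort(cmp);
  // conflictingIds: one ID mapped to two or more different services, which is what
  // produces the "correct page, wrong service" redirect described in the article
  const conflictingIds = Array.from(servicesById.keys())
    .filter(id => servicesById.get(id).size > 1).sort(cmp);
  return { total: docs.length, duplicateIds: duplicateIds, conflictingIds: conflictingIds };
}

// Constructed sample standing in for a broken post-upgrade collection.
const sampleMappings = [
  { deviceId: 16, service: 'logdecoder-a' },
  { deviceId: 16, service: 'logdecoder-a' },  // verbatim duplicate of the row above
  { deviceId: 17, service: 'concentrator-a' },
  { deviceId: 17, service: 'broker-a' },       // same ID mapped to two services
  { deviceId: 18, service: 'broker-b' },
];

// Inside the mongo shell `db` is defined, so the live collection is inspected:
//   mongo admin -u deploy_admin -p <deploy_password> inspect_mapping.js
// Under node `db` is undefined and the constructed sample is used instead.
const report = (typeof db !== 'undefined')
  ? inspectMappings(db.getSiblingDB('sa').getCollection('mapping').find().toArray(),
                    'deviceId', 'service')
  : inspectMappings(sampleMappings, 'deviceId', 'service');
(typeof printjson === 'function' ? printjson : console.log)(report);
```

Non-empty lists confirm the duplication described under Cause; empty lists do not rule the collection out, because an ID can be mapped to the wrong service without being duplicated. If mongoexport is installed on the Admin Server (an assumption, not stated by the article), a copy of the collection can be kept alongside this report with mongoexport --authenticationDatabase admin -u deploy_admin -p <deploy_password> -d sa -c mapping -o /root/sa_mapping.json before the remove step is run.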