Article Number
000001439
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.1.0.1
Platform: Windows
Issue
The RSA NetWitness Endpoint Insights Agent has a known bug in its handling of blank event fields, as seen in Forwarded Events with missing fields. Affected events are not processed, and log collection stops altogether.
Cause
The root cause is related to error codes associated with blank fields. This is known as error code 13:
- (4028) ** __leave at WinEventFormat.c(274), error 13
This error can ONLY be seen by installing an Endpoint Insights trace agent. Normally the issue appears as log collection that simply never reaches the Log Decoder from the target host, so it looks as though days or weeks have passed since the last log collection event was seen. A Wireshark capture, even one run on the host itself, will show no entries being sent, because log collection processing stops as soon as this error occurs.
There is a second reason this happens: once the first error in a batch of events occurs (in this case error 13, but any other error would have the same effect), none of the following events in that batch are processed. The cause of this is documented in notes in the associated JIRA.
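The following is an added illustration, not RSA code: it models the two behaviours described above. A forwarded event with a blank field fails formatting (modelled here as error 13), and a batch processor that halts on the first failure loses every later event in the batch, whereas one that skips the bad event and continues keeps the rest. The event fields, host names and the stale-host threshold are constructed sample values.

```python
# Added illustration (not RSA code) of the batch-halting behaviour.
from dataclasses import dataclass, field

ERROR_BLANK_FIELD = 13  # error number quoted in the article's trace line


class FormatError(Exception):
    def __init__(self, code: int):
        super().__init__(code)
        self.code = code


@dataclass
class BatchResult:
    processed: list = field(default_factory=list)
    errors: list = field(default_factory=list)   # (index, error code)
    halted: bool = False


def format_event(event: dict) -> str:
    """Stand-in for the agent's event formatter: rejects any blank field."""
    for key, value in event.items():
        if value is None or str(value).strip() == "":
            raise FormatError(ERROR_BLANK_FIELD)
    return "|".join(f"{k}={v}" for k, v in event.items())


def process_batch(events, stop_on_first_error: bool) -> BatchResult:
    """stop_on_first_error=True models the bug; False models skip-and-continue."""
    result = BatchResult()
    for idx, ev in enumerate(events):
        try:
            result.processed.append(format_event(ev))
        except FormatError as exc:
            result.errors.append((idx, exc.code))
            if stop_on_first_error:
                result.halted = True   # every later event in the batch is lost
                break
    return result


def stale_hosts(last_seen: dict, now: float, max_age_s: float) -> list:
    """Hosts whose last collected event is older than max_age_s (the visible symptom)."""
    return sorted(h for h, t in last_seen.items() if now - t > max_age_s)


# Constructed sample batch: the second forwarded event has a blank field.
SAMPLE_BATCH = [
    {"EventID": "4624", "Computer": "host01", "TargetUserName": "alice"},
    {"EventID": "4688", "Computer": "host02", "TargetUserName": ""},
    {"EventID": "4625", "Computer": "host03", "TargetUserName": "bob"},
]

if __name__ == "__main__":
    buggy = process_batch(SAMPLE_BATCH, stop_on_first_error=True)
    fixed = process_batch(SAMPLE_BATCH, stop_on_first_error=False)
    print("buggy:", len(buggy.processed), "processed, halted:", buggy.halted)
    print("fixed:", len(fixed.processed), "processed, errors:", fixed.errors)
```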
Resolution
There are two possible methods to resolve this issue. The first is to install the version of NetWitness Endpoint Insights that is part of the 11.3.x release cycle. Any 11.3.x version contains this fix.
The second is to install a hotfixed version of the agent that includes the fix. As these are engineering hotfixes, open a case with support to request the fix if upgrading to 11.3 is not possible.
NOTE: Whether the issue is fixed by upgrading or by using a hotfixed agent, all existing agents will need to be replaced with the new version in every case.