This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
      • Netwitness XDR
      • EC-Council Training
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
    • Role-Based Training
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • Knowledge Base
  • RSA NetWitness Endpoint Agents are not reflected on UI
  • Options
    • Subscribe to RSS Feed
    • Bookmark
    • Subscribe
    • Printer Friendly Page
    • Report Inappropriate Content

RSA NetWitness Endpoint Agents are not reflected on UI

Article Number

000001332

Applies To

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Endpoint Log Hybrid
RSA Version/Condition: 11.3.x, 11.4.x
Platform: CentOS 7

Issue

Endpoint Agents are not reflected on UI under Investigate >>> Hosts although NWEAgent Service is running.
 

Cause

Most properly the connection on Port TCP/443 is not established, either there is blockage point in the path between the Agent and the server or we do have a mismatch in TLS and Ciphers options.

Resolution

First of all, we need to test the connectivity between the Endpoint Agents and the server on both ports TCP/443 and UDP/444, so use Testnet utility and for more details follow the steps in Article 000038661.

In case there was error similar to the below, it means that the port is open but still the connection is not established.
 
C:\Windows\System32>NWEAgent.exe/testnet

C:\Windows\System32>
**************************************************
* NetWitness Endpoint Agent                      *
* © 2019 RSA Security LLC., All rights reserved. *
**************************************************
Compiled on Apr  1 2019 10:47:28.

- Found service certificate...
- Found service config...
- Service master server 192.168.2.132:443, UDP:444...
- Found service assigned server 192.168.2.133:443, UDP:444...
- Attempting connection with basic socket...
- Resolved address...
SUCCESS: Connected with basic socket.
- Attempting connection with WinHTTP...
ERROR: TestHttpsConnection: Could not connect, and no proxy was found. (Error =
0, Code = 500)
- Attempting UDP beacon test...
- Resolved address...
SUCCESS: Got expected UDP reply.

Next step is to verify that both the Agent and Server can agree on an SSL Protocol (TLSv1.2, TLSv1.3...) and Cipher Suite.

Server Side
  • The Endpoint Server is configured to run in FIPS mode and accept only TLSv1.2. 
  • For the Ciphers, they are listed in /etc/nginx/conf.d/nginx.conf.
[root@EndpointLogHybrid ~]# cat /etc/nginx/conf.d/nginx.conf | grep -i ssl_ciphers
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

Agent Side

Download any third-party tool to list the enabled TLS version and Ciphers such as https://www.nartac.com/Products/IISCrypto/Download.





In the above example, we can see that ECDHE family was disabled.

After enabled them and used the Testnet utility, it shows that the connection is established successfully. 
 
C:\Windows\System32>NWEAgent.exe/testnet

C:\Windows\System32>
**************************************************
* NetWitness Endpoint Agent                      *
* © 2019 RSA Security LLC., All rights reserved. *
**************************************************
Compiled on Dec 10 2019 03:54:23.

- Found service certificate...
- Found service config...
- Service master server 192.168.2.132:443, UDP port 444...
- Found service assigned server 192.168.2.133:443, UDP port 444...
- Attempting connection with basic socket...
- Resolved address...
SUCCESS: Connected with basic socket.
- Attempting connection with WinHTTP...
SUCCESS: Connected over HTTPS with WinHTTP. Server reply : {"serviceId":"9a9e82e
6-0104-4e42-a9fd-75537854a534","serviceName":"endpoint-server","marketingVersion
":"11.4.0.0"}
- Attempting UDP beacon test...
- Resolved address...
SUCCESS: Got expected UDP reply.

Notes

If enabling the ciphers does not work, you can also check to see if there is a proxy in between the agent and the Endpoint Server.
One of the client's machines opens a command prompt with runas administrator option.
Type: netsh.exe winhttp show proxy
The results either state directly connected or display the proxy that is used.

If the output displays a proxy IP, it is best work with the group responsible for managing proxy servers.
A temporary measure would be to config the system to bypass proxy by the following means.

set proxy myproxy
set proxy myproxy:80 "<local>bar"
set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.domainName.com"



Below web link to Microsoft KB article for more information:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731131(v=ws.10)
 
Tags (12)
  • Customer Support Article
  • KB Article
  • Knowledge Article
  • Knowledge Base
  • NetWitness
  • NetWitness Platform
  • NW
  • RSA NetWitness
  • RSA NetWitness Platform
  • RSA Security Analytics
  • Security Analytics
  • SIEM
2 Likes
Was this article helpful? Yes No
100% helpful (1/1)

In this article

Version history
Last update:
‎2022-11-11 08:56 AM
Updated by:
Administrator nwinfotech Administrator

Related Content

Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.