After upgrading to the 12.1 version, Reporting Engine cannot forward logs to SFTP server after finishing the queries due to script issues. As a result, reporting engine report is not saved in the SFTP server.
An error message is displayed on the Report page after enabling Push to Decoder in an alert for a NetWitness Platform Database rule in Reporting Engine. As a result, Report page cannot push the rule to the decoder on the Report page.
Test chart feature in Reports (Reports > Charts > Add new chart > Test Chart) is unable to load with certain time ranges such as 1hr, 3hr, 6hr, 12hr, and 24hr. This issue occurs because Start and End dates are set as required request parameters.
In Endpoint, the Hosts tab is not loading because of the presence of huge bash history for a few agents. As a result, you can see timeouts or delays in mongo.db
Process Tree is not displayed in the Respond Service for high and critical Endpoint alerts (Host> Event Details > View alert Details). This issue occurs when the session ID of the event exceeds the integer limit of 32 bits. As a result, you cannot investigate the events.
While filtering app rules under Decoder (Admin > Services > Decoder > config), the enable and disable functionality is not working correctly. As a result, the display order of any row remains the same and does not update after filtering the rules.
If you download a file from the Events page with Korean characters in the file name, an underscore replaces the Korean characters in the file name. The fix converts the Korean characters of the UTF character set. But the Korean characters of the Non-UTF character set depends on JVM 20 or 21. This will be addressed in future releases.
On failover, recurring custom feeds created before the failover are failing and not getting pushed to the core.
When the log decoder forwards the logs in RFC-3164 format to the other sources, the event destination receives the logs in the format which is specified for higher-order AppRule.
While applying an aggregation filter on Archiver to archiver aggregation, all data aggregates because the aggregation filter does not function. This issue is fixed and Archiver to Archiver aggregation now supports query filters to filter out certain meta keys from sessions during aggregation.
For rabbitmq.log, queue exchange and its binding is not getting created. Hence, it triggers an alarm 'LogCollector Event Process Queue with no Bindings'. In the 12.3 version, the binding commands are part of NetWitness platform.
NwLogDecoder service frequently receives error messages in /var/log/messages because the message upload cannot recognize parameters such as finalCount.
The Jobs (Admin > System > Jobs) with lengthy queries take longer to load. As a result, the load time of the Jobs page is impacted.
Unable to establish a secure connection between ESM and Log Decoders because the certificates that ESM service uses are not available on the Log Decoder nodes. As a result, SMS fails to upload ESM feed files to the connected Log Decoders.
When the user sends an event to ESPER, and then it throws an exception runtime, the details need to be captured and moved to Mongo.DB. But, if the user gets frequent exceptions, the process becomes slow due to many databases writes.
Warehouse Connector Fixes
Avro file processing in the warehouse connector is extremely slow due to large data that causes Avro files to pile up and duplicate.
After rebooting Network Decoder or Log Decoder, an alarm is triggered in Health & Wellness to indicate a Lockbox failure.