Negative Policy Numbering

You may see negative numbers in the Order field in the Groups section of the Monitoring Policies tab. This topic describes a workaround to restore the correct numbering scheme for your policies.

Details

The following screen shows an example of the situation where the numbers of group policies become negative.

[Screenshot: netwitness_esm_policy_neg.png]

If you encounter this situation, drag and drop the top group (All Unix Event Source(s) in the above image) to after the last group (Ciscoasa_Alarm14417). This restores normal, ordinal numbering. You can then continue to drag and drop groups until you have them in their proper order for your organization.

Clean Up Duplicate Messages

  1. Stop collectd on NetWitness and Log Decoders:

    service collectd stop

  2. Remove the ESM Aggregator persisted file on NetWitness:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.

    1. Navigate to the Log Decoder REST, at http://<LD_IP_Address>:50102
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel from the Event Sources Manage tab, select all event sources and then click - to remove them.