Troubleshoot Reporting

This section provides troubleshooting instructions for issues faced when using the Reporting module in NetWitness.

Configuring SFTP Server Issue


Try the following steps if you face any issues while configuring the Linux SFTP server:

  1. If the Report Output Action for the configured SFTP fails, you must SSH to the SFTP server and try to connect locally to check if SFTP is working fine.

    Connect to SFTP server:


  2. If the Local connection fails, open the file sshd_config> vi /etc/ssh/sshd_config.
  3. Check for the entry in the file:

    # override default of no subsystems
    Subsystem sftp /usr/libexec/openssh/sftp-server

  4. If this entry does not exist, add the two lines mentioned in Step 3 at the bottom of the file and Save it.
  5. Restart service from SSH > service sshd restart.
  6. Retry the SFTP connection now.
  7. Make sure SFTP port is not blocked by SA server appliance firewall. Update iptables rules to allow sftp port.

Meta Values in Investigation Link Issue

Issue When the device information on the datasource is changed, the Investigation link for the meta values of the executed reports is not displayed on the NWDB results page.

Remove and re-add the datasource to Reporting Engine.

Note: This workaround is not applicable for reports that are already generated.

Internet Explorer 10 Browser Issue

Issue When you click the Test Rule multiple times in quick succession, results with large input data may not displayed in Internet Explorer 10.

If this issue occurs, try one of the following steps:

  • Close the Test Rule window on Internet Explorer 10 and run the test again.
  • Use other browsers like Chrome or Mozilla Firefox to test the rule execution.

Dynamic List Editing Issue

Issue A dynamic list cannot be added from the Edit option on the 'View All Schedules' page to an existing schedule.

1. Reports > Select the report >

2. Click the #Schedules for the specific report

3. Select the schedule to be modified from the Report Schedule page

4. Edit the schedule

Deployment Failure Issue

Issue Deployment of reports fail, if the dependencies of certain compliance reports in Live are not deployed prior to the reports.

Retry the deployment. If the problem persists, try to deploy the rule or list dependencies first and then deploy the reports.

Respond Server Issue

Issue When the Forward Alerts to Respond option is enabled and RabbitMQ connections to the Respond Server are blocked, some of the Reporting Engine threads may be blocked.

Disable the Forward Alerts to Respond option until the RabbitMQ broker in the NetWitness server at the Respond has begun and accepts the connections.

Post-Upgrade Issue

Issue Post-upgrade from 10.6.x to 11.2, Categories meta for incident collection is not supported.

When using the Categories meta for incident collection, the results rendered are in an incorrect format. Hence this meta is not supported and you cannot use the categories meta in either select clause or where clause. Also, it is not available in the list of metas for selection in the Rule Builder page.

Report Query Timeout Issue

Issue When scheduling the report, if you choose a high time range, the query may timeout with the error message Query on channel 12345 was canceled by the system for exceeding time usage limits. Check timeout values.

Set the Summarize option to None in the Build Rule view to exclude the Group-By clause (that is performance intensive) and then re-schedule the report. If the query still times out after 60 minutes, increase the timeout value from 60 minutes to 90 minutes on all the core services.

To increase the timeout value:

  1. Go to Admin > Services > Security > Users and set the Core Query Timeout to 90 minutes.

  2. Enter the Service Admin Password and click Save.

  3. Re-schedule the report.