Troubleshooting NetWitness Endpoint

This section provides information about possible issues when using NetWitness Endpoint.

General Issues

Issue

Some hosts or files data is not displayed when the Endpoint Broker is selected for querying.

Solution

The Endpoint Broker aggregates data only from the Endpoint Servers that respond within the query timeout, which is 10 seconds by default. An Endpoint Server that is online but slow to respond is silently left out of the result. To include it, increase the query timeout value. Perform the following:

  1. Go to (Admin) > Services > Endpoint Broker service.
  2. Click the actions icon > View > Explore.
  3. Click the endpoint/broker node.
  4. In the query-timeout field, increase the value, for example, to 30 seconds.

Issue

The Endpoint Agent is unable to communicate with the Endpoint Server. The connection may fail because of any of the following:

  • UDP
  • HTTPS
  • Firewall

Solution

  • To verify the UDP or HTTPS connection between a Windows Endpoint Agent and the Endpoint Server:
    1. On the host, open a command prompt and change to the System32 folder:

      cd C:\Windows\System32

    2. Run the agent service executable with the /testnet option:

      <Agent Service name>.exe /testnet

      For example, NWEAgent.exe /testnet

  • If the issue is with the firewall, check the inbound and outbound firewall rules on the host and on the network path to the Endpoint Server.
Issue

The Endpoint Agent is unable to communicate with the Log Decoder. The connection may fail because of any of the following:

  • UDP
  • TCP
  • TLS
  • Firewall

Solution

  • To verify the UDP, TCP, and TLS connection between a Windows Endpoint Agent and the Log Decoder:
    1. On the host, open a command prompt and change to the System32 folder:

      cd C:\Windows\System32

    2. Run the agent service executable with the /testlognet option:

      <Agent Service name>.exe /testlognet

      For example, NWEAgent.exe /testlognet

  • If the issue is with the firewall, check the inbound and outbound firewall rules on the host and on the network path to the Log Decoder.

Multi-server Issue

Issue

The agent is not communicating with the Endpoint Server after migration.

Solution

Check the Nginx logs of the Endpoint Server to which the agent has migrated. If the agent's requests are being answered with HTTP error code 403, the certificates of the first and second Endpoint Servers differ: during the installation of the second Endpoint Server, the certificate of the first Endpoint Server was not copied to it, so the second server does not trust the certificate the agent presents.

Reinstall the second Endpoint Server, this time copying the certificate of the first Endpoint Server, and then reinstall the agent. For more information, see the Physical Host Installation Guide.
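The following is an added example, not part of the NetWitness documentation, of how to triage the Nginx access log on the Endpoint Server for the 403 pattern described above. It assumes the log is written in the standard Nginx "combined" format (the status code is the ninth whitespace-separated field); the log path, the request paths and the sample lines themselves are constructed for illustration. Clients whose every request is answered with 403 are the migrated agents whose certificate the server rejects, whereas a client with a mix of 403 and 2xx responses is a transient problem rather than a certificate mismatch.

```shell
#!/usr/bin/env bash
# Added example (not NetWitness code): find agents rejected with HTTP 403
# in an Nginx access log written in the standard "combined" format:
#   ip - user [date tz] "METHOD path proto" status bytes "referer" "user-agent"
set -eu

# Constructed sample log lines for illustration. Request paths and
# user-agent are placeholders, not the real agent API.
SAMPLE_LOG='10.0.1.21 - - [12/Mar/2024:10:00:01 +0000] "POST /agent HTTP/1.1" 403 162 "-" "NWEAgent"
10.0.1.22 - - [12/Mar/2024:10:00:02 +0000] "POST /agent HTTP/1.1" 200 512 "-" "NWEAgent"
10.0.1.21 - - [12/Mar/2024:10:00:31 +0000] "POST /agent HTTP/1.1" 403 162 "-" "NWEAgent"
10.0.1.23 - - [12/Mar/2024:10:00:40 +0000] "GET /agent HTTP/1.1" 403 162 "-" "NWEAgent"
10.0.1.22 - - [12/Mar/2024:10:01:02 +0000] "POST /agent HTTP/1.1" 200 512 "-" "NWEAgent"
10.0.1.21 - - [12/Mar/2024:10:01:03 +0000] "POST /agent HTTP/1.1" 403 162 "-" "NWEAgent"
10.0.1.23 - - [12/Mar/2024:10:01:10 +0000] "GET /agent HTTP/1.1" 200 900 "-" "NWEAgent"'

# Read combined-format log lines from stdin and print, per client IP:
#   <ip> <total requests> <requests answered with 403>
status_summary() {
    awk '{
        ip = $1
        total[ip]++
        if ($9 == 403) denied[ip]++      # $9 is the HTTP status code
    }
    END {
        for (ip in total)
            printf "%s %d %d\n", ip, total[ip], denied[ip] + 0
    }' | sort
}

# Print only the client IPs for which every request was answered with 403.
# This is the signature of an agent whose certificate this Endpoint Server
# does not trust; a client with some 2xx responses is not a cert mismatch.
rejected_agents() {
    status_summary | awk '$2 == $3 { print $1 }'
}

# Demonstration on the constructed sample:
echo "Per-client summary (ip total denied):"
printf '%s\n' "$SAMPLE_LOG" | status_summary
echo "Clients rejected on every request:"
printf '%s\n' "$SAMPLE_LOG" | rejected_agents
```

On a real Endpoint Server, feed the script the Nginx access log instead of the sample, for example `rejected_agents < /var/log/nginx/access.log` (the path is an assumption; use the log location configured on your appliance). Cross-check the IPs it reports against the hosts that stopped communicating after migration before reinstalling.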

Hosts View Issues

Issue

When attempting to access the Hosts or Files view, the view opens with the message "An error has occurred. The Endpoint Server may be offline or inaccessible."

Explanation

The Endpoint Server or the Nginx server is not running, or the Endpoint Server host is not registered with the Admin Server. Check the status of the Endpoint Server under (Admin) > Services, and check that the Endpoint Server host IP address is registered with the Admin Server. For more information, see the Physical Host Installation Guide or Virtual Host Installation Guide. If the service is not running, start the Endpoint Server.

Issue

The Hosts view shows a 'No Results Found' error in the following scenario:

  • Host A belongs to Endpoint Server A and does not exist on Endpoint Server B.

  • Endpoint Server B is selected in the Hosts view.

  • In a new window or tab, you open the Host details page of Host A.

  • You navigate to the Hosts view using [Host Name] > Actions > Pivot to Investigate > Hosts/Files.

    Endpoint Server B is still selected by default, and the page shows the 'No Results Found' error because Host A is not known to that server.

Explanation

This is expected behavior. The Endpoint Server that is selected first is treated as the current (active) server for the rest of the session.

Workaround

Select the Endpoint Server that owns the host (Endpoint Server A in this scenario); Pivot to Investigate > Hosts/Files then behaves normally.

Issue

For MFT download:

  1. The request fails with a "file not found" error for drives or mount paths created on the machine after the agent was installed.

  2. An incorrect MFT is downloaded for the provided NTFS mount path.

Solution

Make sure that the agent version is 11.6 or later.

Files View Issues

Issue

Unable to analyze events from the Hosts and Files view.

Explanation

If an aggregation service other than a Broker or Concentrator, such as an Archiver, is aggregating data from the Log Decoder that is configured for metadata forwarding from an Endpoint Server, clicking Analyze Events in the Hosts and Files view for that Endpoint Server may not work. To resolve this issue, point the Endpoint Server at the Concentrator explicitly:

  1. Get the investigate-service-id (the UUID of the Concentrator):
    1. Go to (Admin) > Services > Concentrator service.
    2. Click the actions icon > View > Explore tab.
    3. Expand the sys/stats node list.
    4. In the UUID field, copy the value.
  2. Go to (Admin) > Services > Endpoint Server service.
  3. Click the actions icon > View > Explore tab.
  4. In the endpoint/investigate field, specify the investigate-service-id copied in step 1.

Policy Issue

Issue

The policy status in the Policy Details panel is not updated, or shows Policy Unavailable or Permission Required.

Explanation

Policy Unavailable - The host is running an agent from an earlier release, such as NetWitness Platform 11.1 or 11.2, to which no policy is applied.

Permission Required - Your role does not have the required permissions. See the "Role Permissions" topic in the System Security and User Management Guide.

Issue

The policy status shows an error.

Explanation

The policy may be misconfigured. Check the error description, the Endpoint Server logs, and the audit logs for details, and contact your system administrator with the error details.

Driver Issue

Issue While loading the driver on the host, an error is encountered.
Explanation

Check the driver error code in the Agent-Driver Error Code column under Hosts view. Contact your system administrator with the error code.

Download Issue

Issue

Downloads (Files, MFT, System/Process dumps, etc.) fail at times.

Explanation

Downloads fail when there is not sufficient disk space on the Endpoint Server.

Workaround

Free up disk space on the Endpoint Server and try the download again. Make sure sufficient free disk space is available before initiating any download.

File Reputation Service Issue

Issue After RSA Live is configured for the first time, the File Reputation service is not connected.
Solution

You must manually enable the File Reputation service. To enable the File Reputation service:

  1. Go to (Admin) > System > Live Services.
  2. In the Additional Live Services section, select the enable File Reputation check box.
  3. Click Apply.

Risk Scoring for Hosts or Files Issue

Issue NetWitness Endpoint takes a long time to process risk scoring for Hosts or Files.
Solution

Check the backlog of alerts waiting for risk scoring.

  1. SSH to the ESA Primary appliance.

  2. Execute the following command, which counts the alerts in the Respond server's staging collection that are still in the STAGED or WORKING state:

    mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin_password> --eval 'db.staging.find({"$or":[{state:"STAGED"},{state:"WORKING"}]}).count()' --quiet

    The backlog count is displayed. If the backlog count is 1 million or greater, you must disable risk scoring and the Endpoint ESA alerts.

  3. To disable risk scoring:

    1. Go to (Admin) > Services > Respond service.

    2. Click the actions icon > View > Explore.
    3. Expand the respond/scheduled/jobs node list.

    4. In the risk-scoring-enabled field, set the value to false.
  4. To disable Endpoint ESA alerts:

    1. To disable generation of NetWitness Endpoint ESA alerts of Critical, High, and Medium severity:

      1. Go to (Configure) > ESA Rules.

        The Configure view is displayed with the Rules tab open.

      2. In the Options panel, under Deployments, select the Endpoint deployment and delete it.
        A confirmation dialog is displayed.

      3. Click Yes.
    2. To disable only Medium severity NetWitness Endpoint ESA alerts:
      1. Go to (Admin) > Services > ESA Correlation service (the one on which the Endpoint deployment is added).
      2. Click the actions icon > View > Explore.
      3. Expand the correlation/alert node list.
      4. In the transient-enabled field, set the value to false.

Endpoint Broker/Server Issue

Issue A user has access to one Endpoint Server but is unable to access another.
Explanation

Access to Endpoint Servers is granted per server. Ask the administrator to check whether you have access to that Endpoint Server, and request access if required.

Issue With the Endpoint Broker selected, the user can scan hosts that belong to one Endpoint Server but cannot scan hosts that belong to another Endpoint Server.
Explanation

The user may not have access to the other Endpoint Server. The Broker only lets a user act on hosts of the Endpoint Servers that user is permitted to access. Check with the administrator whether the user has access to that Endpoint Server.