The Endpoint Broker aggregates data from all Endpoint Servers, which responds within 10 seconds. You must increase the query timeout value to see the result of Endpoint server that is online. Perform the following:

1. Go to (Admin) > Endpoint Broker service.
2. Click > View > Explore.
3. Click endpoint/broker node.
4. In the query-timeout field increase the value, for example, 30 seconds.

• To verify the UDP or HTTPS connection, you must verify the connection between Windows Endpoint Agent and Endpoint Server:

  1. Go to System32 folder using the following command:

     cd C:\Windows\System32

  2. Execute the following command:

     <Agent Service name>.exe /testnet

     For example, NWEAgent.exe /testnet

• If the issue is with the firewall, check the incoming and outgoing firewall rules.

• To verify the UDP, TCP, and TLS connection, you must verify the connection between Windows Endpoint Agent and the Log Decoder:

  1. Go to System32 folder using the following command:

     cd C:\Windows\System32

  2. Execute the following command:

     <Agent Service name>.exe /testlognet

     For example, NWEAgent.exe /testlognet

• If the issue is with the firewall, check the incoming and outgoing firewall rules.

Check the Nginx logs of the Endpoint Server to which the agent has migrated, and if the agent is communicating with error code 403, that means the certificate of the first Endpoint Server and second Endpoint Server are different. This is because during the installation of second Endpoint Server, the certificate of first Endpoint Server is not copied to the second Endpoint Server.

Reinstall the second Endpoint Server by copying the certificate of first Endpoint Server, and reinstall the agent. For more information, see the Physical Host Installation Guide.

Endpoint Server or Nginx Server is not running. Check the status of the Endpoint Server under (Admin) > Services or check if the Endpoint Server host IP address is registered with the Admin Server. For more information, see the Physical Host Installation Guide or Virtual Host Installation Guide. If the service is not running, start the Endpoint Server.

Ensure the correct Endpoint server is selected, and Pivot to Investigate > Hosts/Files will behave normally.

Other than Broker or Concentrator, if any aggregation service, such as Archiver, is aggregating data from the Log Decoder that is configured for metadata forwarding from any Endpoint server, clicking Analyze Events from Hosts and Files view for this Endpoint server may not work. To resolve this issue:

Note: To get the investigate-service-id:
1) Go to (Admin) > Services > Concentrator service.
2) Click > View > Explore tab.
3) Expand the sys/stats node list.
4) In the UUID filed, copy the value.

1. Go to (Admin) > Services > Endpoint Server service.
2. Click > View > Explore tab.
3. In the endpoint/investigate field, specify the investigate-service-id.

Policy Unavailable - Hosts belong to previous versions, such as NetWitness Platform 11.1 or 11.2, where a policy is not applied.

Permission Required - If you do not have permissions, see the "Role Permissions" topic in the System Security and User Management Guide.

Policy may have wrong configurations. Check the error description, logs in Endpoint server, and audit logs for details. Contact your system administrator with the error details.

Check the driver error code in the Agent-Driver Error Code column under Hosts view. Contact your system administrator with the error code.

Clean up some disk space and try downloading again. We recommend you keep sufficient disk space before initiating any download.

You must manually enable the File Reputation service. To enable the File Reputation service:

1. Go to (Admin) > System > Live Services.
2. In the Additional Live Services section, select the enable File Reputation check box.
3. Click Apply.

Check the backlog of alerts for risk scoring.

1. SSH to the ESA Primary appliance.

2. Execute the following command:

   mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin_password> --eval 'db.staging.find({"$or":[{state:"STAGED"},{state :"WORKING"}]}).count()' --quiet

   The backlog count is displayed. If the backlog count is 1 million or greater, you must disable the risk scoring and Endpoint ESA alerts.

3. To disable risk scoring:

   1. Go to (Admin) > Services > Respond service.

   2. Click > View > Explore.

   3. Expand the respond/scheduled/jobs node list.

   4. In the risk-scoring-enabled field, set the value to false.

4. To disable Endpoint ESA alerts:

   1. To disable NetWitness Endpoint ESA alerts generation for severity; Critical, High and Medium.

      1. Go to (Configure) > ESA Rules.

         The Configure view is displayed with the Rules tab open.

      2. In the Options panel, under Deployments, select the Endpoint deployment to delete.
         A confirmation dialog is displayed.

      3. Click Yes.
         
   2. To disable only Medium severity NetWitness Endpoint ESA alerts:
      1. Go to (Admin) > ESA Correlation service (on which Endpoint deployment is added).
      2. Click > View > Explore.
      3. Expand the correction/alert node list.

      4. In the transient-enabled field, set the value to false.
         

Reach out to the administrator and check if you have access to that endpoint servers. Request for access if required.

User may not have access to that endpoint server. Check with the Administrator to see if the user has access.