TroubleshootingTroubleshooting
NetWitness notifies users of issues using pop-up notifications.
NetWitness Workbench returns the following types of error messages explained in the following table.
Problem | Possible Causes | Solutions |
---|---|---|
Unable to connect to workbench service from NetWitness user interface Administration page. | NetWitness service is not running. |
Verify that your NetWitness service is running. Log in to your NetWitness Server and run the following command: status nwworkbench Firewall rules should allow connections from 50007, 50607 and 50107. service iptables status Verify that you are able to launch REST. Execute the following command for your appliance: https://<IPAddress>:50107 service If you are able to launch REST service for your appliance, you can confirm that there is no problem with the appliance. Navigate to the NetWitness side for further investigation as follows:
|
Not able to view Appliance service configuration tab for workbench appliance running in SSL mode. |
Enable SSL for appliance service and restart the appliance service. | |
The following error message is displayed when trying to load meta in order to create a report on a workbench collection: "Unable to fetch schema from data source when trying to load meta." |
Load meta for the appliance from the NetWitness User Interface Rule library and watch for any errors in Reporting Engine log located at: /home/rsasoc/rsa/soc/reporting- Launch REST for the device and watch for any error if you run the following query: /sdk?msg=language&force-content-type=text/plain&expiry=600&size=10 |
|
No results are displayed after running query from NetWitness User Interface via the Reporting Engine. |
Run the query on the Reporting Engine and watch for /var/log/messages on the data source. Look for an exact query that matches the data source. TIP: Search for [SDK-Query] in log file. Copy the exact query and run from REST SDK to see if you get any results. REST Query: /sdk?msg=query&force-contenttype=text/plain&expiry= 600&query=select%20user.dst&size=10 |
|
Workbench Available storage indicator in Workbench Collections Tab is not accurate. |
Available storage indicator in the User Interface displays the default Collections directory shown below: /VAR/NETWITNESS/WORKBENCH/COLLECTIONS |
None. |
Unable to open new collections after opening existing collections. |
There is a workbench configuration called “Max Open Collections” that is set to 25 by default. This configuration specifies the number of collections that can be open at the same time. |
You can modify this number. A setting of zero disables the limit of maximum open collections. |
Successfully opened a collection that got to Ready state. But after a while, the collection automatically changed to Closed state. |
There is a workbench configuration called “collection.timeout” that is set to 1200 seconds by default. This configuration specifies the number of seconds before an idle collection is automatically closed. Maximum time allowed before timeout occurs is 86,400 seconds (24 hours). |
A setting of zero disables the timeout. |
Querying for a time range using /database manifest command returned blank output. |
Blank output indicates that there are no nwdb files available for the time range. |
None. |
Created collection, but collection status is not available in Jobs, and collection is not displayed in workbench Collections tab. |
You might be running in a mixed mode environment (for example, creating a collection on a 10.4.x version of workbench from a 10.5 NetWitness User Interface. | The collection is displayed in the workbench Collections tab after you reload the page. |
Noticed blank Date Range and Date Created values for collections. | All collections display blank Date Range and blank Date Created values. | Date Range and Date Created values are displayed after upgrading to 10.5. |
Discrepancy in behavior of adding workbench collections as a data source to Reporting Engine. |
This behavior depends on whether you have a trusted connection or a non-trusted connection. |
If your workbench service is established with a trusted connection, you should manually add workbench collections as a source to Reporting Engine. If your workbench service is not established with a trusted connection when the workbench restoration collection was created, it automatically sends a message to the Reporting Engine to add it as a source in the Reporting Engine. |
Collection attributes (size, date range and date created) are not displayed. |
Date range is not displayed for a collection if Jetty service is restarted while restoration is in process. Restoration collections created from an Explorer view display a blank Date Range. Any collections created on a 10.4 Workbench will display blank Date Range and blank Date Created values after upgrading to 10.5. In a mixed mode environment (10.5 NetWitness Server and 10.4.x workbench), size, date range, and date created are not displayed. |
None. |
Exception or blank page is displayed when drilling down on a workbench collection. |
Collection closed because it exceeded the collection time out. | Investigate the collection from the beginning. |
Empty collection is created. |
Empty collection is displayed if restoration fails because Workbench service is restarted during collection creation. |
None. |
Service abruptly shuts down. | Run the service from command line and watch for any errors. For an example, run the command from the server console /usr/sbin/NwWorkbench for workbench. | |
REST request denied. |
Verify user.agent.whitelist config located at /rest/config/. If non-blank, this should be a regex expression to match valid HTTP user agents. If the regex fails to match, all REST requests will be denied (see allow.missing.user.agent for the potential exception). If blank, all requests are allowed. |
|
Queries with raw meta return blank values for Raw field. | Verify that you have a relevant packet db. |