Troubleshooting

This topic provides information about possible issues that NetWitness users may encounter when setting up their ContextHub service in NetWitness.

Problem Solutions

Prefetch for list fails if the list is created in append mode.

Details:

The following error message is displayed in the logs, indicating that the number of entries in the list exceeds the maximum allowed:

Error setting data source entries com.rsa.asoc.contexthub.exception.ContextHubException: total.entries.exceed.max

Also, Health & Wellness sets the stat Contexthub.Datasource.Health.Data-Sources-Health to Unhealthy and displays the names of the lists for which prefetch has failed.

For example, the list contains 50001 entries and the CSV file contains 50001 records (you did not change the CSV since the last prefetch). The upper limit on the number of entries in a list is 100,000. On prefetch, Context Hub tries to append the 50001 records to the list, but because 50001 + 50001 > 100,000, the prefetch fails.

Solutions:

Add to the .csv file only those entries that you want to append to the existing list. If you do not want to append any entries to the list, perform one of the following, as applicable:

  • If you created the list with headers: remove all rows from the .csv file except the header row.
  • If you created the list without headers: the .csv file must contain 0 rows.

The Respond service is not able to send incidents to Archer with third party signed certificates.

As a workaround, run a command to add a PEM certificate to the Respond trust store.

Run the following command on the Respond host:

security-cli-client --add-trusts -s respond-server -x <pem_certfilename> -u <username> -k <password>

Where:

  • <pem_certfilename> is the name of the certificate file.
  • <username> and <password> are your NetWitness administrator credentials.

SSL handshake with Archer certificate fails while adding it as a data source.

Use an Archer-generated certificate with the Trust All Certificates option configured.

Pivot to Investigate option on the Respond page does not navigate to the correct link.

When you stop and restart the RabbitMQ server, the Pivot to Investigate option on the Respond screen is not visible, and the context panel for Pivot to Investigate reopens the same page. To fix this, restart the jetty service on the NetWitness Server: log in to the NetWitness Server host and run the service jetty restart command.

When you import a list with missing quotes, such as "172.16.0.0 (no closing quote), the list is saved without any data to display.

This is because of Apache Commons CSV bug CSV-141, which causes CSV files with incorrect quoting to fail to parse.

To fix this, import a list with correct quotes so that the file is not saved empty. For example, "172.16.0.0", "host.mycompany.com", and so on.
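The following Python pre-check is an added example, not NetWitness code, that you can run against a list CSV before importing it or before an append-mode prefetch. It flags lines with unbalanced quotes (the CSV-141 case above) and reports whether appending the file's rows would push the list past the 100,000-entry limit described in the first problem; the function names are assumptions, the limit and the header handling come from this page.

```python
import csv
import io

# Upper limit on the number of entries in a Context Hub list (from this page).
MAX_LIST_ENTRIES = 100_000


def quotes_balanced(line: str) -> bool:
    """True if a physical line has an even number of double quotes.

    A value such as "172.16.0.0 with no closing quote has an odd count,
    which is the malformed input that leaves the imported list empty.
    Escaped quotes inside a field ("") add two, so they stay balanced.
    """
    return line.count('"') % 2 == 0


def check_list_csv(text: str, existing_entries: int, has_header: bool) -> dict:
    """Validate list CSV content before import or append-mode prefetch.

    existing_entries: entries already in the Context Hub list.
    has_header: whether the list was created with a header row, in which
    case the first line is not counted as data.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    malformed = [i + 1 for i, ln in enumerate(lines) if not quotes_balanced(ln)]

    # Only count data rows that parse cleanly; the csv module is used here
    # purely to count records in the well-formed case.
    rows = 0
    if not malformed:
        records = list(csv.reader(io.StringIO("\n".join(lines))))
        rows = max(len(records) - (1 if has_header else 0), 0)

    would_exceed = existing_entries + rows > MAX_LIST_ENTRIES
    return {
        "malformed_lines": malformed,          # 1-based line numbers
        "rows_to_append": rows,
        "would_exceed_limit": would_exceed,
        "ok": not malformed and not would_exceed,
    }
```

A header-only file (or an empty one for a list created without headers) reports 0 rows to append, which is the safe state for a prefetch when nothing new should be added.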

Increasing the limit settings for Alerts and Incidents leads to lookup error.

By default, the limit setting for the number of Alerts and Incidents to view is set to 50. If the limit is increased, looking up meta for alerts and incidents may result in a lookup error. This is due to an internal database restriction.

Keep the limit for viewing the number of Alerts and Incidents at 50 or less.

Multiple incident and alert tabs are displayed while editing the advanced configuration of the Respond data source.

You must delete duplicate entries in the Context Hub MongoDB and restart the MongoDB Context Hub Server. Perform the following:

  1. Log in to control MongoDB on Admin Server.

  2. Go to contexthub-server > ds_meta collection.

    Note: Make a note of the '_id' value of the duplicate entries for the incident and alert documents that you want to delete.

  3. In the ds_meta collection, delete 1 Incident and 1 Alert document.
    Once the duplicate entries are deleted only 1 Incident and 1 Alert type document will be available in the ds_meta collection.

  4. Log in to the application MongoDB on the ESA Primary.

  5. Go to contexthub-server, then locate and delete the following collections:

    • ds_entries_<id-of-incident-doc-deleted-in-step-3>
    • ds_entries_<id-of-alert-doc-deleted-in-step-3>

  6. Under the bookmark_store collection, locate and delete the documents whose id is the same as the _id of the Incident and Alert documents in the ds_meta collection.

  7. Restart Context Hub Server.