Summary:
An issue has been discovered with the new Extended Metadata feature introduced in 12.5.0. This feature allows network or log decoders to store meta values for configured meta keys beyond the default limit of 256 bytes. Usage of this feature can lead to an archiver or concentrator failure state.
Affected Products:
NetWitness 12.5.x
Recommendation:
- Refrain from using the Extended Metadata feature until a fix is available. Follow the steps below for the scenario that applies to your situation.
Scenario 1: Install/upgrade to 12.5.1
Note: If the checksum (SHA-256) of the downloaded 12.5.1 zip file is 5455c959ed5082ff068a27575b863c00d47053db5fd9166f995ba2bc24ff84e8, extract the files and verify whether the build number matches one of the following. This scenario applies only if the build number matches one of the following.
- rsa-nw-decoder-12.5.1.0-12978.5.d0e8470c9.el8.x86_64.rpm
- rsa-nw-logdecoder-12.5.1.0-12978.5.d0e8470c9.el8.x86_64.rpm
Solution:
If the build numbers match the version on your system, then it is already patched. If upgrading to 12.5.1, this is the latest build, and applying it removes the Extended Meta feature.
Scenario 2: Install/upgrade 12.5.0
- The feature is present but not enabled by default.
- The extended meta keys are configured in the network and log decoder index files (index-decoder-*.xml or index-logdecoder-*.xml) using the attribute maxValueLength. For example,
<key description="Querystring" name="query" format="Text" level="IndexKeys" maxValueLength="4096" />
Solution:
- To avoid using the feature, do not add the attribute, or remove the attribute maxValueLength="xxxx" from any lines that contain it.
Note: Here, xxxx could be any number.
- If you have made any changes to the index files, restart the network decoder(s) and/or log decoder(s) services where the index files were adjusted for change(s) to take effect.
- If you have already enabled Extended Meta, to prevent concentrators and archivers from crashing, when issuing a query use a time range starting 15 minutes from the time the network and/or log decoder services were restarted in the previous step.
Scenario 3: Customers already on 12.5.1
Note: If the checksum (SHA-256) of the downloaded 12.5.1 zip file is 7e6732c8e3cf31459bc5f174a68fc38d6cb1a8991fc64ac9c189a0161c9ec841, extract the files and verify whether the build number matches one of the following. This scenario applies only if the build number matches one of the following.
- rsa-nw-decoder-12.5.1.0-12972.5.5bc8e1053.el8.x86_64.rpm
- rsa-nw-logdecoder-12.5.1.0-12972.5.5bc8e1053.el8.x86_64.rpm
Solution:
Apply Hotfix
- The feature is enabled by default for the following five meta keys: event.desc, param.src, param.dst, url, query.
- Request the hotfix from NetWitness Customer Support.
- Follow the installation instructions in the hotfix README file.
- The hotfix reverts the five meta keys and disables the Extended Meta feature. If Extended Meta was configured for any additional meta keys in the index file, the following manual steps must be followed to ensure the services start up as intended.
- The extended meta keys are configured in the network and log decoder index files (index-decoder-*.xml or index-logdecoder-*.xml) using the attribute maxValueLength. For example, <key description="Querystring" name="query" format="Text" level="IndexKeys" maxValueLength="4096" />
- Remove the attribute maxValueLength="xxxx" from any lines that contain it.
Note: Here, xxxx could be any number.
- Restart the network decoder(s) and/or log decoder(s) services where the index files were adjusted for change(s) to take effect.
- If you already have extended metadata in the index, to prevent concentrators and archivers from crashing, when issuing a query use a time range starting 15 minutes from the time the network and/or log decoder services were restarted in the previous step.
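The checks in Scenarios 1 through 3 above (match the downloaded zip's checksum against the two digests in this advisory, then find and remove every maxValueLength attribute from the decoder index files before restarting the services) can be scripted. The shell functions below are an added example written for this article, not NetWitness code or a NetWitness tool; they assume GNU sed and sha256sum (as on an el8 host), and the directory holding the index-decoder-*.xml / index-logdecoder-*.xml files is passed in as an argument rather than assumed. Each edited file is backed up to FILE.bak first so the change can be reversed.

```shell
#!/usr/bin/env bash
# Added example (not NetWitness code): triage helpers for the Extended Metadata advisory.
set -u

# SHA-256 digests of the two known 12.5.1 zip files named in the advisory.
PATCHED_ZIP_SHA256=5455c959ed5082ff068a27575b863c00d47053db5fd9166f995ba2bc24ff84e8  # Scenario 1: build 12978, already patched
HOTFIX_ZIP_SHA256=7e6732c8e3cf31459bc5f174a68fc38d6cb1a8991fc64ac9c189a0161c9ec841   # Scenario 3: build 12972, hotfix required

# classify_125_1_zip ZIPFILE -> prints "patched", "needs-hotfix" or "unknown"
classify_125_1_zip() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    case "$actual" in
        "$PATCHED_ZIP_SHA256") echo patched ;;
        "$HOTFIX_ZIP_SHA256")  echo needs-hotfix ;;
        *)                     echo unknown ;;
    esac
}

# verify_zip_checksum FILE EXPECTED_SHA256 -> exit 0 only when the digest matches
verify_zip_checksum() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# list_extended_meta_keys DIR
# Prints one "file:keyname=maxValueLength" line per <key> element that carries
# the maxValueLength attribute, i.e. every key for which Extended Meta is enabled.
list_extended_meta_keys() {
    dir=$1
    for f in "$dir"/index-decoder-*.xml "$dir"/index-logdecoder-*.xml; do
        [ -f "$f" ] || continue
        grep -o '<key [^>]*maxValueLength="[^"]*"[^>]*>' "$f" | while IFS= read -r line; do
            name=$(printf '%s\n' "$line" | sed -E 's/.*name="([^"]*)".*/\1/')
            len=$(printf '%s\n' "$line" | sed -E 's/.*maxValueLength="([^"]*)".*/\1/')
            printf '%s:%s=%s\n' "$f" "$name" "$len"
        done
    done
}

# count_extended_meta_keys DIR -> number of keys with Extended Meta enabled (0 means clean)
count_extended_meta_keys() {
    list_extended_meta_keys "$1" | awk 'END { print NR }'
}

# strip_max_value_length DIR
# Removes the maxValueLength="xxxx" attribute (any number) from every line that
# contains it, keeping a FILE.bak copy of each file that is modified. The decoder
# services still have to be restarted afterwards, as the advisory states.
strip_max_value_length() {
    dir=$1
    for f in "$dir"/index-decoder-*.xml "$dir"/index-logdecoder-*.xml; do
        [ -f "$f" ] || continue
        grep -q 'maxValueLength="' "$f" || continue
        cp -p "$f" "$f.bak"                       # backup before editing
        sed -i -E 's/ maxValueLength="[^"]*"//g' "$f"   # GNU sed in-place edit
        printf 'stripped maxValueLength from %s (backup: %s.bak)\n' "$f" "$f"
    done
}

# Typical use on a decoder (directory is an argument, not assumed):
#   list_extended_meta_keys /path/to/index/files     # audit only
#   strip_max_value_length  /path/to/index/files     # mitigate, then restart the decoder service
```

Run the audit first: a non-zero count from count_extended_meta_keys means Extended Meta is still in use on that decoder, which is the condition this advisory asks you to remove. classify_125_1_zip only recognises the two digests printed in this advisory; any other digest is reported as unknown rather than guessed.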
Please contact your local NetWitness Sales Representative or NetWitness Customer Support if there are any questions or concerns.