Known Issues for NetWitness Export Connector

Components | Title, Problem & Workaround | Found In / Exists In | Fixed Version | Tracking Number

NetWitness Export Connector

Title: Position tracking is not updated properly when a query is used to filter the sessions.
Problem: The last session.id aggregated is not updated to the latest aggregated ID but only to the last filtered session retrieved. For example, if a decoder has 1000 sessions and only the first 800 sessions match the filter, the last.session.id in the position tracking shows 800 even though all 1000 sessions are processed. This does not cause any data loss, but if the Logstash service is restarted, aggregation will begin from session.id 801, processing the 200 sessions again.
Workaround: None

netwitness-export-connector-1.0.0

 

ASOC-101795

NetWitness Export Connector

Title: Consumer does not consume all the events after the Logstash service is restarted.

Problem: While running at a high EPS, or if the connector is a large number of sessions behind, the NetWitness Export Connector aggregates the sessions of the decoders. The Logstash pipeline sends them to the output plugin, which in turn sends them out to the consumer. At this point, if the Logstash service is stopped or restarted, the Logstash pipeline ensures the data is sent out of the output plugin to the consumer; however, not all the sessions are consumed by the consumer. This leads to data loss on the consumer end even though Logstash has sent out all the data.

Workaround: Update the start_session parameter in the Logstash configuration file (netwitness-<decoder-ip>-input.conf) by referring to the latest received session.id on Kafka or any other consumer used.

netwitness-export-connector-1.0.0

netwitness-export-connector-1.1.0

ASOC-102440

NetWitness Export Connector

Title: Position tracking is not saved for some Decoder sources after some time in a multiple-source configuration.

Problem: When aggregating data from multiple sources in a single Logstash instance, after a period of time, the position tracking thread fails for some or all of the sources gradually and stops tracking the position (bookmarking) for those sources.

Workaround: None

netwitness-export-connector-1.0.0

netwitness-export-connector-1.1.0

ASOC-102411

NetWitness Export Connector

Title: Unable to start session aggregation from first.session.id of Decoder when it is not 1.

Problem: If the Decoder has a first.session.id other than 1, which means the Decoder has data that has rolled over, setting the NetWitness Export Connector's start_session parameter to that value does not start aggregation from it. Instead, aggregation begins from the last.session.id.

Workaround: Add 1 to the first.session.id value and set the result as the start_session parameter. Aggregation then starts as expected, dropping only the first session. For example, if first.session.id on a Decoder is '1105000', add 1 to it and set the value of the start_session parameter to '1105001'.

netwitness-export-connector-1.0.0

netwitness-export-connector-1.1.0

ASOC-101951