.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
Issue
After an upgrade to 10.5.X, a "Failed to add Application Rule". error is thrown when attempting to add a new application rule to an SA decoder, as seen in the screenshot below:
On the SA server, in the /var/lib/netwitness/uax/sa.log, a snip of the error captured with a tail -f while attempting to add the new rules:
2016-01-19 21:24:55,472 [qtp684874119-1913] ERROR com.rsa.smc.sa.nextgen.service.DefaultContentRuleService - Failed to save rule changes for service MYDECODER - Decoder
com.rsa.smc.sa.common.exception.MessagingException: Failed to process message replace for /decoder/config/rules/application com.rsa.netwitness.carlos.transport.TransportException: Value range supplied as REGEX pattern
at com.rsa.smc.sa.core.service.impl.CarlosCoreMessageService.getMessageResponse(CarlosCoreMessageService.java:847)
On the decoder, a tail of /var/log/messages throws 2 distinct errors, 1 type clearly indicates which rule has failed and why, however the other error type is far more perplexing:
Error 1 from messages tail:
NwDecoder[3026]: [RulesEngine] [warning] Rule "<rule name>"' in deprecated format. Please make sure all text values are surrounded with quotes.
Where:
Error 2 from the messages tail:
NwDecoder[3026]: [RulesEngine] [warning] Rule '' in deprecated format. Please make sure all text values are surrounded with quotes.
Cause
10.5 introduced new functionality which prevents deprecated or incorrect rules to be added to the existing app rules.While this works as expected with 10.5 and causes no repercussions, when an upgrade is performed, and when new rules are added, all previously added rules are also checked for issues.
If there are issues, no new rules can be added until the existing rules are corrected.
Resolution
For "Error 1" type, those clearly indicated by name in /var/log/messages:
a. Validate each rule for syntax, nothing that validation errors are thrown, only a "deprecated rule" message will appear in /var/log/messages for the rule name.
b. Insure that all text strings are surrounded by single quotation marks. Also note that rules that contain syntax issues will also appear with the same error message. No validation errors are thrown, only a "deprecated rule" message will appear.
b. Insure that all text strings are surrounded by single quotation marks. Also note that rules that contain syntax issues will also appear with the same error message. No validation errors are thrown, only a "deprecated rule" message will appear.
For "Error 2" type: This error is quite elusive and gives no details of the reason why the rule failed. If this error appears, there are additional rules in the configuration that reference the named rule, in other words, a nested rule. To identify nested rules, do the following:
a. Export the current rules from the UI to a nwr file by doing the following:
Administration->Services, click on the Red gear to the right of the service, and select View->config
Select the "App Rules" tag
Select the "Actions" Tab as shown from the screenshot below
Administration->Services, click on the Red gear to the right of the service, and select View->config
Select the "App Rules" tag
Select the "Actions" Tab as shown from the screenshot below
b. This will generate a .nwr file name, save it to your PC or unix workstation. Note Windows notepad cannot be used for this activity due to its inability to recognize the .nwr line formatting. Use EMACS, Notepad++ or GVIM, or native vi on a Mac. If on a unix workstation, the file can be read using vi or nano.
c.Open the .nwr file using the editor (as outlined in step 2) and find all embedded references to any failed rules that are called out by name specifically (Error 1 rules).
c.Open the .nwr file using the editor (as outlined in step 2) and find all embedded references to any failed rules that are called out by name specifically (Error 1 rules).
3. Locate all instances of the named failed rules, paying particular attention to finding nested instances of failed named rules. Alternately, if using cygwin on your desktop, you can grep -i all instances of the failed rules.
4. Correct the identified failed (the named rules, or "Error 1" rules) and apply.
5. Once the corrected rules load successfully and are applied, the nested rules can then be re-applied one at a time.
Internal Comments
Cindy Celata -- 29 Jan 2016THIS ARTICLE IS INTERNAL ONLY.
This is a pretty nasty usability issue, although functioning as designed, and debugging this is difficult, as it is very time consuming to identify which rules are causing the "null" fault.
I consider this to be only a workaround. The process of cleaning the rules up is very cumbersome, very time consuming and manual.
See linked RFE. Should you encounter this issue, add customers encountering this issue to the report so it gets more visibility with DEV.
Product Details
RSA Product Set: Security AnalyticsRSA Product/Service Type: Decoder
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
Summary
This article details troubleshooting steps when application rules, which previously loaded without issue prior to an upgrade to 10.5.X, begin failing to load after the upgrade to 10.5.X
Approval Reviewer Queue
ASOC Approval Group