Skip to content
  • There are no suggestions because the search field is empty.

Different result between Go to event in Event Reconstruction and query in RSA NetWitness Platform Investigate

Issue

In rare cases, you may see a different result between "Go to event in Event Reconstruction" and querying specific sessionid in Investigate.

Here are the details:
  1. From Investigate > "Go to event in Event Reconstruction", searching for eventID "234994693505", you are able to see the result as shown below.
    User-added
  2. From Investigate > "Go to event in Event Analysis", searching for eventID "234994693505", but it displays an error message as shown below.
    User-added
  3. When using query "sessionid=234994693505", it displays "No data to display" as shown below.
    User-added
  4. From Broker-explore-sdk deviceId, it displays "No device mapping exists".
    User-added
  5. When exporting pcap this session, its actual size is 0byte.
    User-added
     
In summary, this problematic session only can be retrieved via "Go to event in Event Reconstruction".

Cause

Sometimes the Broker can complain about the ranges out of sync with the Index/MapDB. 
When the ranges are out of sync, you may face this problem on the investigation/events page. 
When ranges are out of sync, you are not able to query properly in the broker.

Workaround

You can try the following procedures to fix this issue.
  1. Go to the Explore page of "Broker".
  2. Right Click "Broker" node and select "Repair" from the dropdown. 
  3. Click Send. This would take a few seconds to a few minutes. 
  4. Check if the issue persists on the Broker. 
    This step would not cause any data loss. This would eventually correct the mapping in the broker. Restarting Service is not required.

But if the procedures above do not work, you need to perform the following procedures.
  1. SSH to the Broker Appliance. 
  2. Turn off the Broker Service (service nwbroker stop). Before proceeding further, check the status of the service (service nwbroker status). The status should not be deactivating / running / active.
  3. Go to the Folder: "/var/netwitness/broker/index" 
    • Map DB files would be present.
  4. Backup the Files in this folder to any backup location.
    • Make Directory "mkdir /root/broker-mapdb/" 
    • Go to the folder "/var/netwitness/broker/index" 
    • Move all the files "mv * /root/broker-mapdb/ -vv"
    • Check if all the files are moved to the backup location.
  5. Start the Broker Service. 
  6. Post starting the service, remove, and re-add the devices in the Broker Configurations.
    *Note: Back up process is very important. If there is any issue in regeneration, only recovery process is to restore the backed up files.
     
Once done, you are now able to query via "Go to event in Event Reconstruction" with problematic sessionid which means it syncs with the Index/MapDB in the broker.

Product Details

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.2.0
Platform: CentOS
O/S Version: 7

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue