DNS no longer resolves short name for event sources after RSA NetWitness Platform 11.2 and higher upgrade causing logon failure to these sources
Issue
Active Directory fails to connect to event sources after an upgrade to 11.2 or higher. Once the upgrade has completed, the contents of /etc/resolv.conf have been moved to /etc/netwitness/platform/resolv.dnsmasq and the UI server (Node-Zero) has started acting as a DNS proxy server. On all other devices, /etc/resolv.conf now points to Node-Zero as the DNS server.
Cause
In version 11.2 and higher, we changed the architecture to make Node-Zero a DNS proxy server. Currently, the DNS proxy does not resolve short names.
Workaround
Ensure that /etc/resolv.conf is the same across all systems. The correct one is located on the UI Server (Node-Zero) in /etc/netwitness/platform/resolv.dnsmasq. Use it as the example and place the same information on all systems.
Resolution
To resolve this issue, replace /etc/resolv.conf with the correct information, which can be found on Node-Zero in /etc/netwitness/platform/resolv.dnsmasq.
Note: The 11.3 update makes resolv.conf immutable. Hence, Step 1 is applicable to 11.3 environments only.
1. Make the resolv.conf file mutable using chattr -i /etc/resolv.conf
2. Move the current DNS settings into a backup file using mv /etc/resolv.conf /etc/resolv.conf_old
3. Run the cp /etc/netwitness/platform/resolv.dnsmasq /etc/resolv.conf command to restore the DNS settings.
4. Use the same /etc/resolv.conf made in Step 3 for the other NetWitness devices.
Note: Log Collectors will need to have their collection services restarted if they use short name lookup for WinRM.
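The steps above as a shell script with checks added (an added example, not RSA's own script): it refuses a reference file that lists no nameserver entries, keeps the backup, and confirms the installed file matches the reference. The function names, the REF variable and the --apply switch are assumptions of this example; the paths are the ones named in this article.

```shell
#!/bin/sh
# Added example: the documented resolv.conf replacement with sanity checks.
# Nothing is changed unless the script is started with --apply.

# Print the nameserver addresses listed in a resolver file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Replace TARGET with REF, keeping the previous file as TARGET_old.
# Returns 0 on success, 1 if REF is unusable, 2 if the swap failed.
restore_resolv() {
    ref=$1
    target=$2
    # Refuse to install a reference file that names no DNS servers.
    [ -r "$ref" ] || return 1
    [ -n "$(nameservers "$ref")" ] || return 1
    if [ -e "$target" ]; then
        # Step 1 (11.3 only): clear the immutable flag; harmless elsewhere.
        chattr -i "$target" 2>/dev/null || true
        # Step 2: keep the current settings as a backup.
        mv "$target" "${target}_old" || return 2
    fi
    # Step 3: install the reference settings.
    cp "$ref" "$target" || return 2
    # Confirm the installed file lists the same servers as the reference.
    [ "$(nameservers "$target")" = "$(nameservers "$ref")" ] || return 2
}

if [ "${1:-}" = "--apply" ]; then
    # REF defaults to the Node-Zero path from the article; on other devices
    # point it at a copy of that file (assumption of this example).
    restore_resolv "${REF:-/etc/netwitness/platform/resolv.dnsmasq}" \
        /etc/resolv.conf || exit $?
    # Optional second argument: a short name to confirm it now resolves.
    [ -z "${2:-}" ] || getent hosts "$2"
fi
```

A non-zero exit from the optional getent lookup means the short name still does not resolve on that device.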
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Platform
RSA Version/Condition: 11.2, 11.3
Summary
With the 11.2 and 11.3 upgrade, the UI Head (Node-zero) acts as a DNS server relay.