Error message "Unable to drill down" when drilling into meta in RSA Security Analytics

Issue

During Investigation, when trying to drill down by meta key, the error message "Unable to drill down" appears after clicking on the meta key.


Cause

This issue is likely caused by corruption of the "Predicate table".

To confirm this, perform the same investigation using the REST port of the Concentrator with the following steps:
  1. Navigate to the following URL in a web browser (the host placeholder stands for the address of the Concentrator):  http://<Concentrator_IP_or_hostname>:50105/sdk/app/reports
  2. Perform an Investigation by drilling into one of the affected meta keys.
  3. Notice that there is no error message in performing the investigation.

Workaround

To resolve the issue, drop two tables from the database. Security Analytics recreates those tables the next time it starts.

Follow the steps below to perform the procedure.
  1. Connect to the Security Analytics server via SSH as the root user.
  2. Change directory to /tmp/jetty-0.0.0.0-443-root.war-_any/webapp/WEB-INF/lib with the command below.
    cd /tmp/jetty-0.0.0.0-443-root.war-_any/webapp/WEB-INF/lib
  3. Copy the h2-1.3.172.jar file to the /var/lib/netwitness/uax/db directory.
    cp h2-1.3.172.jar /var/lib/netwitness/uax/db/
  4. Stop the service for the Security Analytics web server.
    stop jettysrv
  5. Back up the contents of /var/lib/netwitness/uax/db to a safe location.
  6. Open the platform.db file using the command below. The relative paths in the command assume the current directory is /var/lib/netwitness/uax/db.
    java -cp ./h2-1.3.172.jar org.h2.tools.Shell -url jdbc:h2:file:platform
  7. Drop the two appropriate tables with the SQL commands below.
    drop table userpredicate;
    drop table predicate;
  8. Type exit to return to the CentOS prompt.
  9. Start the service for the Security Analytics web server again.
    start jettysrv
    NOTE: It may take up to five minutes before the Security Analytics UI is fully initialized.

After making the change above, check whether the issue still occurs. If the issue persists, revert the actions by following the steps below.
  1. Stop the service for the Security Analytics web server.
    stop jettysrv
  2. Restore the contents of /var/lib/netwitness/uax/db by moving your backup of the directory back into place.
  3. Start the service for the Security Analytics web server again.
    start jettysrv
  4. Collect nwtech output from the Security Analytics Server and open an Engineering ticket for further investigation.
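
The backup in step 5 and the restore in revert step 2 have no command on this page. One way to do both with an integrity check follows, as an added example that is not RSA tooling. The function names, archive naming and the /root/uax-db-backup destination are assumptions, and it is meant to be run while jettysrv is stopped.

```shell
#!/usr/bin/env bash
# Added example (not RSA tooling): checksummed backup and restore of the UAX db directory.
# Assumed usage, between steps 4 and 6 of the workaround:
#   archive=$(backup_db_dir /var/lib/netwitness/uax/db /root/uax-db-backup)
# and for revert step 2:
#   restore_db_dir "$archive" /var/lib/netwitness/uax/db

# backup_db_dir SRC_DIR DEST_DIR
# Archives SRC_DIR into DEST_DIR, records a SHA-256 beside the archive,
# confirms the archive is readable, and prints the archive path.
backup_db_dir() {
    local src="$1" dest="$2" stamp archive name
    [ -d "$src" ] || { echo "source directory not found: $src" >&2; return 1; }
    # A destination inside the source would end up inside its own archive.
    case "$dest/" in
        "$src"/*) echo "destination must be outside $src" >&2; return 1 ;;
    esac
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1          # the database holds user data
    stamp=$(date +%Y%m%d-%H%M%S)
    name="uax-db-$stamp.tar.gz"
    archive="$dest/$name"
    # -C stores paths relative to SRC_DIR so the archive restores into any target.
    (umask 077; tar -czf "$archive" -C "$src" .) || return 1
    tar -tzf "$archive" >/dev/null || return 1
    (cd "$dest" && sha256sum "$name" > "$name.sha256") || return 1
    echo "$archive"
}

# restore_db_dir ARCHIVE TARGET_DIR
# Verifies the recorded checksum, moves the current TARGET_DIR aside
# (it is kept, not deleted), then extracts the archive in its place.
restore_db_dir() {
    local archive="$1" target="$2" name
    name=$(basename "$archive")
    (cd "$(dirname "$archive")" && sha256sum -c "$name.sha256" >/dev/null) \
        || { echo "checksum mismatch, not restoring: $archive" >&2; return 1; }
    mv "$target" "$target.failed-$(date +%Y%m%d-%H%M%S)" || return 1
    mkdir -p "$target" || return 1
    tar -xzf "$archive" -C "$target"
}
```

The directory that restore_db_dir moves aside holds the database as it was after the table drop, which is useful to attach to the Engineering ticket.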

Internal Comments

Jeff Shurtliff -- 9/11/2015
This article is directed toward the Technical Support Engineers and is intended to be internal.

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.4.1.0

Approval Reviewer Queue

ASOC Approval Group