
NetApp logs coming with No description string found in raw logs in NetWitness

Issue

The NetApp event source was configured using the Network Appliance Data ONTAP Event Source Configuration Guide, but the raw logs on the Investigate page appear as shown below.

<4> Wed Dec 11 07:18:53 2019 ABC NetApp: RealSource:"ABC" [BCD] Wed Dec 11 07:18:53 2019: /NetApp-Security-Auditing/ABC/NetApp-Security-Auditing (4656) - " No description string found. string-data=[3.4.5.6 <~> <~> S-1-5-21-266749940-1637964444-929701000-2791645 <~> false <~> CDF <~> BCDE <~> Security <~> File <~> 00000000000bb1;00;00a3c9be;a6be8e76 <~> (ENG);/bcde/Work/bcde/FIles from local 1/Local Z drive/ASDFG FGSDF 18Jun2019/BCDE/MATING FEATURES REVIEW/ABCDEF ROTATING/OHIS data Capture_Status E_C_L_TR_z_F_1.xlsx <~> <unknown parameter> <unknown parameter> <unknown parameter> <unknown parameter> <unknown parameter> <unknown parameter> <unknown parameter> <unknown parameter> <~> 8607 <~> Read Data; List Directory; Write Data; Add File; Append Data; Add Subdirectory; Read Extended Attributes; Write Extended Attributes; Read Attributes; Write Attributes; Read ACL; <~> Open a non-directory; ]"
<4> Wed Dec 11 07:28:02 2019 ABC NetApp: RealSource:"ABC" [BCD] Wed Dec 11 07:28:02 2019: /NetApp-Security-Auditing/ABC/NetApp-Security-Auditing (4670) - " No description string found. string-data=[3.4.5.6 <~> <~> S-1-5-21-266749940-1637964444-929701000-2662293 <~> false <~> CDF <~> Abcd.efgh <~> Security <~> File <~> 00000000000548;00;006d2c63;0ed8c50e <~> (CCDEMAGAHD);/SD_A/Prs/Potals/DPM/Report/2017/Feb/05-02-17/BKP02SynD.csv <~> O:S-1-5-21-266749940-1637964444-929701000-2122316 <~> O:S-1-5-21-266749940-1637964444-929701000-807936076]"

Cause

This issue was caused by outdated windowslegacy content in the NetWitness Local Collector.


Resolution

Follow the steps below on the Local Collector over an SSH session (for example, with PuTTY).
  1. Stop the Log Collector service with the command below.
    systemctl stop nwlogcollector.service
  2. Take a backup of the existing microsoft_windows_server_2008_enterprise.zip file.
    mv /etc/netwitness/ng/logcollection/content/transform/windowslegacy/strings/microsoft_windows_server_2008_enterprise.zip /root
  3. Download the WindowsLegacyContent.zip file, extract the latest microsoft_windows_server_2008_enterprise.zip from it, and upload that file to the /etc/netwitness/ng/logcollection/content/transform/windowslegacy/strings/ directory.
  4. Start the Log Collector service with the command below.
    systemctl start nwlogcollector.service
  5. Confirm that new NetApp raw events no longer contain the "No description string found" message.
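The swap in steps 1-4 and the check in step 5, as an added shell example that is not part of this article: it assumes the new zip has already been downloaded to a local path and that unzip is available on the collector; the sample raw events are constructed from the format shown above.

```shell
#!/bin/sh
# Added example, not from the NetWitness KB article: helpers for the
# content swap (steps 1-4) and for the verification in step 5.
# Assumed: the new zip is already on the host, and unzip is installed.

STRINGS_DIR=/etc/netwitness/ng/logcollection/content/transform/windowslegacy/strings
CONTENT_ZIP=microsoft_windows_server_2008_enterprise.zip

# The zip must exist, be non-empty and pass an integrity test before install.
check_content_zip() {
    f="${1:-$STRINGS_DIR/$CONTENT_ZIP}"
    [ -s "$f" ] && unzip -tq "$f" >/dev/null 2>&1
}

# Steps 1-4 with a timestamped backup under /root. Defined only, not run here.
replace_content_zip() {
    new_zip="$1"
    check_content_zip "$new_zip" || { echo "bad zip: $new_zip" >&2; return 1; }
    systemctl stop nwlogcollector.service
    mv "$STRINGS_DIR/$CONTENT_ZIP" "/root/$CONTENT_ZIP.$(date +%Y%m%d%H%M%S)"
    cp "$new_zip" "$STRINGS_DIR/$CONTENT_ZIP"
    systemctl start nwlogcollector.service
}

# Step 5: print "<event_id> <count>" for each raw event on stdin that still
# carries the marker; the ID is the number in parentheses, e.g. "(4656)".
count_undescribed() {
    grep 'No description string found' \
    | sed -n 's/.*(\([0-9][0-9]*\)) - " No description string found.*/\1/p' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# Succeeds only when no line on stdin carries the marker.
no_undescribed() {
    n=$(grep -c 'No description string found' || true)
    [ "$n" -eq 0 ]
}

# Constructed sample, shortened from the article's raw events.
SAMPLE='<4> Wed Dec 11 07:18:53 2019 ABC NetApp: RealSource:"ABC" [BCD] /NetApp-Security-Auditing/ABC/NetApp-Security-Auditing (4656) - " No description string found. string-data=[3.4.5.6 <~> ...]"
<4> Wed Dec 11 07:28:02 2019 ABC NetApp: RealSource:"ABC" [BCD] /NetApp-Security-Auditing/ABC/NetApp-Security-Auditing (4670) - " No description string found. string-data=[3.4.5.6 <~> ...]"
<4> Wed Dec 11 07:30:00 2019 ABC NetApp: RealSource:"ABC" [BCD] /NetApp-Security-Auditing/ABC/NetApp-Security-Auditing (4656) - " No description string found. string-data=[3.4.5.6 <~> ...]"
<4> Wed Dec 11 07:31:00 2019 ABC NetApp: RealSource:"ABC" [BCD] /NetApp-Security-Auditing/ABC/NetApp-Security-Auditing (4624) - " Constructed event text that parsed correctly."'

printf '%s\n' "$SAMPLE" | count_undescribed
```

On a live collector, feed `count_undescribed` with events exported after the restart; any event ID still listed indicates the content in the strings directory was not replaced.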

Product Details

RSA Product Set:  NetWitness Platform
RSA Product/Service Type: Local Collector
RSA Version/Condition: 11.X

Summary

This document outlines the procedure to fix "No description string found" errors in raw logs.

