Recurring Identity feed is not working when using the hostname or IP address of the Log Collector service in NetWitness
Issue
When setting up an identity feed with a Log Collector using HTTPS and using the hostname or IP address of the Log Collector service, the identity feed is not working due to a certificate validation failure. The error message below is found in the /var/lib/netwitness/uax/logs/sa.log file.
javax.net.ssl.SSLException: hostname in certificate didn't match: <hostname> != <node_id>
Workaround
There are currently two approaches to work around this:
- Import log collector cert as documented in the Product Documentation
- Change the URL of Log Collector to use the node_id and add static mapping of node_id to IP in /etc/hosts of SA server (as shown below)
Perform the following steps for the second approach above:
- Connect to the Security Analytics server appliance via SSH as the root user.
- Open the /etc/hosts file and add an entry that maps the node_id of the host to the appliance IP address.
- In the NetWitness UI, select Live > Feeds.
- In the Feeds view, click Add.
- In the Setup Feed dialog, select Identity Feed and click Next.
- In the Define Feed tab, select Recurring.
- In the URL field, enter the node_id of the host as the hostname.
For example, use a hostname of 1n702df2-5891-4e9g-9323-4f492a8556fd instead of 10.11.12.13.
- In the Select Services form, select the Services on which the feed is to be deployed and click Next.
- In the Review form, review feed information and if correct, click Finish.
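The /etc/hosts mapping in the second step above can be applied with a shell function like the one below. This is an added example, not part of the original article or of NetWitness tooling; the function name map_node_id is hypothetical, and the node_id and IP address are the sample values used in this article.

```shell
#!/bin/sh
# Added example: map a Log Collector node_id to its IP in a hosts file, once.
# Usage (as root on the SA server):
#   map_node_id 1n702df2-5891-4e9g-9323-4f492a8556fd 10.11.12.13
# An optional third argument names another hosts file, e.g. a copy for testing.
map_node_id() {
    node_id=$1; ip=$2; hosts=${3:-/etc/hosts}

    # Accept only hostname characters and dotted-quad IPv4, so a malformed
    # argument cannot smuggle extra fields or lines into the hosts file.
    case $node_id in
        ''|*[!A-Za-z0-9-]*) echo "invalid node_id: $node_id" >&2; return 2 ;;
    esac
    case $ip in
        ''|*[!0-9.]*) echo "invalid IPv4 address: $ip" >&2; return 2 ;;
    esac
    echo "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }' ||
        { echo "invalid IPv4 address: $ip" >&2; return 2; }
    [ -f "$hosts" ] || { echo "no such file: $hosts" >&2; return 2; }

    # Find the address the node_id already resolves to in this file, if any.
    # Comments are ignored; names are compared case-insensitively.
    current=$(awk -v n="$node_id" '
        { sub(/#.*/, "")
          for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(n)) { print $1; exit } }' "$hosts")

    if [ "$current" = "$ip" ]; then
        echo "already mapped: $ip $node_id"
        return 0
    elif [ -n "$current" ]; then
        # A stale entry would silently send the feed to the wrong host.
        echo "conflict: $node_id maps to $current in $hosts" >&2
        return 1
    fi

    # Keep a timestamped backup, then append the static mapping.
    cp -p "$hosts" "$hosts.bak.$(date +%Y%m%d%H%M%S)" &&
        printf '%s\t%s\n' "$ip" "$node_id" >> "$hosts"
}
```

The function returns 0 when the mapping is present or was added, 1 when the node_id already points at a different address, and 2 on invalid input.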
Resolution
Works as designed.
Notes
Normal instructions for setting up Identity Feed can be found in the product documentation.
Product Details
RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Log Collector, User Interface, Identity Feed
RSA Version/Condition: 10.6.x, 11.x, 12.x
Platform: CentOS, AlmaLinux
O/S Version: EL6, EL7
Summary
Administration Identity Feed.