RSA NetWitness Endpoint agent not being assigned a policy
Issue
This issue occurs when the agent host (a Windows server) has more than 3 IP addresses defined. The NetWitness Endpoint Agent cannot get a policy from the Endpoint LogHybrid, although there is no communication issue.
Cause
If more than 3 IP addresses are defined on the agent, the agent sends a malformed list of IP addresses. With trace/debug logging, the following events are logged.
30 01h07:55.326 (4940) GetDataNetworkAdapterVista: Found Adapter Intel(R) 82574L Gigabit Network Connection
30 01h07:55.357 (4940) ** return 0 at GetDataNetworkAdapter.c(78), error 0
30 01h07:55.388 (4940) ** continue at GetDataNetworkAdapter.c(246), error 0
30 01h07:55.404 (4940) GetDataNetworkAdapterVista: Output of adapter with IPv4 10.218.240.160; 10.218.240.178; 10.218.240.179; 10.218.240..8.., IPv6 fe80::d8a6:10b1:dd56:bcc6
When evaluating a group policy for the same agent on the Endpoint Server side, we run into the same malformed IP list and fail to create a policy for this agent's get-policy request.
2020-05-30 01:09:47,511 [ https-jsse-nio-7050-exec-9] DEBUG EndpointManagement|Machine data persistence started for 33C3484B-3464-AACF-63E7-42CBBC3057ED with scan time Sat May 30 01:06:16 UTC 2020
2020-05-30 01:09:47,558 [ https-jsse-nio-7050-exec-9] DEBUG EndpointManagement|Exception while evaluating group-policy for revision 110
java.lang.IllegalArgumentException: '10.218.240..8..' is not an IP string literal.
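The malformed entry in the log lines above can be detected mechanically when triaging hosts that show no assigned policy. The following is an added example, not RSA's code: it assumes the agent trace and Endpoint Server log line formats exactly as quoted in this article, and the names `scan`, `is_valid_ip` and `SAMPLE_LOG` are illustrative.

```python
import ipaddress
import re

# Sample input: the first two lines are quoted from this article,
# the third is a constructed healthy adapter line for contrast.
SAMPLE_LOG = """\
30 01h07:55.404 (4940) GetDataNetworkAdapterVista: Output of adapter with IPv4 10.218.240.160; 10.218.240.178; 10.218.240.179; 10.218.240..8.., IPv6 fe80::d8a6:10b1:dd56:bcc6
java.lang.IllegalArgumentException: '10.218.240..8..' is not an IP string literal.
30 01h07:55.404 (4940) GetDataNetworkAdapterVista: Output of adapter with IPv4 192.0.2.10; 192.0.2.11, IPv6 fe80::1
"""

# Agent side: the IPv4 list sits between "IPv4 " and ", IPv6".
AGENT_RE = re.compile(r"Output of adapter with IPv4 (?P<v4>.*?), IPv6 ")
# Server side: the rejected literal is quoted in the exception message.
SERVER_RE = re.compile(r"IllegalArgumentException: '(?P<ip>[^']*)' is not an IP string literal")
MAX_SAFE_ADDRESSES = 3  # threshold stated in this article


def is_valid_ip(text):
    """Return True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def scan(log_text):
    """Flag adapter lines with malformed or more than 3 IPv4 entries,
    and server exceptions that rejected an IP literal."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = AGENT_RE.search(line)
        if m:
            v4 = [a.strip() for a in m.group("v4").split(";") if a.strip()]
            bad = [a for a in v4 if not is_valid_ip(a)]
            if bad or len(v4) > MAX_SAFE_ADDRESSES:
                findings.append({"line": lineno, "source": "agent",
                                 "count": len(v4), "malformed": bad})
            continue
        m = SERVER_RE.search(line)
        if m and not is_valid_ip(m.group("ip")):
            findings.append({"line": lineno, "source": "server",
                             "count": 1, "malformed": [m.group("ip")]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `source` set to `agent` and a matching `server` finding for the same literal ties the missing policy to this issue rather than to a communication problem.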
Workaround
To work around this issue, perform the following steps.
- Delete agent from NetWitness UI > Investigate > HOSTS page
- Edit network configuration on agent to have only 3 IP addresses.
- Uninstall and re-install agent.
- Verify new host is populated in NetWitness UI > Investigate > HOSTS page, with policy assigned.
- Edit network configuration on agent to add additional IP addresses.
Resolution
This issue is under review by engineering to determine the code fix.
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Endpoint Server
RSA Version/Condition: 11.4.x