.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
UI Performance impact when CSV file is inaccessible for a remote feed in the Netwitness Suite
Issue
On the NW UI server the Jetty web server will throw a NullPointerException if a feed file cannot be reached, which can be seen in /var/netwitness/uax/sa.log and will resemble:
2024-12-04 11:19:58,028 [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-4] INFO com.rsa.smc.sa.live.job.quartz.RecurringFeedJob - The in
put stream to JobFileStore for Recurring Feed Job
2024-12-04 11:19:58,055 [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-4] ERROR com.rsa.smc.sa.core.service.DefaultHttpClientService - h
ttps://siemautomation.company.com/feeds/WineventidAuditing.csv
java.net.UnknownHostException: siemautomation.company.com: Name or service not known
at java.base/java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
at java.base/java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:934)
at java.base/java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1543)
at java.base/java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:852)
at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1533)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1385)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1306)
at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:112)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.rsa.smc.sa.core.service.DefaultHttpClientService.getContentUrl(DefaultHttpClientService.java:68)
at com.rsa.smc.sa.live.job.quartz.RecurringFeedJob.getCsvOrFeedFile(RecurringFeedJob.java:461)
at com.rsa.smc.sa.live.job.quartz.RecurringFeedJob.prepareForJobExecution(RecurringFeedJob.java:333)
at com.rsa.smc.sa.live.job.quartz.RecurringFeedJob.executeJob(RecurringFeedJob.java:535)
at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2024-12-04 11:19:58,055 [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-4] ERROR com.rsa.smc.sa.live.job.quartz.RecurringFeedJob - Failed to access file
put stream to JobFileStore for Recurring Feed Job
2024-12-04 11:19:58,055 [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-4] ERROR com.rsa.smc.sa.core.service.DefaultHttpClientService - h
ttps://siemautomation.company.com/feeds/WineventidAuditing.csv
java.net.UnknownHostException: siemautomation.company.com: Name or service not known
at java.base/java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
at java.base/java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:934)
at java.base/java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1543)
at java.base/java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:852)
at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1533)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1385)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1306)
at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:112)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.rsa.smc.sa.core.service.DefaultHttpClientService.getContentUrl(DefaultHttpClientService.java:68)
at com.rsa.smc.sa.live.job.quartz.RecurringFeedJob.getCsvOrFeedFile(RecurringFeedJob.java:461)
at com.rsa.smc.sa.live.job.quartz.RecurringFeedJob.prepareForJobExecution(RecurringFeedJob.java:333)
at com.rsa.smc.sa.live.job.quartz.RecurringFeedJob.executeJob(RecurringFeedJob.java:535)
at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2024-12-04 11:19:58,055 [org.springframework.scheduling.quartz.SchedulerFactoryBean#0_Worker-4] ERROR com.rsa.smc.sa.live.job.quartz.RecurringFeedJob - Failed to access file
This may impact the performance of jetty (the legacy webserver).
Workaround
Restart Jetty:1. SSH as root in to your SA server
2. Run:
systemctl stop jetty
3. Run:
systemctl start jetty
Repair or remove the failed feed that cannot be accessible.
1. Click on Dashboards or Administration - Select Live and click on Feeds.
2. Check in the list of Feeds for the failed feed(s).
3. Use the select box to select the failed feed.
4. Click the edit icon and use the verify button to confirm the feed is accessible. If the feed is not accessible determine why the link to the feed is down or remove the feed by clicking on the minus delete button until you have resolved the location of the feed.
Resolution
This will be addressed in RSA Security Analytics version 10.6.3.
Internal Comments
Moving to internal because this was supposedly addressed in 10.6.3, however the process to fix could still be applied if issues are still observed.
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Node-Zero/Admin Server
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma linux
Approval Reviewer Queue
Technical approval queue