RSA NetWitness troubleshooting

This section lists actions that you can undertake and problems that you might encounter while integrating Kaspersky CyberTrace with RSA NetWitness.

If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.

Checking whether events arrive from RSA NetWitness at Feed Service

There are several ways to check whether RSA NetWitness sends events to Feed Service:

If no event arrives from RSA NetWitness, check the following:

Checking whether Feed Service matches events against Kaspersky Threat Data Feeds

Use the Feed Service log files to check whether the URL fields, hash fields, and IP address fields of events are matched against Kaspersky Threat Data Feeds. The log files must contain messages like those provided in the following example.

2016/07/25 20:16:30.162 DBG 0x7f99a6999700 UrlMatchingEngine. Normalized url: http://dbotnet.com/get.php?id=2&p=4

2016/07/25 20:16:30.162 DBG 0x7f99a6999700 FeedMatcher. http://dbotnet.com/get.php?id=2&p=4' is not detected for RE_URL 'Botnet_CnC_URL_Data_Feed.json'

2016/07/25 20:16:30.164 DBG 0x7f99a799b700 UrlMatchingEngine. Normalized url: http://botnet_domain_19.botnet_domain.com

2016/07/25 20:16:30.164 INF 0x7f99a799b700 FeedMatcher. Detect http://botnet_domain_19.botnet_domain.com' for RE_URL 'Botnet_CnC_URL_Data_Feed.json'

2016/07/25 20:16:30.164 INF 0x7f99a799b700 Category: KL_BotnetCnC_URL

If there are no such messages in the log files, check whether the Feed Service configuration file contains the correct regular expressions. You can also check the used regular expressions by using Kaspersky CyberTrace Web.

Checking whether Feed Service sends events to RSA NetWitness

You can check whether Feed Service sends events to RSA NetWitness in the following ways:

2016/07/25 20:16:09.240 INF 0x7f99aa7a4700 SiemAlert Connect to 10.70.77.3:9998

2016/07/25 20:16:09.241 INF 0x7f99aa7a4700 SiemAlert Connected successfully

2016/07/25 20:16:09.241 INF 0x7f99aa7a4700 SiemAlert Alert message: KL_ALERT_UpdatedFeed

2016/07/25 20:16:09.241 INF 0x7f99aa7a4700 SiemAlert Prepare message to send

2016/07/25 20:16:09.241 INF 0x7f99aa7a4700 SiemAlert Send message

2016/07/25 20:16:09.241 INF 0x7f99aa7a4700 Close connection

For Kaspersky CyberTrace 3.1 and above:

2020/05/20 17:09:12.987 INF 26341 siem New notification: KL_ALERT_UpdatedFeed --- parameters: [ 'feed': 'Blocklist.de_BlockIP.json', 'records': '35187' ]

2020/05/20 17:09:12.987 INF 26341 siem New notification: KL_ALERT_UpdatedFeed --- parameters: [ 'feed': 'Blocklist.de_BlockIP.json', 'records': '35187' ]

2020/05/20 17:09:12.987 DBG 26341 siem Connecting to '127.0.0.1:9998'

2020/05/20 17:09:12.987 DBG 26341 siem Sending notification KL_ALERT_UpdatedFeed

2020/05/20 17:09:12.987 DBG 26341 siem Notification KL_ALERT_UpdatedFeed has been sent successfully

Following is an example of a message written to the log when an event could not be sent to RSA NetWitness.

For Kaspersky CyberTrace 3.0 and below:

2016/07/27 18:27:25.241 ERR 0x7f545cb12700 Failed to notify siem: Connection failed

For Kaspersky CyberTrace 3.1 and above:

2020/05/20 17:09:12.987 ERR 26341 siem Failed to send notification KL_ALERT_FailedToUpdateFeed (error: 0x80000072 (Unknown exception))

If Feed Service sends no event, check the following:

Problem: RSA NetWitness does not display events from Feed Service

If RSA NetWitness displays no events from Feed Service, check whether the procedure in section "Step 2. Sending events from Feed Service to RSA NetWitness" is performed correctly.

Note that RSA NetWitness may display events from a device with a delay of 10 minutes.

Problem: The configurator displays an error message when the IP address and port of Log Decoder are specified in the OutputSettings > ConnectionString setting.

An error message like the following can be displayed:

Can't connect using the specified string. Press [Enter] to specify another string, or type "ok" to continue with 10.10.0.127:514

Check that the computer on which RSA NetWitness is installed is accessible from the computer on which Feed Service is installed (for example, by using the ping utility).

Problem: Some fields of events from Feed Service are not displayed in the metafields in RSA NetWitness

If some fields of events from Feed Service are not displayed in the metafields in RSA NetWitness, do the following:

Make sure that the values of the name and format fields in the configuration files are equal to the values of the nwName and format fields, respectively, in the table-map-custom.xml file.

Problem: After the Kaspersky CyberTrace dashboard is imported, no data is displayed

A dashlet displays an error message instead.

Dashlet displays no data

To fix this error, reconfigure the dashlet as follows:

  1. In the top right area of the dashlet, click the Settings button.

    The Settings button

    The Options window opens.

  2. Click Browse.

    Dashlet parameters

    The Select Chart window opens.

  3. Select the chart to be used in the dashlet.

    Selecting a chart

  4. Click Apply.

    The Apply button

Problem: Feed Utility displays the "peer certificate cannot be authenticated with given CA certificates" error message

The certificate cannot be authenticated. Make sure that root certificates are installed on your system. If root certificates are not installed, install them using a standard procedure for installing root certificates on your operating system.

Page top