RSA NetWitness troubleshooting

February 27, 2024

ID 171577

This section lists actions that you can undertake and problems that you might encounter while integrating Kaspersky CyberTrace with RSA NetWitness.

If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your Technical Account Manager (TAM) for more information about solutions to problems.

Checking whether events arrive from RSA NetWitness at Kaspersky CyberTrace Service

There are several ways to check whether RSA NetWitness sends events to Kaspersky CyberTrace Service:

  • You can check whether the Kaspersky CyberTrace Service log files contain messages about arriving of events from RSA NetWitness.

    In this case the Kaspersky CyberTrace Service logging configuration file (bin/kl_feed_service_log.conf) must contain the dbg string in the WriteLog element.

  • You can use the netcat utility to send events from the computer on which RSA NetWitness is installed and then check whether the corresponding messages are added to the Kaspersky CyberTrace Service log files.
  • You can stop Kaspersky CyberTrace Service and use the netcat utility to listen for events from RSA NetWitness by running the following command:

    nc -l -p [port] -s [IP]

    Here [IP] and [port] are the IP address and port to which RSA NetWitness sends events for Kaspersky CyberTrace Service.

  • You can use the tcpdump utility to listen on the port where events from RSA NetWitness must arrive.

    The tcpdump utility listens on port [port] if you run the utility by using the following command:

    tcpdump -neX port [port]

    Note that the tcpdump utility may use a different flag (not -neX) depending on the operating system it runs on.

If no event arrives from RSA NetWitness, check the following:

  • Check whether all steps listed in section "Forwarding events from RSA NetWitness" are performed correctly.
  • Check whether the events arrive at RSA NetWitness from the source device.

    You can check it in the same way as you check whether RSA NetWitness sends events to Kaspersky CyberTrace Service.

  • Check that the computer on which Kaspersky CyberTrace Service is installed is accessible from the computer on which RSA NetWitness is installed.

    You can check it by using the ping utility.

Checking whether Kaspersky CyberTrace Service matches events against Kaspersky Threat Data Feeds

Use the Kaspersky CyberTrace Service log files to check whether the URL fields, hash fields, and IP address fields of events are matched against Kaspersky Threat Data Feeds. The log files must contain messages like those provided in the following example.

2016/07/25 20:16:30.162 DBG 0x7f99a6999700 UrlMatchingEngine. Normalized url: http://dbotnet.com/get.php?id=2&p=4

2016/07/25 20:16:30.162 DBG 0x7f99a6999700 FeedMatcher. http://dbotnet.com/get.php?id=2&p=4' is not detected for RE_URL 'Botnet_CnC_URL_Data_Feed.json'

2016/07/25 20:16:30.164 DBG 0x7f99a799b700 UrlMatchingEngine. Normalized url: http://botnet_domain_19.botnet_domain.com

2016/07/25 20:16:30.164 INF 0x7f99a799b700 FeedMatcher. Detect http://botnet_domain_19.botnet_domain.com' for RE_URL 'Botnet_CnC_URL_Data_Feed.json'

2016/07/25 20:16:30.164 INF 0x7f99a799b700 Category: KL_BotnetCnC_URL

If there are no such messages in the log files, check whether the Kaspersky CyberTrace Service configuration file contains the correct regular expressions. You can also check the used regular expressions by using Kaspersky CyberTrace Web.

Checking whether Kaspersky CyberTrace Service sends events to RSA NetWitness

You can check whether Kaspersky CyberTrace Service sends events to RSA NetWitness in the following ways:

  • By consulting Kaspersky CyberTrace Service log files.

    Following is an example of messages written to the log when an event is successfully sent to RSA NetWitness.

2020/05/20 17:09:12.987 INF 26341 siem New notification: KL_ALERT_UpdatedFeed --- parameters: [ 'feed': 'Blocklist.de_BlockIP.json', 'records': '35187' ]

2020/05/20 17:09:12.987 INF 26341 siem New notification: KL_ALERT_UpdatedFeed --- parameters: [ 'feed': 'Blocklist.de_BlockIP.json', 'records': '35187' ]

2020/05/20 17:09:12.987 DBG 26341 siem Connecting to '127.0.0.1:9998'

2020/05/20 17:09:12.987 DBG 26341 siem Sending notification KL_ALERT_UpdatedFeed

2020/05/20 17:09:12.987 DBG 26341 siem Notification KL_ALERT_UpdatedFeed has been sent successfully

Following is an example of a message written to the log when an event could not be sent to RSA NetWitness.

2020/05/20 17:09:12.987 DBG 26341 siem Failed to send notification KL_ALERT_FailedToUpdateFeed (error: 0x80000072 (Unknown exception))

  • By using the tcpdump utility on the computer that receives events from Kaspersky CyberTrace Service.

    The tcpdump utility listens on the IP address [IP] and port 514 if you run the utility by using the following command:

    tcpdump -neX src [IP] and port 514

    In this command specify the IP address at which Kaspersky CyberTrace Service sends events.

    Note that the tcpdump utility may use a different flag (not -neX) depending on the operating system it runs on.

If Kaspersky CyberTrace Service sends no event, check the following:

  • Check that the Kaspersky CyberTrace Service log files contain messages about detecting URLs, hashes, or IP addresses.

    If there are no such messages, see the information in subsection "Checking whether Kaspersky CyberTrace Service matches events against Kaspersky Threat Data Feeds". It may also be that the feeds do not contain checked URLs, hashes, and IP addresses.

  • Check that the Kaspersky CyberTrace Service configuration file contains the correct destination IP address and port.

Problem: RSA NetWitness does not display events from Kaspersky CyberTrace Service

If RSA NetWitness displays no events from Kaspersky CyberTrace Service, check whether the procedure in section "Step 2. Sending events from Kaspersky CyberTrace Service to RSA NetWitness" is performed correctly.

Note that RSA NetWitness may display events from a device with a delay of 10 minutes.

Problem: The configurator displays an error message when the IP address and port of Log Decoder are specified in the OutputSettings > ConnectionString setting.

An error message like the following can be displayed:

Can't connect using the specified string. Press [Enter] to specify another string, or type "ok" to continue with 10.10.0.127:514

Check that the computer on which RSA NetWitness is installed is accessible from the computer on which Kaspersky CyberTrace Service is installed (for example, by using the ping utility).

Problem: Some fields of events from Kaspersky CyberTrace Service are not displayed in the metafields in RSA NetWitness

If some fields of events from Kaspersky CyberTrace Service are not displayed in the metafields in RSA NetWitness, do the following:

  • Check whether the metafields mentioned in the v20_cybertracemsg.xml configuration file have their flags parameter set to None in the /etc/netwitness/ng/envision/etc/table-map-custom.xml configuration file.

    If these fields are absent from table-map-custom.xml, add them as follows:

    <mapping envisionName="url" nwName="url" flags="None" format="Text" envisionDisplayName="URL"/>

  • Check whether all the fields described in section "Forwarding events from RSA NetWitness" are contained in the following configuration files:
    • index-logdecoder-custom.xml (if you do not use Concentrator)
    • index-concentrator-custom.xml

    You can browse the contents of these files by selecting Administration > Services. Then select Concentrator (or Log Decoder), click the Settings split button (Settings split button in RSA NetWitness.), and select View > Config > Files. A drop-down list is displayed that contains all these files.

    After you have edited the files, restart Log Decoder or Concentrator so that the new settings will be in place.

    Update only the configuration file of Concentrator (index-concentrator-custom.xml) if both Log Decoder and Concentrator are used, Concentrator receives data from Log Decoder, and Log Decoder receives events from Kaspersky CyberTrace Service. Also, you can leave the configuration file of Log Decoder (index-logdecoder-custom.xml) unchanged if you do not use Log Decoder as the source of data in which you search for events or if you do not use Log Decoder to create reports or dashboards.

    If the configuration files do not contain necessary fields, add these fields as described at https://community.rsa.com/docs/DOC-41760. For example, the index-concentrator-custom.xml file must contain the following lines:

    <key description="virusName" format="Text" level="IndexValues" name="virusname" defaultAction="Open" />

    <key description="user.src" format="Text" level="IndexValues" name="user.src" defaultAction="Open" />

    <key description="ip.src" format="IPv4" level="IndexValues" name="ip.src" defaultAction="Open"/>

    <key description="action" format="Text" level="IndexValues" name="action" defaultAction="Open" />

    <key description="msg" format="Text" level="IndexKeys" name="msg" defaultAction="Open" />

    <key description="event.source" format="Text" level="IndexValues" name="event.source" defaultAction="Open" />

    <key description="device.ip" format="IPv4" level="IndexValues" name="ip.dst" defaultAction="Open"/>

    <key description="ip.dst" format="IPv4" level="IndexValues" name="ip.dst" defaultAction="Open"/>

    <key description="url" format="Text" level="IndexValues" name="url" defaultAction="Open"/>

    <key description="checksum" format="Text" level="IndexValues" name="checksum" defaultAction="Open"/>

Make sure that the values of the name and format fields in the configuration files are equal to the values of the nwName and format fields, respectively, in the table-map-custom.xml file.

Problem: After the Kaspersky CyberTrace dashboard is imported, no data is displayed

A dashlet displays an error message instead.

CyberTrace Detects Statistic dashlet in RSA NetWitness. No data displayed.

Dashlet displays no data

To fix this error, reconfigure the dashlet as follows:

  1. In the top right area of the dashlet, click the Settings button.

    CyberTrace Detects Statistic dashlet in RSA NetWitness. Settings (gear) button.

    The Settings button

    The Options window opens.

  2. Click Browse.

    Options window in RSA NetWitness. Browse button.

    Dashlet parameters

    The Select Chart window opens.

  3. Select the chart to be used in the dashlet.

    Select Chart window in RSA NetWitness. Selecting a chart.

    Selecting a chart

  4. Click Apply.

    Options window in RSA NetWitness. Apply button.

    The Apply button

Problem: Feed Utility displays the "peer certificate cannot be authenticated with given CA certificates" error message

The certificate cannot be authenticated. Make sure that root certificates are installed on your system. If root certificates are not installed, install them using a standard procedure for installing root certificates on your operating system.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.