KB Article | Forcepoint Support
Support
  1. Home
  2. Knowledgebase

Troubleshooting DLP Analytics Engine Issues

  • Article Number: 000013475
  • Products: Forcepoint DLP
  • Version: 8.7, 8.6, 8.5, 8.4
  • Last Published Date: December 01, 2020

Notes & Warnings

Note The Analytics Engine for 8.7 on the Downloads page is identical to the 8.6 version.

If the SQL database is an instance or is using a non-standard port, please confirm that the Forcepoint Management Infrastructure's SQL connection port is not left blank as seen in the installer. This can be confirmed by running a modify of the Infrastructure installer on the Management Server.

To confirm that the proper value is set, please run the following query on the SQL Server:

SELECT * FROM PA_CONFIG_PROPERTIES WHERE GROUP_NAME = 'DB_CONFIGURATION';

If this port value in Infrastructure is left blank (meaning it is automatically obtained), the value above defaults to 1433, which does not function for SQL instances.

By default, the Analytics Engine runs at the start of each day at 1 AM. In the case where the cron job was modified, this may cause reporting issues. Please refer to the following article for more information:
Incident Risk Ranking Reports Always Show 0 Cases for the Current Day

If NTLMv2 is used to connect to the SQL server, additional modifications are needed on the Analytics Engine as described in the following article:
Implementing Analytics Engine NTLMv2 Authentication

In the case where the Analytics Engine appears to be working normally but not cases are appearing, it may be the case that the Reporting settings are set to only show severe risks above a certain level.
 

Problem Description

After configuring the Analytics Engine, the Incident Risk Ranking page is not showing any data. The Incident Risk Ranking is not updating with risk cases on the DLP Dashboard.

Resolution

Note The changes below require root access. If the Forcepoint Analytics Engine OVA image was used, raise a case with Technical Support for assistance.
  1. Make sure the Analytics Engine's Fully Qualified Domain Name (FQDN) and the registered entry within System Modules is showing with the correct FQDN. Re-register the Analytics Engine to correct any mismatches with the FQDN by following the steps below:
    1. Log on to the Forcepoint DLP Manager and access the Data tab.
    2. Navigate to System Modules
    3. Select the Analytics Engine and delete it.
    4. Complete a deployment to all components
    5. Secure Shell (SSH) to the Analytics Engine.
    6. Type cd /opt/websense/AnalyticsEngine/scripts and press Enter.
    7. Type wizard and press Enter.
    8. Update the Forcepoint Management server’s IP address, username, and password.
    9. Update the SQL database server’s IP address, port, username, and password.
    10. If the Analytics Server registers successfully, you will see the following message:
Attempting to connect…
Connection succeeded.
  1. Confirm a deployment completes successfully
 
  1. Run the analytics script manually on the Analytics Engine server.
    1. SSH to the Analytics Engine as the root user.
    2. Type cd /opt/websense/AnalyticsEngine/scripts and press Enter.
    3. Type ./ae_run and press Enter.
    4. Make sure it has completed with the message below:
Evaluation started.
Evaluation completed.
Reporting started.
Reporting completed.
Runtime:[1093] seconds
Completed:[2017-04-18 18:08:23.889309]
 
  1. Check the Data Security server logs under %DSS_HOME%Logs.
    1. See if there are any errors in the Healthcheck.log like below:
2017-08-09 12:40:26,404 HealthCheck Error HTTP request to http://localhost:17515/ae-services generated error: HTTP response code was 404
2017-08-09 12:40:26,405 HealthCheck Error DSSBatchServer: Service [Analytics Engine service] URL: [http://localhost:17515/ae-services] is not alive. please validate the WAR is deployed and has no errors
2017-08-09 12:40:26,407 HealthCheck Error DSSBatchServer: restarting the DSSBatchServer
2017-08-09 12:40:26,407 HealthCheck Error Stopping process: DSSBatchServer
  1. If there are errors, try accessing http://localhost:17515/ae-services in a browser on the Forcepoint Management Server.
  2. If the URL is not reachable, compare the below container in the ae-services.xml file and the resource-repository.xml file under the webapps folder in the %JETTY_HOME%service-container\container\ directory.
<New id="PaDS" class="org.eclipse.jetty.plus.jndi.Resource">
<Arg></Arg>
<Arg>jdbc/PaDS</Arg>
<Arg>
<New class="com.jolbox.bonecp.BoneCPDataSource">
<Set name="driverClass">net.sourceforge.jtds.jdbcx.JtdsDataSource</Set>
<Set name="jdbcUrl">jdbc:jtds:sqlserver://10.50.212.39;ssl=off;databaseName=wbsn-data-security;tds=8.0;appName=wbsn-service</Set>
<Set name="username">[SQL UserName]</Set>
<Set name="password">
<Call class="com.pa.crypto.crypto.CryptorUtils" name="decrypt">
<Arg type="java.lang.String" id="password">{wsjf.4}[ENCRYPTED PASSWORD]</Arg>
<Arg type="java.lang.Integer" id="seed">811514</Arg>
<Arg type="java.lang.Integer" id="keylenght">8</Arg>
</Call>
</Set>
<Set name="minConnectionsPerPartition">5</Set>
<Set name="maxConnectionsPerPartition">20</Set>
<Set name="statementsCacheSize">100</Set>
</New>
</Arg>
</New>
  1. If the above container does not match, then correct the ae_service.xml file with the content from the resource-repository.xml file.
Note Take a backup of both files before editing.
  1. Restart the following services and confirm that they are able to start properly:
    1. Websense Data Security Batch Server
    2. Websense Data Security Manager
    3. Websense Data Security Message Broker
  2. Wait for some time to pass and check the Incident Risk Ranking again. It should update with data.



Keywords: DLP Data Security Manager; Linux Analytics Engine; Risk Ranking Report; DLP Dashboard; DLP Console Not Working; Missing Data; SQL Connection

Article Feedback



Thank you for the feedback and comments.

Want 24/7 Tech Support?

Learn more