Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > 2016 > December > 15

Per request from external teams, I experimented with the NetWitness Suite/Security Analytics 10.6.2 Upgrade in mixed-mode installation.


Case 1: SA 10.6.2 and a new host in 10.5.2


  • SA server has been upgraded from 10.6.0 to 10.6.2 using the split zip files.
  • Another host (Decoder) has been built from the 10.5.0 OVA and was upgraded to 10.5.2. 


  • SA 10.6.2 - to - Decoder 10.5.2 provisioning was successful.
  • Upgrade to 10.6.2  is available on the HOST screen and the upgrade was successful. 


Case 2: SA 10.6.2 and new host in 10.6.0


  • SA server has been upgraded to 10.6.2 using the split zip files
  • A new host (Concentrator) has been built from the 10.6.0 OVA.


  • SA 10.6.2 - to - Decoder 10.6.0 provisioning was successful.
  • The new 10.6.0 host can be upgraded using rpms in SA's repo. 


Case 3: WLC on Win2K12 and SA 10.6.0 / 10.6.2 setups


  • WLC on Win2K12 and added WLC to 10.6.0 / 10.6.2 setup and tested the functionality of LC and could see all events Concentractor


  • Upgraded to WLC -> 10.6.2 on WIN2K12 and noticed that NwLogCollector Service crash post upgrade(ASCO-27227).

PEM file issue

If you are upgrading from a new 10.6.0.x systems (from a 10.6.0 image) to 10.6.2 for the first time and you are using SMCUpdate, you must run the following command to create a PEM file.

/# touch /etc/pki/CA/certs/RSACorpCAv2.pem

This workaround has been noted in the 10.6.1 Update Instructions (page 15, Task 8) but not in the 10.6.2 Update Instructions. 

This isn't an issue if you are using 10.6.2 upgrade zip files.

The issue won't be fixed until the next image is released.


Note: Background image is Lake Assal is Djibouti. I'm dreaming of a sunny and warm place...

Working with Microsoft EventIDs ? ever use the excellent site Ultimate Windows Security to track down eventIDs ?


Here is a context menu to enable right click actions from the metakey to pivot into the website for security events.  Helps reduce the select , ctrl+c, alt+tab, ctrl+v.


administration > system > context menu


    "displayName": "[MS EventID Lookup]",
    "cssClasses": [
    "description": "",
    "type": "UAP.common.contextmenu.actions.URLContextAction",
    "version": "1",
    "modules": [
    "local": "false",
    "groupName": "externalLookupGroup",
    "urlFormat": "{0}",
    "disabled": "",
    "id": "MSEventIDLookup",
    "moduleClasses": [
    "openInNewTab": "true",
    "order": ""

Recently I had a customer who was unable to remove their Application rules from a packet decoder as part of removing the old IR 3.5 content.


If they tried to remove all the IR content rules at one time after they hit Apply the first time on the review screen where it would show what was being removed and what was to remain after the Apply button was not active.


If they tried to remove only a few rules at a time the Apply button on the review screen was active however upon reloading the Application rule tab all the deleted rules were back again.


To resolve the issue I made a backup of their Application rules and then navigated to the Explorer view of the packet decoder.


WARNING: This is a destructive clearing of all Application rules on the decoder. You will only want to do this if you are experiencing this issue or something similar. Make sure you have a back up copy of your current rule set.



Right click on application and click on Properties.



Select clear from the dropdown and then press send in the right hand corner of the Properties screen. You will see a success message in the information box. 

Filter Blog

By date: By tag: