
Physical Host 10.6.6.x to 11.3 Upgrade: Introduction

Document created by RSA Information Design and Development on Apr 10, 2019. Last modified by RSA Information Design and Development on Mar 17, 2020.

The instructions in this guide apply exclusively to the upgrade of physical hosts to RSA NetWitness Platform 11.3. See the Virtual Host Upgrade Guide for NetWitness Platform 10.6.6.x to 11.3 for instructions on how to upgrade your virtual hosts to 11.3.

NetWitness Platform 11.3 is a major release that affects all products in the NetWitness Platform. The components of the platform are the NetWitness Server (Admin server, Config server, Integration server, Investigate server, Orchestration server, Respond server, Security server, and Source server), Archiver, Broker, Concentrator, Context Hub, Decoder, Endpoint Log Hybrid, ESA Primary, ESA Secondary, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, UEBA, Warehouse Connector, and Workbench.

Note: This NetWitness Platform version replaces the earlier NetWitness Platform 11.3 release. It contains all the features of that release, with significant improvements for Event Stream Analysis (ESA). For information about ESA, see Event Stream Analysis in the Release Notes for RSA NetWitness Platform 11.3.

Refer to the Getting Started Guide for NetWitness Platform to become familiar with the major changes to the 11.x User interface. Refer to the Deployment Guide to become familiar with the major platform changes in 11.x.

Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Note: The Reporting Engine is installed on the NW Server host, Workbench is installed on the Archiver host, and Warehouse Connector can be installed on the Decoder host or Log Decoder host.

CentOS6 to CentOS7 Upgrade

NetWitness Platform 11.3 is a major release that involves upgrading to a newer version of the operating system (CentOS 6 to CentOS 7). In addition, the platform environment has been reworked to accommodate current and future physical and virtual deployment types. These changes require an upgrade of both the environment and the functionality.

RSA NetWitness Platform Upgrade Path

The earliest supported upgrade path to RSA NetWitness Platform 11.3 is from Security Analytics 10.6.6.x. This guide is not intended for customers who have already upgraded to an 11.x release.

  • If you are running a version of NetWitness Platform prior to 10.6.6.x, you must update to 10.6.6.x before you can upgrade to 11.3. See the RSA Security Analytics 10.6.6 Update Guide on RSA Link.
  • If you are already running 11.3.x.x, upgrade to the latest 11.3.x.x release so that you are running the current version of the platform.

Supported Host Upgrade Path

You must upgrade a host to the same host type:

  • Same Series RSA Physical Appliance to Same Series RSA Physical Appliance (that is, Series 4 to Series 4, Series 5 to Series 5).
    RSA does not support third-party physical hosts in 11.3.
  • On-Prem Virtual to On-Prem Virtual

Caution: The upgrade does not support mixed-platform upgrades (for example, it does not support physical to virtual).

Hardware, Deployments, Services, and Features Not Supported in 11.3

RSA does not support upgrade of the following hardware, deployments, services, and features to 11.3:

  • RSA All-in-One (AIO) Appliance
  • Multiple NetWitness Server Deployment
  • IPDB service
  • Malware Analysis service co-located on the SA Server (upgrade of Malware Analysis Enterprise is supported in 11.3).
  • Standalone Warehouse Connector service (upgrade of a co-located Warehouse Connector is supported in 11.3).

  • Custom Health & Wellness policy in 10.6.x for the Context Hub service.
    After you upgrade to NetWitness Platform 11.3, your custom policy is not present. In its place is the out-of-the-box Context Hub Server Monitoring Policy in the user interface, which is specific to version 11.3.

  • Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) hardened deployments.
  • Warehouse Analytics (Data Science)

Event Stream Analysis (ESA) Upgrade Considerations

In RSA NetWitness Platform 11.3, RSA changed how ESA correlation rules store and transmit the alerts the system generates. In 11.3, ESA sends all alerts to a central alert system; the local MongoDB storage that ESA used in 10.6.6.x has been removed.

Note: If you did not use Incident Management in 10.6.6.x, you cannot view the 10.6.6.x ESA alerts in the Respond component without running a migration script. Use the ESA Alert Migration script to migrate these alerts to the location in 11.3 from which Respond can read them. See the ESA Alert Migration Instructions knowledge base article in RSA Link for instructions on how to run this script.

Upgrade Considerations for ESA Rule Deployments

Caution: In NetWitness Platform 11.3, the ESA Correlation service contains data source changes that require changes to migrated ESA rule deployments. The ESA Correlation service replaces the Event Stream Analysis service of earlier versions.

After you upgrade to 11.3, migrated ESA rule deployments change as follows.

  1. If an ESA rule deployment contains two services before you upgrade to 11.3, the deployment splits into two deployments. An ESA rule deployment in version 11.3 can contain only one ESA Correlation service.
  2. If an ESA service has multiple ESA rule deployments before you upgrade to 11.3, they are combined into one deployment in version 11.3.

You can still access your old deployments. For a detailed example, see the ESA Configuration Guide for RSA NetWitness Platform 11.3.
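Taken together, the two rules above mean that after the upgrade each ESA Correlation service owns exactly one deployment, holding every rule from every pre-upgrade deployment that included that service. The following Python model is an added example, not RSA's migration code: the inventory format, the post-upgrade deployment names (`<service>-deployment`) and the check function are assumptions made for this example, and the sample layout is constructed.

```python
"""How 11.3 reshapes migrated ESA rule deployments.

Added example, not RSA migration code. It applies the two rules of this
section (a deployment spanning two ESA services splits; several deployments
on one ESA service combine) to a pre-upgrade layout. The inventory format and
the post-upgrade deployment names are assumptions made for this example.
"""


def migrate_deployments(pre_upgrade):
    """Map pre-upgrade deployments to one deployment per ESA service.

    pre_upgrade: {deployment_name: {"services": [...], "rules": [...]}}
    Returns {new_name: {"service": svc, "rules": [...], "migrated_from": [...]}}.
    Rule order is first-seen; a rule present in two merged deployments is
    kept once.
    """
    per_service = {}
    for dep_name, dep in pre_upgrade.items():
        if not dep["services"]:
            raise ValueError(f"deployment {dep_name!r} has no ESA service")
        for svc in dep["services"]:  # rule 1: one bucket per service
            bucket = per_service.setdefault(svc, {"rules": [], "migrated_from": []})
            bucket["migrated_from"].append(dep_name)
            for rule in dep["rules"]:  # rule 2: union of rules per service
                if rule not in bucket["rules"]:
                    bucket["rules"].append(rule)
    # Assumed naming scheme for the example: "<service>-deployment".
    return {f"{svc}-deployment": {"service": svc, **bucket}
            for svc, bucket in per_service.items()}


def migration_preserves_rules(pre_upgrade, migrated):
    """Post-upgrade check: every rule is still deployed on every ESA service
    it targeted before, and no post-upgrade deployment shares a service with
    another (which would mean rule 2 was not applied)."""
    by_service = {}
    for dep in migrated.values():
        if dep["service"] in by_service:
            return False
        by_service[dep["service"]] = dep
    for dep in pre_upgrade.values():
        for svc in dep["services"]:
            target = by_service.get(svc)
            if target is None or any(r not in target["rules"] for r in dep["rules"]):
                return False
    return True


if __name__ == "__main__":
    # Constructed pre-upgrade layout for the example, not a real deployment.
    pre = {
        "Dep1": {"services": ["esa-a", "esa-b"], "rules": ["R1", "R2"]},
        "Dep2": {"services": ["esa-a"], "rules": ["R2", "R3"]},
    }
    migrated = migrate_deployments(pre)
    for name, dep in migrated.items():
        print(name, dep["service"], dep["rules"], "from", dep["migrated_from"])
    print("rules preserved:", migration_preserves_rules(pre, migrated))
```

In the constructed layout, Dep1 splits across esa-a and esa-b (rule 1) and then Dep1's and Dep2's rules are combined on esa-a (rule 2), so esa-a ends up with R1, R2 and R3 while esa-b keeps R1 and R2. Run the check against the deployments you actually see in the 11.3 user interface after migration, not against this model's output alone.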

Upgrade Phases

RSA recommends that you stagger host upgrades as described in this section. The update to CentOS 7 and the need for physical or iDRAC access to each host make this upgrade take more time than most upgrades.

Caution: If you stagger the upgrade, you:
• Must upgrade the hosts in Phase 1 first, in the order shown.
• May not have all the features operational until you update your entire deployment.
• Will not have service administrative features available until you upgrade all the hosts in your deployment.

Phase 1

You perform Phase 1 first. You must upgrade the hosts in the following order:

  1. Security Analytics Server host
  2. Event Stream Analysis hosts
  3. Malware Analysis hosts
  4. Broker hosts (if you do not have a Broker, upgrade your Concentrator hosts)
    The NetWitness Server (NW Server) cannot communicate with 10.6.6.x core services for the new Investigate functionality. This is why you must upgrade the Broker or Concentrator hosts in Phase 1.

Phase 2

Upgrade the rest of your hosts.

RSA recommends that you follow the order in Phase 2 to reduce:

  • Functionality loss during investigation.
  • Downtime that results in the loss of network and log capture.

Note: Other than Log Collection hosts with downstream event destinations, there is no technical reason to upgrade your hosts in the order shown in Phase 2.

This is the Phase 2 host upgrade order recommended by RSA.

  1. Decoder hosts
  2. Concentrator hosts
  3. Archiver hosts
  4. Log Collection hosts - Log Collectors on Log Decoder hosts (LDs), Virtual Log Collectors (VLCs) and Legacy Windows Collectors (LWCs)
    Before you upgrade a log collection host, you must prepare it for the upgrade. Part of this preparation ensures that no event data remains in the queues. This requires you to keep the downstream destinations of event data (Log Collectors, Virtual Log Collectors and Log Decoders) up and functioning properly.

    If you have event data destinations downstream from the Log Decoder, you must prepare and upgrade Log Collectors in the following order.

    1. LDs (one LD at a time)

    2. VLCs and LWCs

    If you do not have event data destinations downstream from the Log Decoder, you can prepare and upgrade multiple LDs, VLCs, and LWCs together.

  5. All other hosts

See "Running in Mixed Mode" under "The Basics" in the RSA NetWitness Platform Hosts and Services Getting Started Guide for:

  • Functionality gaps encountered while running in this mode.
  • Examples of staggered upgrades.
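The phase rules above can be turned into an ordered batch plan for a specific deployment. The following Python planner is an added example, not an RSA tool: the host type labels, the inventory format and the downstream-destination flag are assumptions made for this example, the inventory is constructed, and the script only produces a plan; it does not upgrade anything.

```python
"""Staggered upgrade planner for a 10.6.6.x to 11.3 physical host upgrade.

Added example, not RSA tooling. It encodes the Phase 1 and Phase 2 ordering
rules of this guide so that a host inventory can be turned into ordered
batches. The host type labels, the inventory format and the downstream flag
are assumptions made for this example; nothing here touches a deployment.
"""
from collections import defaultdict

# Phase 1 is mandatory and ordered. Broker hosts go in Phase 1 because the
# 11.3 NW Server cannot use 10.6.6.x core services for the new Investigate;
# with no Broker, the Concentrator hosts take that slot.
PHASE1_ORDER = ("SA Server", "ESA", "Malware Analysis", "Broker")

# Phase 2 is a recommendation, except for the Log Collection ordering when
# event destinations sit downstream of the Log Decoders.
PHASE2_ORDER = ("Decoder", "Concentrator", "Archiver")


def plan_upgrade(hosts, ld_has_downstream_destinations):
    """Return an ordered list of (phase, batch_label, [hostnames]).

    hosts: iterable of (hostname, host_type) pairs (assumed format).
    ld_has_downstream_destinations: True when event data destinations exist
    downstream of the Log Decoders; LDs are then upgraded one at a time and
    VLCs/LWCs only after every LD.
    """
    by_type = defaultdict(list)
    for name, host_type in hosts:
        by_type[host_type].append(name)
    if len(by_type["SA Server"]) != 1:
        raise ValueError("exactly one SA Server host is expected")

    batches = []

    # ---- Phase 1: fixed order ----
    for host_type in PHASE1_ORDER:
        if host_type == "Broker" and not by_type["Broker"]:
            if by_type["Concentrator"]:
                batches.append((1, "Concentrator (no Broker present)",
                                by_type.pop("Concentrator")))
            continue
        if by_type[host_type]:
            batches.append((1, host_type, by_type.pop(host_type)))

    # ---- Phase 2: recommended order ----
    for host_type in PHASE2_ORDER:
        if by_type[host_type]:
            batches.append((2, host_type, by_type.pop(host_type)))

    lds = by_type.pop("Log Decoder", [])
    collectors = by_type.pop("VLC", []) + by_type.pop("LWC", [])
    if ld_has_downstream_destinations:
        # Queues must drain before each LD goes down, so serialise the LDs
        # and keep the collectors feeding them until every LD is done.
        for ld in lds:
            batches.append((2, "Log Decoder (one at a time)", [ld]))
        if collectors:
            batches.append((2, "VLC/LWC (after all LDs)", collectors))
    elif lds or collectors:
        batches.append((2, "Log Decoders, VLCs and LWCs together", lds + collectors))

    remaining = [h for names in by_type.values() for h in names]
    if remaining:
        batches.append((2, "All other hosts", remaining))
    return batches


def phase1_complete_before_phase2(batches):
    """True if no Phase 2 batch precedes a Phase 1 batch in the plan."""
    phases = [phase for phase, _, _ in batches]
    return phases == sorted(phases)


if __name__ == "__main__":
    # Constructed inventory for the example, not a real deployment.
    inventory = [
        ("nw1", "SA Server"), ("esa1", "ESA"), ("conc1", "Concentrator"),
        ("dec1", "Decoder"), ("ld1", "Log Decoder"), ("ld2", "Log Decoder"),
        ("vlc1", "VLC"), ("ueba1", "UEBA"),
    ]
    for phase, label, names in plan_upgrade(inventory, True):
        print(f"Phase {phase}: {label}: {', '.join(names)}")
```

With the constructed inventory (no Broker, two Log Decoders with downstream destinations), the planner puts the Concentrator into Phase 1 in the Broker's place, upgrades the Decoder first in Phase 2, serialises the two Log Decoders, and only then upgrades the VLC, with UEBA falling into the final "All other hosts" batch.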

Phase 3 (Optional)

After you have upgraded all hosts in your deployment to 11.3, you can install a Warm Standby NW Server. Refer to "Warm Standby NW Server Host" under "Deployment Option Setup Procedures" in the Deployment Guide for NetWitness Platform 11.3 for instructions on how to set up a Warm Standby NW Server.

Investigate in Mixed Mode

Mixed mode occurs when the NW Server host and Broker hosts are on the latest version (for example, 11.3) and the other core services, such as Concentrators and Decoders, are on an older version (for example, 10.6.6.x or 11.1.x.x-11.2.x.x). You must follow the host upgrade sequence in Upgrade Phases to ensure complete Investigate functionality.

The Investigate server is installed when you upgrade the SA Server, but Broker hosts must be upgraded to 11.3 before analysts can use the Event Analysis view. If the Broker is not upgraded, analysts see a warning icon next to the Broker, and no data aggregated to that Broker can be displayed.

Mixed mode (that is, some services are upgraded to 11.3 and some are still at 10.6.6.x) also affects Role-Based Access Control (RBAC). In mixed mode, when an analyst conducts an investigation, RBAC is not applied uniformly to viewing and downloads. After you upgrade all services to 11.3, RBAC on downloads works consistently to limit access to restricted data.

In mixed mode, if the sdk.packets setting has not been disabled on the 10.6.6.x services, an analyst whose SDK meta and role permissions restrict viewing and reconstructing an event's content can still download the packet capture (PCAP) file of an event that has content restrictions. Other types of downloads appear to succeed, then generate errors due to insufficient permissions, so that data remains protected.

During a phased upgrade, disable the sdk.packets setting on the 10.6.6.x services to prevent analysts from downloading any PCAPs or logs. After you upgrade all services to 11.3 and re-enable sdk.packets, RBAC works consistently across all services.

The following table identifies what users with the Analysts role can see and download when the NW Server is at version 11.3 and the Broker is connected to Concentrators and Decoders at version 10.6.6.x.

View                      | Analysts Can See     | Restricted Content Analysts Can Download | Restricted Content Analysts Can Download with Errors
Events View               | RBAC permitted items | PCAP                                     | File archive (cannot unzip it)
Event Reconstruction View | RBAC permitted items | PCAP                                     | File archive (cannot unzip it)
Event Analysis View       | RBAC permitted items | PCAP                                     | Payload (any option: all payloads, request only, response only)


Upgrade Workflow

The following diagram illustrates the RSA NetWitness Platform upgrade workflow.

Contact Customer Support

Refer to the Contact RSA Customer Support page in RSA Link for instructions on how to get help with RSA NetWitness Platform 11.3.
