UEBA Install: Troubleshooting

Document created by RSA Information Design and Development on Apr 11, 2019Last modified by RSA Information Design and Development on Apr 11, 2019
Version 3Show Document
  • View in full screen mode
  

Install Only One Instance of the NetWitness UEBA Server

RSA supports only one instance of the NetWitness UEBA server. If you have added more than one NetWitness UEBA server, follow these steps to remove the extra NetWitness UEBA server.

  1. From the Admin server (node 0), run the following commands to query the list of installed NetWitness UEBA services:

    # orchestration-cli-client --list-services|grep presidio-airflow
    ... Service: ID=7e682892-b913-4dee-ac84-ca2438e522bf, NAME=presidio-airflow, HOST=xxx.xxx.xxx.xxx:null, TLS=true
    ... Service: ID=3ba35fbe-7220-4e26-a2ad-9e14ab5e9e15, NAME=presidio-airflow, HOST=xxx.xxx.xxx.xxx:null, TLS=true

  2. From the list of services, determine which instance of the presidio-airflow service should be removed (by looking at the host addresses).

  3. Run the following command to remove the extra service from Orchestration (use the matching service ID from the list of services):

    # orchestration-cli-client --remove-service --id <ID-for-presidio-airflow-form-previous-output>

  4. Run the following command to update node 0 to restore NGINX:

    # orchestration-cli-client --update-admin-node

  5. Log in to NetWitness Platform, go to ADMIN > Hosts, and remove the extra NetWitness UEBA host.

Contact Customer Support

Refer to the Contact RSA Customer Support page (https://community.rsa.com/docs/DOC-1294) in RSA Link for instructions on how to get help on RSA NetWitness Platform.

You are here
Table of Contents > Troubleshooting

Attachments

    Outcomes