Install Only One Instance of the NetWitness UEBA Server
RSA supports only one instance of the NetWitness UEBA server. If you have added more than one NetWitness UEBA server, follow these steps to remove the extra NetWitness UEBA server.
-
From the Admin server (node 0), run the following commands to query the list of installed NetWitness UEBA services:
# orchestration-cli-client --list-services|grep presidio-airflow
... Service: ID=7e682892-b913-4dee-ac84-ca2438e522bf, NAME=presidio-airflow, HOST=xxx.xxx.xxx.xxx:null, TLS=true
... Service: ID=3ba35fbe-7220-4e26-a2ad-9e14ab5e9e15, NAME=presidio-airflow, HOST=xxx.xxx.xxx.xxx:null, TLS=true -
From the list of services, determine which instance of the presidio-airflow service should be removed (by looking at the host addresses).
-
Run the following command to remove the extra service from Orchestration (use the matching service ID from the list of services):
# orchestration-cli-client --remove-service --id <ID-for-presidio-airflow-form-previous-output>
-
Run the following command to update node 0 to restore NGINX:
# orchestration-cli-client --update-admin-node
- Log in to NetWitness Platform, go to ADMIN > Hosts, and remove the extra NetWitness UEBA host.
Contact Customer Support
Refer to the Contact RSA Customer Support page (https://community.rsa.com/docs/DOC-1294) in RSA Link for instructions on how to get help on RSA NetWitness Platform.