Virtual Host Upgrade: Troubleshooting

Document created by RSA Information Design and Development Employee on Apr 11, 2019Last modified by RSA Information Design and Development Employee on Jun 25, 2020
Version 6Show Document
  • View in full screen mode

This section describes solutions to problems that you may encounter during installations and upgrades. In most cases, NetWitness Platform creates log messages when it encounters these problems.

Note: If you cannot resolve an upgrade issue using the following troubleshooting solutions, contact Customer Support (

This section has troubleshooting documentation for the following services, features, and processes.

Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

Command Line Interface (CLI)

Error Message

Command Line Interface (CLI) displays: "Orchestration failed."

Mixlib::ShellOut::ShellCommandFailed: Command execution failed. STDOUT/STDERR suppressed for sensitive resource in/var/log/netwitness/config-management/chef-solo.log

Cause Entered the wrong deploy_admin password in nwsetup-tui.

Retrieve your deploy_admin password.

  1. SSH to the NW Server host.
    security-cli-client --get-config-prop --prop-hierarchy --prop-name deployment.password
    SSH to the host that failed.
  2. Run the nwsetup-tui again using correct deploy_admin password.


Error Message ERROR
AlarmsController - Cannot connect to System Management Service
Cause NetWitness Platform sees the Service Management Service (SMS) as down after successful upgrade even though the service is running.
Solution Restart SMS service.
systemctl restart rsa-sms


Error Message

You receive a message in the User Interface to reboot the host after you update and reboot the host offline.

Cause You cannot use CLI to reboot the host. You must use the User Interface.

Reboot the host in the Host View in the User Interface.

Event Stream Analysis

  • For ESA Correlation troubleshooting information, see the Alerting with ESA Correlation Rules User Guide.
  • For ESA Analytics troubleshooting information, see the Automated Threat Detection Configuration Guide.

NetWitness UEBA


The User Interface is not accessible.

Cause You have more than one NetWitness UEBA service existing in your NetWitness deployment and you can only have NetWitness UEBA service in your deployment.

Complete the following steps to remove the extra NetWitness UEBA service.

  1. SSH to NW Server and run the following commands to query the list of installed NetWitness UEBA services.
    # orchestration-cli-client --list-services|grep presidio-airflow
    ... Service: ID=7e682892-b913-4dee-ac84-ca2438e522bf, NAME=presidio-airflow,, TLS=true
    ... Service: ID=3ba35fbe-7220-4e26-a2ad-9e14ab5e9e15, NAME=presidio-airflow,, TLS=true
  2. From the list of services, determine which instance of the presidio-airflow service should be removed (by looking at the host addresses).

  3. Run the following command to remove the extra service from Orchestration (use the matching service ID from the list of services):
    # orchestration-cli-client --remove-service --id <ID-for-presidio-airflow-form-previous-output>
  4. Run the following command to update NW Server to restore NGINX:
    # orchestration-cli-client --update-admin-node
  5. Log in to NetWitness Platform, go to ADMIN > Hosts, and remove the extra NetWitness UEBA host.

Previous Topic:7. Post Upgrade Tasks
You are here
Table of Contents > A. Troubleshooting