Virtual Host Upgrade: Introduction

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Jun 12, 2019.
Version 4

The instructions in this guide apply to the upgrade of virtual hosts to RSA NetWitness Platform 11.3 exclusively. See the Physical Host Upgrade Guide for RSA NetWitness Platform 11.3 for instructions on how to upgrade your 10.6.6.x physical hosts to 11.3.

NetWitness Platform 11.3 is a major release that affects all products in the NetWitness Platform. The components of the platform are the NetWitness Server (Admin server, Config server, Integration server, Investigate server, Orchestration server, Respond server, Security server, and Source server), Archiver, Broker, Concentrator, Context Hub, Decoder, Endpoint Log Hybrid, ESA Primary, ESA Secondary, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, UEBA, Warehouse Connector, and Workbench.

Refer to the Getting Started Guide for NetWitness Platform to become familiar with the major changes to the 11.x user interface. Refer to the Deployment Guide to become familiar with the major platform changes in 11.x.

Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Note: The Reporting Engine is installed on the NW Server host, Workbench is installed on the Archiver host, and Warehouse Connector can be installed on the Decoder host or Log Decoder host.

CentOS6 to CentOS7 Upgrade

NetWitness Platform 11.3 is a major release that involves upgrading to a newer version of the operating system (CentOS6 to CentOS7). In addition, the 11.3 platform environment has been improved greatly to accommodate current and future physical and virtual deployment types. These changes require an upgrade to the new environment and an upgrade of the functionality.

RSA NetWitness® Platform 11.3 Upgrade Path

The earliest supported upgrade path for RSA NetWitness® Platform 11.3 is Security Analytics 10.6.6.x. If you are running a version of NetWitness Platform that is prior to 10.6.6.x, you must update to 10.6.6.x before you can upgrade to 11.3. See the RSA Security Analytics 10.6.6 Update Guide on RSA Link.

Supported Host Upgrade Path

You must upgrade a host to the same host type:

  • Same Series RSA Physical Appliance to Same Series RSA Physical Appliance (that is, Series 4 to Series 4, Series 5 to Series 5).
    RSA does not support third-party physical hosts in 11.3.
  • On-Prem Virtual to On-Prem Virtual

Caution: The 11.3 upgrade does not support mixed-platform upgrades (for example, it does not support physical to virtual).

Hardware, Deployments, Services, and Features Not Supported in 11.3

RSA does not support upgrade of the following hardware, deployments, services, and features to 11.3.

  • RSA All-in-One (AIO) Appliance
  • Multiple NetWitness Server Deployment
  • IPDB service
  • Malware Analysis service co-located on the SA Server (Upgrade of Malware Analysis Enterprise is supported in 11.3.)
  • Standalone Warehouse Connector service (Upgrade of a co-located Warehouse Connector is supported in 11.3.)

  • Custom Health & Wellness policy in 10.6.x for the Context Hub Service
    After you upgrade to NetWitness 11.3, your custom policy is not present. In its place, there is the out-of-the-box Context Hub Server Monitoring Policy in the user interface, which is specific for version 11.3.

  • Defense Information Strategic Agency-Security Technical Information Guide (DISA-STIG) hardened deployments.
  • Warehouse Analytics (Data Science)

Event Stream Analysis (ESA) Upgrade Considerations

In RSA NetWitness® Platform 11.3, RSA changed how ESA Correlation Rules store and transmit the alerts the system generates. In 11.3, ESA sends all alerts to a central Alert system. The local MongoDB storage in ESA 10.6.6.x has been removed.

Note: If you did not use Incident Management in 10.6.6.x, you cannot view the 10.6.6.x ESA alerts in the 11.3 Respond component without running a migration script. Use the ESA Alert Migration script to migrate these alerts to the location in 11.3 that will allow Respond to view them. See the ESA Alert Migration Instructions knowledge base article in RSA Link for instructions on how to run this script.

Upgrade Considerations for ESA Rule Deployments

Caution: In NetWitness Platform 11.3, the ESA Correlation service contains data source changes that require changes to migrated ESA rule deployments. The 11.3 ESA Correlation service replaces the Event Stream Analysis service in earlier versions.

After you upgrade to 11.3, migrated ESA rule deployments have the following changes.

  1. If an ESA rule deployment contains two services before you upgrade to 11.3, the deployment splits into two deployments. You can only have one ESA Correlation service in an ESA rule deployment in version 11.3.
  2. If an ESA service has multiple ESA rule deployments before you upgrade to 11.3, they are combined into one deployment in version 11.3.

You can still access your old deployments. For a detailed example, see the ESA Configuration Guide for RSA NetWitness Platform 11.3.

Upgrade Phases

RSA recommends that you stagger host upgrades as described in this section. The update to CentOS7 and the need for physical or iDRAC access cause the 11.3 upgrade to take more time than most upgrades.

Caution: If you stagger the upgrade, you:
• Must upgrade the hosts in Phase 1 first, in the order shown.
• May not have all the features operational until you update your entire deployment.
• Will not have service administrative features available until you upgrade all the hosts in your deployment.

Phase 1

You perform Phase 1 first. You must upgrade the hosts in the following order:

  1. Security Analytics Server host
  2. Event Stream Analysis hosts
  3. Malware Analysis hosts
  4. Broker hosts (if you do not have a Broker, upgrade your Concentrator hosts)
    The 11.3 NetWitness Server (NW Server) cannot communicate with 10.6.6.x core services for the new Investigate functionality. This is why you must upgrade the Broker or Concentrator hosts in Phase 1.

Phase 2

Upgrade the rest of your hosts.

RSA recommends that you follow the order in Phase 2 to reduce:

  • Functionality loss during investigation.
  • Downtime that results in the loss of network and log capture.

Note: Other than Log Collection hosts with downstream event destinations, there is no technical reason to upgrade your hosts in the order shown in Phase 2.

This is the Phase 2 host upgrade order recommended by RSA.

  1. Decoder hosts
  2. Concentrator hosts
  3. Archiver hosts
  4. Log Collection hosts - Log Collectors on Log Decoder hosts (LDs), Virtual Log Collectors (VLCs) and Legacy Windows Collectors (LWCs)
    Before you upgrade a log collection host, you must prepare it for the upgrade. Part of this preparation ensures that no event data remains in the queues. This requires you to keep the downstream destinations of event data (Log Collectors, Virtual Log Collectors and Log Decoders) up and functioning properly.

    If you have event data destinations downstream from the Log Decoder, you must prepare and upgrade Log Collectors in the following order.

    1. LDs (one LD at a time)

    2. VLCs and LWCs

    If you do not have event data destinations downstream from the Log Decoder, you can prepare and upgrade multiple LDs, VLCs, and LWCs together.

  5. All other hosts

See "Running in Mixed Mode" under "The Basics" in the RSA NetWitness Platform Hosts and Services Getting Started Guide for:

  • Functionality gaps encountered while running in this mode.
  • Examples of staggered upgrades.

Phase 3 (Optional)

After you have upgraded all hosts in your deployment to 11.3, you can install a Warm Standby NW Server. Refer to "Warm Standby NW Server Host" under "Deployment Option Setup Procedures" in the Deployment Guide for NetWitness Platform for 11.3 for instructions on how to set up a Warm Standby NW Server.

Investigate in Mixed Mode

Mixed mode occurs when the NW Server host and Broker hosts are on the latest version (for example, 11.3) and the other core services such as Concentrators and Decoders are on any older version (for example, 10.6.6.x or 11.1.x.x-11.2.x.x). You must follow the host upgrade sequence as shown in Upgrade Phases to ensure complete Investigate functionality.

The 11.3 Investigate server is installed when you upgrade the SA Server, but Broker hosts need to be upgraded to 11.3 to access the Event Analysis view. If the Broker is not upgraded, analysts see a warning icon next to the Broker, and no data aggregated to that Broker can be displayed.

Mixed mode (that is, some services are upgraded to 11.3 and some are still at 10.6.6.x) also affects the functionality of Role-Based Access Control (RBAC). In mixed mode, when an analyst conducts an investigation, RBAC is not applied uniformly to viewing and downloads. After you upgrade all services to 11.3, when an analyst conducts an investigation, Role-Based Access Control of downloads works consistently to limit access to restricted data.

In mixed mode, if the sdk.packets setting has not been disabled on the 10.6.6.x services, analysts with SDK meta and roles permissions in place to restrict viewing and reconstructing an event's content can download the packet capture (PCAP) file of an event that has content restrictions. Other types of downloads appear to be successful, then generate errors due to insufficient permissions, and the data is still protected.

During a phased update, you can disable the sdk.packets setting on 10.6.6.x services to prevent analysts from downloading any PCAPs or logs. After you update all services to 11.3 and re-enable sdk.packets, RBAC works consistently across all services.

The following table identifies what users with the analysts role can see and download when the NW Server is at version 11.3, and the 11.3 Broker is connected to Concentrators and Decoders at version 10.6.6.x.

| | Analysts Can See | Restricted Content Analysts Can Download | Restricted Content Analysts Can Download with Errors |
|---|---|---|---|
| Events View | RBAC permitted items | PCAP | File archive (cannot unzip it) |
| Event Reconstruction View | RBAC permitted items | PCAP | File archive (cannot unzip it) |
| Event Analysis View | RBAC permitted items | PCAP | Payload (any option: all payloads, request only, response only) |
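
The phase ordering in Upgrade Phases and the mixed-mode caveat above can be combined into a pre-upgrade planning check. The following Python is an added example, not RSA code: the host type labels, the SDK_TYPES set, the function names and the inventory are all constructed for illustration.

```python
from collections import namedtuple

# Type labels are hypothetical names for this example, not product identifiers.
Host = namedtuple("Host", "name type version")
PHASE1 = ["sa_server", "esa", "malware_analysis", "broker"]
PHASE2 = ["decoder", "concentrator", "archiver"]
# Assumption: service types whose sdk.packets setting matters while on 10.6.6.x.
SDK_TYPES = {"broker", "concentrator", "decoder", "log_decoder"}

def plan_upgrade(hosts, downstream_of_ld=False):
    """Return ordered steps (phase, [host names]) for hosts not yet on 11.3."""
    pending = [h for h in hosts if not h.version.startswith("11.3")]
    phase1 = list(PHASE1)
    if not any(h.type == "broker" for h in hosts):
        phase1[-1] = "concentrator"  # no Broker: Concentrators move to Phase 1
    steps, planned = [], set()

    def add(phase, group):
        names = [h.name for h in group if h.name not in planned]
        if names:
            steps.append((phase, names))
            planned.update(names)

    def of(*types):
        return [h for h in pending if h.type in types]

    for phase, order in ((1, phase1), (2, PHASE2)):
        for t in order:
            add(phase, of(t))
    if downstream_of_ld:
        for ld in of("log_decoder"):
            add(2, [ld])  # one Log Decoder at a time
        add(2, of("vlc", "lwc"))
    else:
        add(2, of("log_decoder", "vlc", "lwc"))  # may be upgraded together
    add(2, pending)  # all other hosts
    return steps

def mixed_mode_exposure(hosts, steps, done):
    """10.6.6.x services not yet upgraded after the first `done` steps."""
    upgraded = {n for _, names in steps[:done] for n in names}
    return sorted(h.name for h in hosts
                  if h.type in SDK_TYPES and h.version.startswith("10.6.6")
                  and h.name not in upgraded)

# Constructed sample deployment, all hosts at 10.6.6.1.
INVENTORY = [Host(n, t, "10.6.6.1") for n, t in [
    ("ld1", "log_decoder"), ("conc1", "concentrator"), ("vlc1", "vlc"), ("esa1", "esa"),
    ("sa", "sa_server"), ("dec1", "decoder"), ("ld2", "log_decoder"), ("brk1", "broker")]]
```

Calling mixed_mode_exposure after each completed step lists the services still at 10.6.6.x, which are the ones where sdk.packets would need to stay disabled until their upgrade.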


Virtual Host Upgrade Workflow

The following diagram illustrates the RSA NetWitness® Platform 11.3 Virtual Host upgrade workflow.

Contact Customer Support

Refer to the Contact RSA Customer Support page in RSA Link for instructions on how to get help on RSA NetWitness Platform 11.3.
