Update 11.3.1: Instructions

Document created by RSA Information Design and Development on Jul 9, 2019. Last modified by RSA Information Design and Development on Jul 16, 2019. Version 2.

Pre-Update Tasks

Task 1. Stop Data Capture and Aggregation

You must stop data capture and aggregation for the following services:

  • Decoder
  • Log Decoder
  • Broker
  • Concentrator
  • Archiver

Stop Network Capture

These steps are for Decoders.

  1. Log in to NetWitness Platform and go to ADMIN > Services.
    The Services view is displayed.
  2. Select each Decoder service.
  3. Under (actions), select View > System.
  4. In the toolbar, click .

Stop Log Capture

These steps are for Log Decoders.

  1. Log in to NetWitness Platform and go to ADMIN > Services.
    The Services view is displayed.
  2. Select each Log Decoder service.
  3. Under (actions), select View > System.
  4. In the toolbar, click .

Stop Aggregation

These steps are for Brokers, Concentrators, and Archivers.

  1. Log in to NetWitness Platform and go to ADMIN > Services.
  2. Select the Broker, Concentrator, or Archiver service.
  3. Under (actions), select View > Config.
  4. The General tab is displayed.
  5. Under Aggregated Services click .

Task 2. (Conditional) Back Up Customized Respond Service Normalization Scripts

Respond service normalization scripts are stored in the /var/lib/netwitness/respond-server/scripts directory. Back them up before you update to 11.3.1.0 so you can restore your customizations in 11.3.1.0 as described in the Respond Post Update Tasks.

  1. Go to the /var/lib/netwitness/respond-server/scripts directory.
  2. Back up the following files:
    data_privacy_map.js
    normalize_alerts.js
    normalize_core_alerts.js
    normalize_ecat_alerts.js
    normalize_ma_alerts.js
    normalize_ueba_alerts.js (11.3 only)
    normalize_wtd_alerts.js
    utils.js
  3. If you customized any of the above scripts, copy the customizations so that you can restore them in 11.3.1.0.
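The following added example (not part of the RSA document) backs up the scripts listed above into a directory of your choice, records a SHA-256 manifest, and, after the update, lists the scripts whose live copy no longer matches the backup, so you know which customizations to re-apply. The helper names are this example's own; the script list and the /var/lib/netwitness/respond-server/scripts path are taken from the page.

```shell
#!/bin/sh
# Added example, not RSA tooling: back up the Respond normalization scripts
# named in the update instructions and write a SHA-256 manifest, then use
# the manifest after the update to find scripts whose content changed.
RESPOND_SCRIPTS="data_privacy_map.js normalize_alerts.js normalize_core_alerts.js
normalize_ecat_alerts.js normalize_ma_alerts.js normalize_ueba_alerts.js
normalize_wtd_alerts.js utils.js"

# backup_respond_scripts SRC_DIR DEST_DIR
# Copies each listed script that exists (normalize_ueba_alerts.js is 11.3
# only, so it may be absent), records its sha256 in DEST_DIR/MANIFEST.sha256
# and prints the number of files backed up.
backup_respond_scripts() {
  src="$1"; dest="$2"; count=0
  mkdir -p "$dest" || return 1
  : > "$dest/MANIFEST.sha256"
  for f in $RESPOND_SCRIPTS; do
    if [ -f "$src/$f" ]; then
      cp -p "$src/$f" "$dest/$f" || return 1
      (cd "$dest" && sha256sum "$f") >> "$dest/MANIFEST.sha256"
      count=$((count + 1))
    else
      echo "missing (skipped): $src/$f" >&2
    fi
  done
  echo "$count"
}

# changed_since_backup BACKUP_DIR LIVE_DIR
# Prints one line per script whose live copy differs from (or is missing
# compared to) the backup; these are the files to review for customizations.
changed_since_backup() {
  backup="$1"; live="$2"
  while read -r sum name; do
    [ -f "$live/$name" ] || { echo "$name (removed)"; continue; }
    live_sum=$(sha256sum "$live/$name" | cut -d' ' -f1)
    [ "$live_sum" = "$sum" ] || echo "$name"
  done < "$backup/MANIFEST.sha256"
}

# Typical use on the NW Server, e.g. before the update:
#   backup_respond_scripts /var/lib/netwitness/respond-server/scripts /root/respond-backup
# and after it:
#   changed_since_backup /root/respond-backup /var/lib/netwitness/respond-server/scripts
```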

Task 3. Record Any String Array Type Meta Keys on the Event Stream Analysis Service

Note: If you are updating directly from 11.2.x.x or earlier, you must perform this task.

If you added any string array type meta keys to the Event Stream Analysis service for your ESA correlation rules, record these meta keys so you can verify that they exist after updating to 11.3.1.0.

To record your 11.2.x.x or earlier string array type meta keys before the 11.3.1.0 update:

  1. Log into NetWitness Platform and go to ADMIN > Services.
  2. Select the Event Stream Analysis service and click (actions) > View > Explore.
  3. In the Explore view node list, select Workflow > Source > netgenAggregationSource.
  4. In the ArrayFieldNames list, make a note of any string array type meta keys added to the Event Stream Analysis service so you can verify that they are on the ESA Correlation service after the upgrade.

These are the default string array types from versions 10.6.6.x to 11.2.x.x:

  • action
  • alias_host
  • alias_ip
  • alias_ipv6
  • analysis_file
  • analysis_service
  • analysis_session
  • boc
  • email
  • eoc
  • inv_category
  • inv_context
  • ioc
  • netname
  • username

Update Tasks

Task 1. Download the 11.3.1.0 Patch

Download the file below, which contains all the NetWitness Platform 11.3.1.0 update files, from RSA Link (https://community.rsa.com/) > NetWitness Platform > RSA NetWitness Logs and Network Downloads to a local directory:
netwitness-11.3.1.0.zip


Task 2. Update External Repository

Note: Perform this step only if you are using an external repository for 11.3.1.0.

Update the external repository with the latest update content for NetWitness Platform 11.3.1.0 by downloading the following file:
netwitness-11.3.1.0.zip.

For more information, see External Repo Instructions for CLI Update.

Task 3. Update the Service Pack

You can choose one of the following update methods based on your internet connectivity.

Online Method (Connectivity to Live Services). Update Using the NetWitness Platform User Interface

You can use this method if the NW Server host is connected to Live Services and if you are able to obtain the package.

Note: If the NW Server host does not have access to Live Services, use Offline Method (No connectivity to Live Services). Update Using the Command Line Interface.

Prerequisites

Make sure that:

  1. The Automatically download information about new updates every day option is checked and is applied in ADMIN > System > Updates.
  2. Go to ADMIN > Hosts > Update > Check for Updates to check for updates. The Host view displays the Update Available status.
  3. 11.3.1.0 is available in the Update Version column.

Note: If you have custom certs, move any custom certs from the /etc/pki/nw/trust/import/ directory to /root/cert. Follow these steps to move the certs:
  1. mkdir /root/cert
  2. mv /etc/pki/nw/trust/import/* /root/cert

Procedure

  1. Go to ADMIN > Hosts.
  2. Select the NW Server (nw-server) host.
  3. Check for the latest updates.

  4. Update Available is displayed in the Status column if you have a version update in your Local Update Repository for the selected host.
  5. Select 11.3.1.0 from the Update Version column. If you:
    • Want to view a dialog with the major features in the update and information on the updates, click the information icon () to the right of the update version number.
    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message "New updates are available" is displayed and the Status column updates automatically to show Update Available. By default, only supported updates for the selected host are displayed.
  6. Click Update > Update Host from the toolbar.
  7. Click Begin Update.
  8. Click Reboot Host.
  9. Repeat steps 6 to 8 for other hosts.

Note: You can select multiple hosts to update at the same time only after updating and rebooting the NW Server host. All ESA, Endpoint, and Malware Analysis hosts should be updated to the same version as that of the NW Server host.

Offline Method (No connectivity to Live Services). Update Using the Command Line Interface

You can use this method if the NW Server host is not connected to Live Services.

Prerequisites

Make sure that you have downloaded the following files from RSA Link (https://community.rsa.com/) > NetWitness Platform > RSA NetWitness Logs and Network > Downloads > RSA Downloads to a local directory:

  • If you are updating from an 11.1.x.x or an 11.2.x.x release, download netwitness-11.3.0.0.zip and netwitness-11.3.1.0.zip.
  • If you are updating from 11.3.0.0, download netwitness-11.3.1.0.zip.
  • If you are using an external repository, you can update the external repository with the latest update content. For more information, see Task 2. Update External Repository.

Procedure

You need to perform the update steps for NW Server hosts and for component servers.

Note: If you are updating from 11.1.x.x or 11.2.x.x to 11.3.1.0, you must download the NetWitness Platform 11.3.0.0 files (netwitness-11.3.0.0.zip) and set them up in the staging folder along with the 11.3.1.0 files.

Note: If you copy and paste the commands from PDF to Linux SSH terminal, the characters do not work. It is recommended to type the commands.

  1. If you are updating from 11.1.x.x or 11.2.x.x, you must stage 11.3.0.0 and 11.3.1.0. Log into the /root directory of the NW Server and create the following directories:
    /tmp/upgrade/11.3.0.0
    /tmp/upgrade/11.3.1.0
    and then copy the package zip files to the /root directory of the NW Server and extract the package files from /root to the appropriate directories using the following commands:
    unzip netwitness-11.3.0.0.zip -d /tmp/upgrade/11.3.0.0
    unzip netwitness-11.3.1.0.zip -d /tmp/upgrade/11.3.1.0
  2. If you are updating from 11.3.0.0 to 11.3.1.0, you only need to stage 11.3.1.0. Log into the /root directory of the NW Server and create the following directory:
    /tmp/upgrade/11.3.1.0
    and then copy the package zip file to the /root directory of the NW Server and extract the package files from /root to the /tmp/upgrade/11.3.1.0 directory using the following command:
    unzip netwitness-11.3.1.0.zip -d /tmp/upgrade/11.3.1.0

    Note: If you copied the .zip file to the created staging directory to unzip, make sure that you delete the initial .zip file that you copied to the staging location after you extract it.

  3. Initialize the update, using the following command:
    upgrade-cli-client --init --version 11.3.1.0 --stage-dir /tmp/upgrade
  4. Update the NW Server host, using the following command:
    upgrade-cli-client --upgrade --host-addr <IP of Netwitness Server> --version 11.3.1.0
  5. When the component host update is successful, reboot the host from the NetWitness Platform user interface in the Hosts view.
  6. Repeat steps 3 through 5 for each component host, changing the IP address to the component host which is being updated.
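As an added example (not RSA's upgrade tooling), the staging decision above can be scripted: given the version you are updating from, it picks the packages to stage (11.3.0.0 and 11.3.1.0 from 11.1.x.x/11.2.x.x, only 11.3.1.0 from 11.3.0.0), refuses to extract anything until every required zip is present, and removes any zip left inside the staging tree as the note requires. The function names and the PKG_DIR/STAGE_ROOT parameters are this example's own.

```shell
#!/bin/sh
# Added example, not RSA tooling: stage netwitness-<version>.zip packages
# under a staging root (the page uses /tmp/upgrade) for the offline update.

# required_packages FROM_VERSION -> prints the package versions to stage
required_packages() {
  case "$1" in
    11.1.*|11.2.*) echo "11.3.0.0 11.3.1.0" ;;
    11.3.0.0)      echo "11.3.1.0" ;;
    *) echo "unsupported source version: $1" >&2; return 1 ;;
  esac
}

# leftover_zips STAGE_ROOT -> prints any .zip still inside the staging tree
leftover_zips() {
  find "$1" -name '*.zip' -type f 2>/dev/null
}

# stage_packages FROM_VERSION PKG_DIR STAGE_ROOT
# Checks every required zip exists in PKG_DIR before extracting, so a
# half-staged tree is never handed to upgrade-cli-client --init.
stage_packages() {
  from="$1"; pkgdir="$2"; root="$3"
  versions=$(required_packages "$from") || return 1
  for v in $versions; do
    [ -f "$pkgdir/netwitness-$v.zip" ] || {
      echo "missing $pkgdir/netwitness-$v.zip" >&2; return 1; }
  done
  for v in $versions; do
    mkdir -p "$root/$v" || return 1
    unzip -q "$pkgdir/netwitness-$v.zip" -d "$root/$v" || return 1
  done
  # Per the note above: a zip copied into the staging directory must be
  # deleted after extraction.
  leftover_zips "$root" | while read -r z; do rm -f "$z"; done
  echo "staged: $versions"
}

# Typical use on the NW Server (zips copied to /root):
#   stage_packages 11.2.1.0 /root /tmp/upgrade
#   upgrade-cli-client --init --version 11.3.1.0 --stage-dir /tmp/upgrade
```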

Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on the NW Server host. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error is displayed during the update process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the service pack will install correctly. No action is required. If you encounter additional errors when updating a host to a new version, contact Customer Support (Contacting Customer Care).

External Repo Instructions for CLI Update

Note: The external repo should have separate directories for 11.3.0.0 and 11.3.1.0, as described in Offline Method (No connectivity to Live Services). Update Using the Command Line Interface.

  1. Stage 11.3.1.0 by creating a directory on the NW Server host at /tmp/upgrade/11.3.1.0 and extract the zip package.
    unzip netwitness-11.3.1.0.zip -d /tmp/upgrade/11.3.1.0

    Note: If you copied the .zip file to the created staging directory to unzip, make sure that you delete the initial .zip file that you copied to the staging location after you extract it.

  2. Initialize the update, using the following command:
    upgrade-cli-client --init --version 11.3.1.0 --stage-dir /tmp/upgrade
  3. Update the NW Server host using the following command:
    upgrade-cli-client --upgrade --host-addr <IP of Netwitness Server> --version 11.3.1.0
  4. When the NW Server host update is successful, reboot the host from the NetWitness UI.
  5. Repeat steps 3 and 4 for each component host, changing the IP address to the component host which is being updated.

Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on the NW Server host. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error displays during the update process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the service pack will install correctly. No action is required. If you encounter additional errors when updating a host to a new version, contact Customer Support (Contacting Customer Care).
