Update Instructions

Document created by RSA Information Design and Development Employee on Jul 9, 2019Last modified by RSA Information Design and Development Employee on Sep 30, 2019
Version 4Show Document
  • View in full screen mode

Task 1. Stop Data Capture and Aggregation

You must stop data capture and aggregation for the following services:

  • Decoder
  • Log Decoder
  • Broker
  • Concentrator
  • Archiver

Stop Network Capture

These steps are for Decoders.

  1. Log in to NetWitness Platform and go to ADMIN > Services.
    The Services view is displayed.
  2. Select each Decoder service.

  3. Under (actions), select View > System.
  4. In the toolbar, click .

Stop Log Capture

These steps are for Log Decoders.

  1. Log in to NetWitness Platform and go to ADMIN > Services.
    The Services view is displayed.
  2. Select each Log Decoder service.
  3. Under (actions), select View > System.
  4. In the toolbar, click .

Stop Aggregation

These steps are for Brokers, Concentrators, and Archivers.

  1. Log in to NetWitness Platform and go to ADMIN > Services.
  1. Select the Broker, Concentrator, or Archiver service.
  2. Under (actions), select View > Config.
  3. The General tab is displayed.
  4. Under Aggregated Services click .

Task 2. (Conditional) Back Up Customized Respond Service Normalization Scripts

Respond service normalization scripts are stored in the /var/lib/netwitness/respond-server/scripts directory. Back them up before you upgrade to so you can restore your customizations in as described in the Respond Post Upgrade Tasks.

  1. Go to the /var/lib/netwitness/respond-server/scripts directory.
  2. Back up the following files:
    normalize_ueba_alerts.js (11.3 only)
  3. If you customized any of the above scripts, copy the customizations so that you can restore them in

Task 3. Record Any String Array Type Meta Keys on the Event Stream Analysis Service

Note: If you are upgrading directly from 11.1.x.x or 11.2.x.x, you must perform this task.

To record any string array type meta keys in the ArrayFieldNames parameter on the Event Stream Analysis service:

  1. Log into NetWitness Platform and go to ADMIN > Services.
  2. Select the Event Stream Analysis service and click (actions) > View > Explore.
  3. In the Explore view node list, select Workflow > Source > netgenAggregationSource.
  4. In the ArrayFieldNames list, make a note of the string array type meta keys listed so you can verify that they are on the ESA Correlation service after the upgrade.

These are the default string array types from versions 11.1.x.x to 11.2.x.x:

  • action
  • alias_host
  • alias_ip
  • alias_ipv6
  • analysis_file
  • analysis_service
  • analysis_session
  • boc,email
  • eoc
  • inv_category
  • inv_context
  • ioc
  • netname
  • username

Upgrade Tasks

Perform the following tasks to upgrade to

There are two methods you can use to upgrade the service pack:

Task 1. (Conditional - Offline Methods Only) Download the Patch


Download the file below, which contains all the NetWitness Platform upgrade files, from RSA Link (https://community.rsa.com/) >NetWitness Platform > RSA NetWitness Logs and Network Downloads to a local directory: netwitness-

For more information, see Offline Methods (No Connectivity to Live Services).


Task 2. (Conditional - CLI Offline Method Only) Upgrade External Repository

Note: Perform this step only if you are using an external repository for

Upgrade the external repository with the latest upgrade content for NetWitness Platform by downloading the following file: netwitness-

For more information, see Appendix A. Offline Method (No Connectivity to Live Services) - Command Line Interface .

Task 3. Upgrade the Service Pack

You can choose one of the following upgrade methods based on your internet connectivity:

Online Method (Connectivity to Live Services)

You can use this method if the NW Server host is connected to Live Services and if you are able to obtain the package.

Note: If the NW Server host does not have access to Live Services, use Offline Method (No connectivity to Live Services).


Make sure that:

  1. The Automatically download information about new upgrades every day option is checked and is applied in ADMIN > System > Updates .
  2. Go to ADMIN > Hosts > Update > Check for Updates to check for upgrades. The Host view displays the Update Available status.
  3. is available in the Update Version column.

Note: If you have custom certs, move any custom certs from /etc/pki/nw/trust/import/ directory to /root/cert. Follow these steps to move the certs:
1. mkdir /root/cert
2. mv /etc/pki/nw/trust/import/* /root/cert


  1. Go to ADMIN > Hosts.
  2. Select the NW Server (nw-server) host.
  3. Check for the latest updates.

  4. Update Available is displayed in the Status column if you have a version update in your Local Update Repository for the selected host.
  5.  Select from the Update Version column. If you:
    • Want to view a dialog with the major features in the update and information on the updates, click the information icon () to the right of the update version number.
    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message "New updates are available" is displayed and the Status column updates automatically to show Update Available. By default, only supported updates for the selected host are displayed.
  6. Click Update > Update Host from the toolbar.
  7. Click Begin Update.
  8. Click Reboot Host.
  9. Repeat steps 6 to 8 for other hosts.

Note: You can select multiple hosts to update at the same time only after upgrading and rebooting the NW Server host. All ESA, Endpoint, and Malware Analysis hosts should be upgraded to the same version as that of the NW Server host.

Offline Method (No connectivity to Live Services)

If your version of NetWitness Platform has no connection to the Internet and you want to upgrade to

  • From the User Interface, follow these instructions.

Caution: The offline User Interface method is only available if you are upgrading a host from or later to If you are upgrading a host on an earlier version, you must use the Offline Command Line Interface method.

The following rules apply when you apply version updates:

  • You must update the NW Server host first.
  • You can only apply a version that is the compatible with the existing host version.

Note: Alternatively, you can upgrade using the Command Line Interface if you have no connectivity to Live Services. Refer to Appendix A. Offline Method (No connectivity to Live Services). Upgrade Using the Command Line Interface for instructions.

Task 1. Populate Staging Folder (/var/lib/netwitness/common/update-stage/) with Version Updates

  1. Download the netwitness- update package from RSA Link to a local directory.
  2. SSH to the NW Server host.
  1. Copy netwitness- from the local directory to the /var/lib/netwitness/common/update-stage/ staging folder. For example:
    sudo cp /tmp/netwitness- /var/lib/netwitness/common/update-stage/

    Note: NetWitness Platform unzips the file automatically.

Task 2. Apply Updates from the Staging Area to Each Host

Caution: You must update the NW Server host before updating any Non-NW Server host.

  1. Log in to NetWitness Platform.
  2. Go to ADMIN > HOSTS.
  3. Check for updates and wait for the update packages to be copied, validated, and ready to be initialized.

    "Ready to initialize packages" is displayed if:
    • NetWitness Platform can access the update package.
    • The package is complete and has no errors.

    Refer to Troubleshooting Version Installations and Updates for instructions on how to troubleshoot errors (for example, "Error deploying version <version-number>" and "Missing the following update package(s)," displayed in the Initiate Update Package for RSA NetWitness Platform dialog.

  4. Click Initialize Update.

    It takes some time to initialize the packages because the files are large and need to be unzipped.
    After the initialization is successful, the Status column displays Update Available and you complete the rest of the steps in this procedure to finish the update of the host.
  5. Click Update > Update Hosts from the toolbar.

  6. Click Begin Update from the Update Available dialog.
    After the host is updated, it prompts you to reboot the host.
  7. Click Reboot from the toolbar.

Previous Topic:Introduction
You are here
Table of Contents > Instructions