000026782 - How to change the IP address of an RSA Security Analytics appliance

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026782
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Hybrid, Broker, Security Analytics Server
IssueHow to change the IP address of an RSA Security Analytics appliance.
How do I change the IP address on my Security Analytics device?
How can I change the IP address on a NetWitness appliance?

To change the IP address of an RSA Security Analytics appliance, follow the steps below.

1. Typically there are multiple interfaces on each SA host. IStart by identifying what ip addresses are configured by typing the ifconfig -a command, which will  list all of the interfaces that are configured.  Below is a sample, noting the device name itself may differ:

[root@rsadecoder--0 ~]# ifconfig -a

 eth0 Link encap:Ethernet HWaddr 00:50:56:01:09:2D
 inet addr: Bcast: Mask:
 inet6 addr: fe80::250:56ff:fe01:92d/64 Scope:Link
 RX packets:24623163 errors:0 dropped:0 overruns:0 frame:0
 TX packets:10921204 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:2721898524 (2.5 GiB) TX bytes:1971939616 (1.8 GiB)

 eth1 Link encap:Ethernet HWaddr 00:50:56:01:09:2C
  inet addr: Bcast: Mask:
 inet6 addr: fe80::250:56ff:fe01:92c/64 Scope:Link
 RX packets:1572456 errors:0 dropped:0 overruns:0 frame:0
 TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:297427623 (283.6 MiB) TX bytes:1382 (1.3 KiB)

 lo Link encap:Local Loopback
 inet addr: Mask:
 inet6 addr: ::1/128 Scope:Host
 RX packets:15480 errors:0 dropped:0 overruns:0 frame:0
 TX packets:15480 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:1474624 (1.4 MiB) TX bytes:1474624 (1.4 MiB)

2. In the above listing, I have 2 interfaces (eth0 and eth1) and a loopback configured (loopback is always configured and is a logical vs  physical reserved interface).   This example demonstrates changing the ip address for eth0.

3. Edit the ethernet configuration script for eth0 (ifcfg-eth0) using the VI editor.

a.  Issue the following command:  cd /etc/sysconfig/network-scripts
b.  By executing the "ls" command, observe that the 2 interfaces (eth0 and eth1) have an associated configuration script in the name format of ifcfg-<interface_name_and_number>.  This example will demonstrate how to change the eth0's ip address.
c.  Note that system administration best practices dictate to make a backup of any file you edit it, so make a copy first with the following command:  cp ifcfg-eth0 ifcfg-eth0.backup<today's_date>
d.  Issue the command vi ifcfg-eth0 and observe the following:

 e.  Change the IP address (and the netmask if that is also changing) to match the new IP address (and netmask), and save the file.
                     Note: In a default configuration, there is no GATEWAY entry in the ethernet device configuration script. This is however a default, not a hardfast rule. If you have a GATEWAY=<gateway IP address>, and the gateway that devices' network is changing, change the gateway entry in the configuration script.

4. The configuration file network, located in /etc/sysconfig, typically contains the default gateway for the host. If your default gateway is also changing, change the gateway entry in the network file. (backup network before editing by issueing the following command:  cp network network.<today's_date>)


5. The /etc/hosts file can contain the devices' IP address, for example:

 Created by NetWitness Installer on Tue Nov 5 21:39:02 UTC 2013 localhost.localdom localhost
 ::1 localhost.localdom localhost ip6-localhost ip6-loopback rsadecoder-0 # NIC <eth0> rsadecoder-0 # NIC <eth1> rsareNsa-00-1 rsareNsa-00-l

6. When ready, reboot the host by issuing the following command:  shutdown -r now

NotesIP address changes are performed from the command line by the root account.  Basic Linux system administration skills are needed, and system administration best practices should always be used. When changing the IP addresses, it is extremely advisable to be on the system console.
The RSA Security Analytics software and product licenses are not tied to a specific IP address. Furthermore, the IP address of a specific device is not embedded in any Security Analytics software configuration files that would prevent the product processes from starting or otherwise not be operational.  An IP address change is only configured at the OS level. However, if a specific device was added using its IP address vs its FQDN, the device's IP address will need to be modified in the Security Analytics UI before it will become operational again. 
This document does not provide the procedure for that change.  Other considerations include IP address changes should only be done during scheduled maintenence windows.  DNS PTR record changes should me made as close to the time of the systems physical IP address change as possible.
Legacy Article IDa65556