000030044 - How to Index Reset an RSA Security Analytics Appliance in Explore View

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000030044

Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.2 and above
Platform: CentOS
O/S Version: 6
Issue

Use the following steps to perform an index reset on an RSA Security Analytics appliance.
This process can take up to 30 hours or more on appliances with large indexes and multiple DACs attached. The appliance will not be able to capture or aggregate data while the process is running. Please plan any maintenance activity accordingly.

Tasks

Use these steps to perform an index reset on an appliance.
These steps show how to reset the index on an RSA Security Analytics Concentrator, but the steps are similar for all core appliances.
  1. Log on to the SA WebUI with administrator privilege.
  2. Navigate to the Services tab.
  3. Select the Concentrator service and enter the Explore view.
     (Figure: Selecting the Explore View for a Service)

  4. In Explore view, select the Concentrator node in the left-hand frame, right-click, and select "properties."
     (Figure: Explore View)

  5. In the lower-right frame, choose "reset" from the pick-list.
     (Figure: Reset Options)

  6. Review the text in the "Message Help" window:
     Reset data, index, stats, configuration, or logs for this service. Data automatically deletes index and stats. Service is automatically restarted.
     Example arguments:
     data=1 config=1 log=1
     This example will reset data, index, logs, and configuration
     index=1
     This example will reset the index only

  7. To verify the progress of the index reset, open an ssh session to the appliance and run the following command on the appliance:
     tail -f /var/log/messages

  8. Enter "index=1" into the parameters field and then click "Send".
     (Figure: Index Reset)

  9. Note that the "Response Output" field will display the following message:
     "The process is being restarted due to data reset"
     This message indicates some portion of the "data" has been reset. In this case, the data is the index data.

 10. The /var/log/messages file will display messages like the following to indicate the progress of an index reset operation:
Apr 14 16:38:16 CSTConcentrator05 nw[2000]: [Engine] [audit] User admin (session 888, [::ffff:137.69.130.64]:34084) is performing a data reset: index=1
Apr 14 16:38:16 CSTConcentrator05 nw[2000]: [Engine] [info] Starting server shutdown
[snipped]
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [Index] [info] Index save completed
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [meta] [info] Database is closed with 3 file(s) containing 368,360,292 objects with ID range 1 to 368,360,292
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [session] [info] Database is closed with 3 file(s) containing 13,291,142 objects with ID range 1 to 13,291,142
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [Index] [info] Saving index, queries are queued during save operation
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [Index] [info] Index save completed
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [Engine] [info] Server 'CSTConcentrator05' has been shutdown
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [stats] [info] Database is closed with 9 file(s) containing 7,637,411 objects with ID range 3,634,373 to 11,271,783
Apr 14 16:38:17 CSTConcentrator05 nw[2000]: [ServiceConnectionNode::messageHandler] [failure] cstpdecoder05:50004: Operation canceled
Apr 14 16:38:18 CSTConcentrator05 init: nwconcentrator main process ended, respawning
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Engine] [info] RSA Security Analytics Engine 10.3.2.2436 Copyright 2001-2013, RSA Security Inc.  All Rights Reserved.
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Engine] [info] Running NetWitness concentrator in console
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Engine] [info] RSA Security Analytics Engine 10.3.2.2436 (Jan 29 2014) 64 bit Starting
[snipped]
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Engine] [info] Loading module 'concentrator'
Apr 14 16:38:19 CSTConcentrator05 nw[1711]: [Appliance] [info] concentrator started on port 50005
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Engine] [info] Security Analytics Concentrator Server 'CSTConcentrator05' is running and listening on port 50005
[snipped]
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Index] [info] Using language file found at /etc/netwitness/ng/index-concentrator.xml
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Index] [info] No custom language file found at /etc/netwitness/ng/index-concentrator-custom.xml
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexes are being initialized
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Index] [warning] No valid checkpoints found, performing full reset
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexes have finished initialization (Sessions 0-0)
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Index] [info] Index being updated for session range 1 to 13291142
[snipped]
Apr 14 16:39:19 CSTConcentrator05 nw[2044]: [Index] [info] Checkpoint Statistics - Values Added: 13209  Pages Added: 17173
Apr 14 16:39:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexing updating sessions 2056001 to 2057000 with ETF: 0 hours, 5 minutes (15%)
Apr 14 16:40:19 CSTConcentrator05 nw[2044]: [Index] [info] Checkpoint Statistics - Values Added: 30822  Pages Added: 40832
Apr 14 16:40:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexing updating sessions 5540001 to 5541000 with ETF: 0 hours, 2 minutes (41%)
Apr 14 16:41:19 CSTConcentrator05 nw[2044]: [Index] [info] Checkpoint Statistics - Values Added: 55406  Pages Added: 74665
Apr 14 16:41:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexing updating sessions 11126001 to 11127000 with ETF: 0 hours, 0 minutes (83%)
Apr 14 16:41:46 CSTConcentrator05 nw[2044]: [Index] [info] Index update completed in 00:03:27
Apr 14 16:41:46 CSTConcentrator05 nw[2044]: [Index] [info] Indexes saved for sessions 1-13291142 to slice 0
Apr 14 16:41:46 CSTConcentrator05 nw[2044]: [Recovery] [info] Loaded recovery file containing value 13291142
Apr 14 16:41:46 CSTConcentrator05 nw[2044]: [Recovery] [info] System recovery detected no problems.  Last known is 13291142 and last in database is 13291142
[snipped]
Apr 14 16:41:46 CSTConcentrator05 nw[2044]: [Aggregation] [info] Aggregation is starting
[snipped]
Apr 14 16:41:47 CSTConcentrator05 nw[2044]: [Engine] [info] Module concentrator successfully loaded
Apr 14 16:41:47 CSTConcentrator05 nw[2044]: [stats] [info] Database is open with 9 file(s) containing 7,637,411 objects with ID range 3,634,373 to 11,271,783
[snipped]
Apr 14 16:41:47 CSTConcentrator05 nw[2044]: [Rest] [info] REST service listening on port 50105


In this case, the reset index operation took only 5 minutes, as noted by the "Estimated Time to Finish" entries, abbreviated as ETF in the log entries.
Once the reset was completed, the process logged "Index update completed in 00:03:27."
The Concentrator module is logged as loaded, and the final message indicates the REST service is listening on the expected port of 50105 for a Concentrator.
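The following shell script is an added example and is not part of the RSA article or the product. It shows how the three kinds of log line the article relies on (the audit record of who requested the reset and from where, the ETF progress lines, and the completion line) can be pulled out of /var/log/messages without watching the whole tail. The sample log it writes under $TMPDIR is constructed from the article's excerpt, and the function names are my own; on an appliance you would point the same functions at /var/log/messages instead.

```shell
#!/bin/sh
# Added example, not from the RSA article: summarise an index reset from
# /var/log/messages-style lines. Useful both for the operator waiting on the
# reset and for anyone later reviewing who reset an appliance and with which
# arguments. Sample lines below are constructed from the article's excerpt.

SAMPLE_LOG="${TMPDIR:-/tmp}/index_reset_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 14 16:38:16 CSTConcentrator05 nw[2000]: [Engine] [audit] User admin (session 888, [::ffff:137.69.130.64]:34084) is performing a data reset: index=1
Apr 14 16:38:16 CSTConcentrator05 nw[2000]: [Engine] [info] Starting server shutdown
Apr 14 16:38:19 CSTConcentrator05 nw[2044]: [Index] [warning] No valid checkpoints found, performing full reset
Apr 14 16:39:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexing updating sessions 2056001 to 2057000 with ETF: 0 hours, 5 minutes (15%)
Apr 14 16:40:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexing updating sessions 5540001 to 5541000 with ETF: 0 hours, 2 minutes (41%)
Apr 14 16:41:19 CSTConcentrator05 nw[2044]: [Index] [info] Indexing updating sessions 11126001 to 11127000 with ETF: 0 hours, 0 minutes (83%)
Apr 14 16:41:46 CSTConcentrator05 nw[2044]: [Index] [info] Index update completed in 00:03:27
Apr 14 16:41:47 CSTConcentrator05 nw[2044]: [Rest] [info] REST service listening on port 50105
EOF

# Audit record: which user requested the reset, from which source address,
# and with which arguments. Output form: user=<u> src=<addr> args=<args>
reset_audit() {
    grep '\[audit\] User .* is performing a data reset' "$1" |
    sed -E 's/.*User ([^ ]+) \(session [0-9]+, ([^)]+)\) is performing a data reset: (.*)$/user=\1 src=\2 args=\3/'
}

# Most recent completion percentage reported in an ETF progress line.
reset_progress() {
    grep -o 'ETF: .*([0-9]*%)' "$1" | tail -n 1 | sed -E 's/.*\(([0-9]+)%\)/\1/'
}

# "completed HH:MM:SS" once the engine logs the completion line, else "running".
reset_status() {
    elapsed=$(sed -nE 's/.*Index update completed in ([0-9:]+).*/\1/p' "$1" | tail -n 1)
    if [ -n "$elapsed" ]; then echo "completed $elapsed"; else echo "running"; fi
}

# The Message Help text warns that data=1 also deletes index and stats; flag
# a reset that was requested with that argument so it stands out in review.
reset_destructive() {
    grep -q 'is performing a data reset: .*data=1' "$1" && echo yes || echo no
}

# Stand-alone run against the constructed sample. On an appliance, replace
# "$SAMPLE_LOG" with /var/log/messages after sending index=1 in Explore view.
echo "$(reset_audit "$SAMPLE_LOG")"
echo "progress: $(reset_progress "$SAMPLE_LOG")%  status: $(reset_status "$SAMPLE_LOG")  data-wipe: $(reset_destructive "$SAMPLE_LOG")"
```

The audit line is the one worth keeping: it records the account, session and source address behind the reset, so a reset that nobody scheduled can be traced from the appliance's own log rather than only from the WebUI.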

Notes

This solution applies to the following core appliances.

RSA Security Analytics Appliances    RSA NetWitness NextGen Appliances
Packet Decoder                       Packet Decoder
Log Decoder                          Log Decoder
Concentrator                         Concentrator
Packet Hybrid                        Packet Hybrid
Log Hybrid                           Broker
Broker
Packet All-In-One
Log All-In-One
