000014624 - Adding a new filesystem monitor to an RSA NetWitness appliance via the Appliance Tasks causes service restart and doesn't appear in dashboard

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000014624
Applies ToRSA NetWitness NextGen
RSA NetWitness NextGen 9.5.5.9
RSA NetWitness Decoder
RSA NetWitness Log Decoder
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker
IssueAdding a new filesystem monitor to an RSA NetWitness appliance via the Appliance Tasks causes service restart and doesn't appear in dashboard.
CauseThere is known bug in NextGen 9.5.5.9 that will cause the Appliance service to restart when attempting to add a filesystem monitor via Appliance Tasks for a path that is already monitored.  The duplicate entries will also prevent the filesystem monitor from appearing in the appliance dashboard on the Stats page.
ResolutionTo resolve this issue, users would need to follow the below steps to verify duplicate filesystem monitor entries, manually remove all non-default filesystem monitors, and re-add them to the appliance dashboard.

1. Right click on the Appliance Service for the noted device in Administrator and choose Explorer.
2. Navigate to /appliance/stats/filesystem within Explorer
3. Validate that there are duplicate entries for a filesystem
4. SSH to the device and stop the Appliance Service: monit stop nwappliance
5. vi /etc/netwitness/9.0/NwAppliance.cfg and remove any non-default filesystem monitor entries (Default = 1-7) located near the top of the NwAppliance.cfg file.
dd can be used to delete the current line with vi. Be sure to save the modified file.

Example:
<folder instance="folder" name="appliance" prettyName="appliance">
                <folder instance="folder" name="config" prettyName="config">
                        <config getRoles="appliance.manage" instance="config" maxLength="255" name="display.port" prettyName="Display Port" setRoles="appliance.manage" value="/dev/ttyS1"/>
                </folder>
                <folder instance="folder" name="stats" prettyName="stats">
                        <folder instance="folder" name="filesystem" prettyName="filesystem">
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="0" prettyName="/" setRoles="appliance.manage" value="/"/>
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="1" prettyName="/var" setRoles="appliance.manage" value="/var"/>
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="2" prettyName="/boot" setRoles="appliance.manage" value="/boot"/>
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="3" prettyName="/var/netwitness" setRoles="appliance.manage" value="/var/netwitness"/>
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="4" prettyName="/var/netwitness/decoder" setRoles="appliance.manage" value="/var/netwitness/decoder"/>
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="5" prettyName="/var/netwitness/decoder/packetdb" setRoles="appliance.manage" value="/var/netwitness/decoder/packetdb"/>
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="6" prettyName="/var/netwitness/decoder/metadb" setRoles="appliance.manage" value="/var/netwitness/decoder/metadb"/>
                                <config getRoles="appliance.manage" instance="config" maxLength="255" name="7" prettyName="/var/netwitness/decoder/sessiondb" setRoles="appliance.manage" value="/var/netwitness/decoder/sessiondb"/>
**REMOVE**             <config getRoles="appliance.manage" instance="config" maxLength="255" name="8" prettyName="/var/netwitness/decoder0/packetdb" setRoles="appliance.manage" value="/var/netwitness/decoder0/packetdb"/>
**REMOVE**             <config getRoles="appliance.manage" instance="config" maxLength="255" name="9" prettyName="/var/netwitness/decoder0/packetdb" setRoles="appliance.manage" value="/var/netwitness/decoder0/packetdb"/>
                        </folder>
                </folder>
        </folder>

6. Start the Appliance Service: monit start nwappliance
7. Re-add the filesystem monitors for any filesystems/JBODs via Administrator. Once they've been re-added, you'll need to click on a different tab and then back to Stats to see the updated Dashboard.

If you have any questions or would like assistance performing this procedure, please feel free to contact RSA Support by opening a Case within the Self-Service Portal.
Legacy Article IDa58605

Attachments

    Outcomes