000029837 - Error message "tokumx dead but pid file exists" after rebuilding the ESA alert database in RSA Security Analytics 10.4

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029837
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.4.x
Platform: CentOS
IssueAfter rebuilding the ESA alert database on the ESA appliance, the tokumx service reports the following status:
[root@ESA  ~]# service tokumx status
tokumx dead but pid file exists

Once the /var/run/tokumx/tokumx.pid file is manually removed, the following status is reported:
[root@ESA  ~]# service tokumx status
tokumx dead but subsys locked
CauseThis issue occurs because the /opt/rsa/database directory and its contents were not created when the rsa-esa-server package was re-installed.
ResolutionIn order to resolve the issue, follow the steps below.
  1. Connect to the ESA appliance via SSH as the root user.
  2. If the tokumx.pid file still exists, remove it with the following command:  rm -f /var/run/tokumx/tokumx.pid
  3. Stop the ESA service:  service rsa-esa stop
  4. Stop the puppet service:  service puppet stop
  5. Revert the TokuMX configuration back to default:  cp /etc/tokumx.conf.orig /etc/tokumx.conf
  6. Uninstall the rsa-esa-server package:  yum remove rsa-esa-server
  7. Re-install the rsa-esa-server package:  yum install rsa-esa-server
  8. Start the ESA service:  service rsa-esa start
  9. Start the puppet service:  service puppet start
  10. Verify that the tokumx service is now running properly:  service tokumx status
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.