000029837 - Error message "tokumx dead but pid file exists" after rebuilding the ESA alert database in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 2, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000029837
Applies ToRSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.6.x
Platform: CentOS
IssueAfter rebuilding the ESA alert database on the ESA appliance, the tokumx service reports the following status:

[root@ESA  ~]# service tokumx status
tokumx dead but pid file exists

Once the /var/run/tokumx/tokumx.pid file is manually removed, the following status is reported:

[root@ESA  ~]# service tokumx status
tokumx dead but subsys locked
CauseThis issue occurs because the /opt/rsa/database directory and its contents were not created when the rsa-esa-server package was re-installed.
ResolutionIn order to resolve the issue, follow the steps below.
  1. Connect to the ESA appliance via SSH as the root user.
  2. If the tokumx.pid file still exists, remove it with the following command:  rm -f /var/run/tokumx/tokumx.pid
  3. Stop the ESA service:  service rsa-esa stop
  4. Stop the puppet service:  service puppet stop
  5. Revert the TokuMX configuration back to default:  cp /etc/tokumx.conf.orig /etc/tokumx.conf
  6. Uninstall the rsa-esa-server package:  yum remove rsa-esa-server
  7. Re-install the rsa-esa-server package:  yum install rsa-esa-server
  8. Start the ESA service:  service rsa-esa start
  9. Start the puppet service:  service puppet start
  10. Verify that the tokumx service is now running properly:  service tokumx status

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.