000033374 - RSA Security Analytics - Unable to add a DAC to the Security Analytics Warehouse (SAW) node

Document created by RSA Customer Support Employee on Jul 3, 2016
Last modified by RSA Customer Support on Apr 17, 2019
Version 4

Article Content

Article Number: 000033374

Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Data Warehouse
RSA Version/Condition: 10.4.X, 10.5.X, 10.6.X
Platform: CentOS
O/S Version: 6
 
Issue

When a DAC has to be added to the SAW node, running the NwArrayConfig.py script results in the following errors:

In RSA Security Analytics version 10.4.X:

[root@WAREHOUSE4 arrayCfg]# ./NwArrayConfig.py --action add --service saw
Failed!: SAW appliances do not support extending storage.



 

In RSA Security Analytics version 10.5.X and above:


[root@WAREHOUSE4 saTools]# ./NwArrayConfig.py
Failed!: The service type mapr is not one of the services supported for external storage configuration

 



 
Cause

The "saw" service details are missing from the /opt/rsa/saTools/appliance/RAID/arrayDefs.py script.

Resolution

The /opt/rsa/saTools/appliance/RAID/arrayDefs.py script will be updated with the "saw" service details in RSA NetWitness version 11.0.

Workaround

To add a DAC to the SAW server, follow the steps below:



  1. Log in to the SAW server over SSH as an administrator.
  2. In RSA Security Analytics versions 10.5.0.0 and above, the rsa-sa-tools package is available by default.

    However, RSA Security Analytics version 10.4.x requires that this package be installed manually.

    Note: The rsa-sa-tools-10.5.0.0.44-1.el6.noarch package is attached to this article for installing on version 10.4.X. Upload it to the SAW server using WinSCP and install it using the command below:




    # yum install rsa-sa-tools-10.5.0.0.44-1.el6.noarch


     


  3. Use the commands below to edit the arrayDefs.py file.

    # cd /opt/rsa/saTools/appliance/RAID/

    # vi arrayDefs.py

  4. When editing the file: 
    Change the line below 
    from:

    NwStrgSrvcs = ['decoder', 'logdecoder', 'concentrator', 'archiver', 'hybrid']

    to:


    NwStrgSrvcs = ['decoder', 'logdecoder', 'concentrator', 'archiver', 'hybrid', 'saw']

     


    Change the section below
    from:




    # Function which returns a list of DBs and a list of services for appliance type.

    def get_srvc():
        global ApplType, MySrvcLst, theDbDir, SsnRto
        MySrvcLst = []
        theDbDir = []
        theDecoder = ''
        theRslt = GetResp("/bin/rpm -qa|egrep "
                          "'(saw|mapr-emc|concentrator|(log)*decoder(10g)*|archiver|esa-server)-[0-9]'")[0].strip().split()
        theSrvcs = findall('(saw|mapr|(?:log)*decoder|concentrator|archiver|esa-server)',lst2str(theRslt))
        debug('theSrvcs: %s' % theSrvcs)
        getDcdrTyp = search('((?:log)*decoder(?:10g)*)',lst2str(theSrvcs))
        if getDcdrTyp:
            theDecoder = getDcdrTyp.group(1)
        if 'archiver' in theSrvcs:
            MySrvcLst.append('archiver')
            theDbDir.append('database')
        if 'concentrator' in theSrvcs:
            MySrvcLst.append('concentrator')
            theDbDir.append('metadb')
        if 'logdecoder' in theSrvcs or 'decoder' in theSrvcs:
            MySrvcLst.append('%s' % theDecoder)
            theDbDir.append('packetdb')
        if 'saw' in theSrvcs or 'mapr' in theSrvcs:
            MySrvcLst.append('saw')
        if len(theSrvcs) == 2 and 'concentrator' in theSrvcs and ('logdecoder' in theSrvcs or 'decoder' in theSrvcs):
            ApplType = 'hybrid'
        elif len(theSrvcs) == 1:
            ApplType = theSrvcs[0]
        else:
            ApplType = ''
        info('Service set to "%s"' % ApplType)
        return theSrvcs


    to:

    # Function which returns a list of DBs and a list of services for appliance type.

    def get_srvc():
        global ApplType, MySrvcLst, theDbDir, SsnRto
        MySrvcLst = []
        theDbDir = []
        theDecoder = ''
        theRslt = GetResp("/bin/rpm -qa|egrep "
                          "'(saw|mapr-emc|concentrator|(log)*decoder(10g)*|archiver|esa-server)-[0-9]'")[0].strip().split()
        theSrvcs = findall('(saw|mapr|(?:log)*decoder|concentrator|archiver|esa-server)',lst2str(theRslt))
        debug('theSrvcs: %s' % theSrvcs)
        getDcdrTyp = search('((?:log)*decoder(?:10g)*)',lst2str(theSrvcs))
        if getDcdrTyp:
            theDecoder = getDcdrTyp.group(1)
        if 'archiver' in theSrvcs:
            MySrvcLst.append('archiver')
            theDbDir.append('database')
        if 'concentrator' in theSrvcs:
            MySrvcLst.append('concentrator')
            theDbDir.append('metadb')
        if 'logdecoder' in theSrvcs or 'decoder' in theSrvcs:
            MySrvcLst.append('%s' % theDecoder)
            theDbDir.append('packetdb')
        if 'saw' in theSrvcs or 'mapr' in theSrvcs:
            MySrvcLst.append('saw')
        if len(theSrvcs) == 2 and 'concentrator' in theSrvcs and ('logdecoder' in theSrvcs or 'decoder' in theSrvcs):
            ApplType = 'hybrid'
        elif len(theSrvcs) == 1:
            ApplType = theSrvcs[0]
            ApplType = 'saw' if ApplType == 'mapr' else ApplType
        info('Service set to "%s"' % ApplType)
        return theSrvcs

  5. Save the file by pressing the "ESC" key and then typing :wq! on the keyboard.
  6. Run the following command to add the DAC.

    ./NwArrayConfig.py

  7. Check the lsblk command output to confirm that the newly added disks from the DAC addition are visible.
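
A pre-flight check for the hand edit in steps 3 to 5, to be run before step 6. This is an added example, not part of the RSA article or the rsa-sa-tools package. The check_arraydefs function name and the embedded sample fragments are constructed for illustration; only NwStrgSrvcs, get_srvc and the file path come from the article.

```python
import ast
import sys

# Constructed, cut-down stand-ins for arrayDefs.py before and after the edit.
ORIGINAL = """NwStrgSrvcs = ['decoder', 'logdecoder', 'concentrator', 'archiver', 'hybrid']
def get_srvc():
    global ApplType
    if len(theSrvcs) == 1:
        ApplType = theSrvcs[0]
"""
PATCHED = """NwStrgSrvcs = ['decoder', 'logdecoder', 'concentrator', 'archiver', 'hybrid', 'saw']
def get_srvc():
    global ApplType
    if len(theSrvcs) == 1:
        ApplType = theSrvcs[0]
        ApplType = 'saw' if ApplType == 'mapr' else ApplType
"""
# Same edit with the new line mis-indented, as can happen when typing it in vi.
BROKEN = PATCHED.replace("        ApplType = 'saw'", "      ApplType = 'saw'")

def check_arraydefs(source):
    """Return a list of problems in arrayDefs.py source text (empty list = OK)."""
    try:
        tree = ast.parse(source)  # parses only, never executes the file
    except SyntaxError as exc:    # IndentationError is a subclass
        return ['syntax error at line %s: %s' % (exc.lineno, exc.msg)]
    problems, services, get_srvc = [], None, None
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == 'NwStrgSrvcs' for t in node.targets):
            services = ast.literal_eval(node.value)
        elif isinstance(node, ast.FunctionDef) and node.name == 'get_srvc':
            get_srvc = node
    if services is None:
        problems.append('NwStrgSrvcs assignment not found')
    elif 'saw' not in services:
        problems.append("'saw' missing from NwStrgSrvcs")
    if get_srvc is None:
        problems.append('get_srvc() not found')
    elif not any(isinstance(n, ast.IfExp) and "'mapr'" in ast.dump(n.test)
                 for n in ast.walk(get_srvc)):
        problems.append("get_srvc() does not map 'mapr' to 'saw'")
    return problems

if __name__ == '__main__':
    # Usage: python <this script> /opt/rsa/saTools/appliance/RAID/arrayDefs.py
    with open(sys.argv[1]) as fh:
        print(check_arraydefs(fh.read()) or 'OK')
```

Run it with the same Python interpreter that runs NwArrayConfig.py, and keep a copy of the unedited arrayDefs.py so the change can be reverted.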
