000026639 - How to access RSA NetWitness data after changing the appliance's hostname

Document created by RSA Customer Support Employee on Jul 15, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026639
Applies ToRSA NetWitness NextGen
RSA NetWitness Decoder
RSA NetWitness Log Decoder
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker
RSA NetWitness Administrator
IssueHow to access NetWitness data after changing the appliance's hostname.
How do I get my data after changing the hostname of my NetWitness appliance?

A Decoder is known to its downstream Concentrators by its hostname.   If a Decoder's hostname is changed, the Decoder will appear to its Concentrator(s) to be a new Decoder.  Aggregation from the Decoder will thus be reset and cause all meta on the Decoder to be re-consumed. Due to this, any attempt to access packet data stored on the Decoder from Concentrator sessions that refer to the old Decoder ID (technically known as language key 'did' to the Concentrator) will fail, however the old meta will still be accessible from the Concentrator.


In RSA NetWitness NextGen, the parameter /sys/config/service.name.override was introduced so that one can change a Decoder's hostname, while allowing the packet data stored on the Decoder to remain accessible. This can be achieved as follows:


1.  Using NetWitness Administrator, toggle aggregation of the Decoder in question off in said Decoder's upstream Concentrator.

2.  Change the Decoder's hostname via the Decoder's Appliance Service in Administrator.  In the Stats view, select 'Appliance Tasks' button, then select 'Set Appliance Hostname' task from the dropdown to enter the <NEW decoder hostname>


3.  Connect to the Decoder service via explorer view in Administrator, enter the <OLD decoder hostname> in /sys/config/service.name.override field;

4.  Stop capture and restart the Decoder service in Administrator

5.  From the Concentrator service, toggle aggregation of the Decoder back on from the dropdown on the 'Stats' tab.


Rather than the appliance's OS hostname, the Decoder will now use the value stored in /sys/config/service.name.override to identify itself to the Concentrator, therefore the Concentrator will still be able to access the Decoder's packet data.  Any new meta aggregated from the Decoder will also use the service.name.override setting for 'did' meta.

NotesThe above steps can also be used to change a Concentrator or Broker's hostname to identify the proper ConcentratorID (cid) so aggregation from upsteam brokers will be preserved.
Legacy Article IDa58643