000034030 - Packet Decoder RAID 0 reconfiguration for RSA Security Analytics

Document created by RSA Customer Support Employee on Sep 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034030
Applies To:
RSA Product Set: NetWitness Logs and Packets (formerly Security Analytics)
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Issue:
Some Packet Decoders that were configured between March of 2015 and August of 2016 could contain one or more decodersmall volume groups configured as RAID 0 (striped). The volume group may contain the metadb, sessiondb, and index files for a Packet Decoder. Because RAID 0 has no redundancy and no hot spares, an issue can occur in this configuration if one of the hard drives within the array fails.
Some Symptoms of this Failure:
  • I/O error messages within /var/log/messages and dmesg related to the metadb, sessiondb and/or index files
  • The decoder stops capture unexpectedly or will not stay running when restarted
  • Running pvscan, vgscan or lvscan produces I/O error messages of devices being inaccessible
Tasks:
This article outlines the steps required to reconfigure a working Packet Decoder’s decodersmall volume group from a RAID 0 (striped) configuration to a RAID 1 (mirrored) configuration.
Resolution:
Follow the attached document to determine if your RSA NetWitness Packet Decoders are affected by this RAID 0 misconfiguration.
If your environment is affected, remember to download the accompanying script to fix this issue.
If there are any questions regarding any issues that appear while performing any of these steps, stop and contact RSA NetWitness Support at support@rsa.com.
Document: NW-Decoder-RAID-0-Reconfig-Script.pdf
Script: reconfig_raid0-1.sh.zip
