000026600 - Merge script for new index keys in RSA NetWitness NextGen

Document created by RSA Customer Support Employee on Jan 10, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026600
Applies To: RSA NetWitness NextGen
Issue: Merge script for new index keys in RSA NetWitness NextGen

*************Should be performed only after Appliance has been upgraded from 9.0.x.x to*************

The 9.5 release introduces new index keys. Freshly built 9.5 devices receive these keys automatically. However, it has been determined that upgrading from 9.0 to 9.5 does not add them to the existing indexes. We have developed a Perl script, along with new template key files, which are attached here. Download the Perl script and the index-*.xml files to the /root directory on your appliances. The files may be downloaded from:

ftp://v95:v95update321@download.netwitness.com/Server_Update/Index_Key_Update_Files/
https://sftp.rsa.com/human.aspx?Username=v95&password=version95!&transaction=signon&quiet=true/r=910074231&Arg12=filelist&Arg06=776779397

Once everything is downloaded, SSH to the appliance as root and do the following:

1.    "chmod +x MergeIndex.pl"

2.    "./MergeIndex.pl /etc/netwitness/9.0/index-<service type>.xml" where <service type> is decoder, concentrator, or broker

NOTE: This needs to be run twice on a Hybrid, once for the decoder service and once for the concentrator service.

3.    On a decoder, stop capture; otherwise, stop aggregation on the device. Ensure capture or aggregation has fully stopped by checking for "Captured has stopped" or "Aggregation threads have completed" in the log.

4.    Restart the service.
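
The log check in step 3 can be scripted so that the restart in step 4 only proceeds on a fresh stop message. This is an added example, not part of the RSA article or of MergeIndex.pl. The function names are hypothetical, and the log is assumed to be a plain-text file whose path you supply.

```shell
#!/bin/sh
# Added example (not RSA's script): gate step 4 on the stop message from step 3.
# Assumption: the service log is a plain-text file whose path you supply.

# Message the article says to look for, by service type.
stop_message() {
    case "$1" in
        decoder)             echo "Captured has stopped" ;;
        concentrator|broker) echo "Aggregation threads have completed" ;;
        *)                   return 2 ;;
    esac
}

# Record the log's current line count BEFORE issuing the stop, so that a
# stop message left over from an earlier maintenance window is ignored.
log_mark() {
    wc -l < "$1" | tr -d ' '
}

# stop_confirmed TYPE LOG MARK -> 0 if TYPE's message appears after line MARK,
# 1 if not yet, 2 for an unknown service type.
stop_confirmed() {
    msg=$(stop_message "$1") || return 2
    if tail -n +"$(( $3 + 1 ))" "$2" | grep -F -- "$msg" >/dev/null; then return 0; fi
    return 1
}

# all_stopped LOG MARK TYPE... -> 0 only if every listed type is confirmed.
# On a Hybrid, pass both "decoder" and "concentrator".
all_stopped() {
    log=$1; mark=$2; shift 2
    for t in "$@"; do
        stop_confirmed "$t" "$log" "$mark" || return $?
    done
}

# Constructed sample log (timestamps and layout are made up for the demo).
demo() {
    d=$(mktemp -d); l="$d/messages"
    echo "Jan 10 09:00:01 nw [Decoder] Captured has stopped" > "$l"   # stale
    m=$(log_mark "$l")
    echo "Jan 10 14:30:07 nw [Decoder] Captured has stopped" >> "$l"  # fresh
    all_stopped "$l" "$m" decoder && echo "decoder: safe to restart"
    all_stopped "$l" "$m" decoder concentrator || echo "hybrid: still waiting"
    rm -rf "$d"
}
demo
```

Call log_mark before stopping capture or aggregation, then poll all_stopped with that mark until it returns 0.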



Legacy Article ID: a58706