|Applies To||RSA NetWitness NextGen|
RSA NetWitness NextGen 9.5 and above
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker
RSA NetWitness Administrator
RSA NetWitness Investigator
|Issue||Unable to remove or re-add an RSA NetWitness concentrator to a broker.|
Connected to your Broker in RSA NetWitness Investigator, you may notice that a particular Concentrator is not being consumed by the Broker. You try to remove and re-add the Concentrator but you are presented with error messages similar to the following:
In order to resolve the issue, follow the steps below.
1. Within RSA NetWitness Administrator, connect to the Broker, click the "Stats" tab and find the offending Concentrator. Note its hostname and/or IP address.
2. Click the drop-down beside the Concentrator and click "Remove Device".
3. Click the "Stop Aggregation" button.
4. Connect to the Broker via ssh, navigate to the directory /var/netwitness/broker/index and list its contents with "ll" (two lower-case "L" characters).
5. Files in this directory will begin with either the IP or hostname of connected Concentrators. Look for any files that begin with either the hostname or IP address of the Concentrator you removed in step 1.
6. If you find any files that begin with the IP or hostname of the already-removed Concentrator, stop the broker service by issuing the following command:
7. Delete any of these files with the "rm" command.
8. Start the Broker service by issuing the following command:
9. Connect back to the Broker with RSA NetWitness Administrator. On the "Stats" page you should now be able to add the previously-offending Concentrator back in. If you don't have aggregation set to start automatically on service start, you may start it now by clicking the "Start Aggregation" button.
* To determine the Linux version, issue the following command: cat /etc/redhat-release
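A dry-run helper for steps 4 and 5, added here as an example and not RSA code: it lists the files in the index directory whose names begin with the hostname or IP noted in step 1 and deletes nothing. The function name and the MATCH/REVIEW labels are hypothetical, and because the page does not document what follows the hostname or IP in a file name, the split is a heuristic that flags names where the prefix runs on into another character (10.0.0.1 also being the start of 10.0.0.10).

```shell
#!/bin/sh
# Added example, not vendor code. Dry run only: it lists, it never deletes.
# Default directory is the one named in step 4.
INDEX_DIR="${INDEX_DIR:-/var/netwitness/broker/index}"

# classify_index_files DIR PREFIX   (hypothetical helper name)
# Prints one line per file in DIR whose name begins with PREFIX:
#   MATCH  <name>  the prefix is followed by a separator or by nothing
#   REVIEW <name>  the prefix runs on into a letter, digit or hyphen, so the
#                  file may belong to a different device
classify_index_files() {
    dir=$1
    prefix=$2
    # An empty prefix would match every file in the directory.
    [ -n "$prefix" ] || { echo "empty prefix refused" >&2; return 2; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for path in "$dir"/*; do
        [ -e "$path" ] || continue       # empty directory: glob did not expand
        name=${path##*/}
        case $name in
            "$prefix"*) ;;               # literal prefix match, no globbing
            *) continue ;;
        esac
        rest=${name#"$prefix"}
        case $rest in
            [A-Za-z0-9-]*) echo "REVIEW $name" ;;
            *)             echo "MATCH $name" ;;
        esac
    done
    return 0
}

# When run with arguments, check each hostname or IP against INDEX_DIR.
if [ "$#" -ge 1 ]; then
    for p in "$@"; do
        classify_index_files "$INDEX_DIR" "$p"
    done
fi
```

Run it with both the hostname and the IP address of the removed Concentrator, and look at every REVIEW line by hand before anything is deleted in step 7.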
|Legacy Article ID||a58737|