000012077 - Using monit or upstart to stop or restart services on an RSA NetWitness appliance will forcibly kill the services and flush the database

Document created by RSA Customer Support Employee on Jan 10, 2017. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000012077

Applies To:
RSA NetWitness NextGen
RSA NetWitness NextGen 9.8.5.9
RSA NetWitness NextGen 9.7 and below
RSA NetWitness Decoder
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker

Issue

Using monit or upstart to stop or restart services on an RSA NetWitness appliance will forcibly kill the services and flush the database.

Forcibly killing the NetWitness services and flushing the database causes the service to drop all current data in the assembler and results in corrupt .nwdb files.

Resolution

To resolve the issue, follow the instructions below to edit the start/stop scripts in the /etc/init.d directory to allow the appliance up to 60 seconds to flush the database files.

Follow these steps via SSH to the RSA NetWitness Appliance to apply the fix to the stop/start/restart scripts for the appliance:

 

monit (CentOS 5.x):

cd /etc/init.d

Edit the appropriate script (such as nwdecoder or nwconcentrator).

Find the stop() function, which looks like this:

stop() {
        echo -n "Shutting down nwconcentrator: "
        killproc "/usr/sbin/NwConcentrator"
        echo ""
        local result=$?
        rm -f /var/lock/subsys/nwconcentrator
        return $result
}

Modify the killproc line to this, adding the -d 60 delay option:

        killproc -d 60 "/usr/sbin/NwConcentrator"

upstart (CentOS 6.x/Fedora):

cd /etc/init

Edit the appropriate job file (such as nwdecoder.conf).

On the line before "exec /usr/sbin/NwDecoder --stopwhenready", add this:

kill timeout 60

 

So the final script should look something like this:

 

start on runlevel [3]
stop on runlevel [!3]
respawn
respawn limit 10 300
console output
chdir /var/netwitness/decoder/packetdb
limit core unlimited unlimited
kill timeout 60
exec /usr/sbin/NwDecoder --stopwhenready
expect stop
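
The following is an added example, not RSA's own tooling: shell helpers that report the grace period currently configured in each file type and apply the two edits above after taking a backup. The function names and the sample files are constructed for illustration; on an appliance, point the functions at the real files under /etc/init or /etc/init.d.

```shell
#!/bin/bash
# Added example. Function names and sample files are constructed for illustration.

# Seconds upstart waits between SIGTERM and SIGKILL for a job file.
# With no "kill timeout" stanza, upstart's documented default is 5 seconds.
upstart_kill_timeout() {
    awk '$1 == "kill" && $2 == "timeout" { t = $3 } END { print (t == "" ? 5 : t) }' "$1"
}

# Value passed to "killproc -d" in a SysV init script, or "unset" if absent.
sysv_killproc_delay() {
    awk '$1 == "killproc" { d = "unset"
                            for (i = 2; i < NF; i++) if ($i == "-d") d = $(i + 1)
                            print d; hit = 1; exit }
         END { if (!hit) print "unset" }' "$1"
}

# Back up the job file, then insert "kill timeout N" on the line before exec.
add_upstart_kill_timeout() {
    grep -Eq '^[[:space:]]*kill[[:space:]]+timeout[[:space:]]' "$1" && return 0
    cp -p "$1" "$1.bak" || return 1
    awk -v s="${2:-60}" '$1 == "exec" && !seen { print "kill timeout " s; seen = 1 }
                         { print }' "$1.bak" > "$1"
}

# Back up the init script, then add "-d N" to its killproc line.
add_sysv_killproc_delay() {
    [ "$(sysv_killproc_delay "$1")" = unset ] || return 0
    cp -p "$1" "$1.bak" || return 1
    sed "s/^\([[:space:]]*killproc\)[[:space:]]/\1 -d ${2:-60} /" "$1.bak" > "$1"
}

# Constructed copies of the two files shown in this article, in a scratch directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'start on runlevel [3]' 'stop on runlevel [!3]' 'respawn' \
    'exec /usr/sbin/NwDecoder --stopwhenready' 'expect stop' > "$demo/nwdecoder.conf"
printf '%s\n' 'stop() {' '        killproc "/usr/sbin/NwConcentrator"' \
    '        local result=$?' '        return $result' '}' > "$demo/nwconcentrator"

echo "before: upstart=$(upstart_kill_timeout "$demo/nwdecoder.conf")s" \
     "killproc -d=$(sysv_killproc_delay "$demo/nwconcentrator")"
add_upstart_kill_timeout "$demo/nwdecoder.conf"
add_sysv_killproc_delay "$demo/nwconcentrator"
echo "after:  upstart=$(upstart_kill_timeout "$demo/nwdecoder.conf")s" \
     "killproc -d=$(sysv_killproc_delay "$demo/nwconcentrator")"
```

Both patch functions leave a file untouched when it already carries the setting, so they can be re-run safely; the original is kept beside it with a .bak suffix.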

 

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Notes: Making backups of the scripts before making any changes is good practice.

Legacy Article ID: a60888
