|Applies To||RSA NetWitness NextGen|
RSA NetWitness NextGen 126.96.36.199
RSA NetWitness NextGen 9.7 and below
RSA NetWitness Decoder
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker
Using monit or upstart to stop or restart services on an RSA NetWitness appliance will forcibly kill the services and flush the database.
Forcibly killing the NetWitness services and flushing the database will cause it to drop all current data in the assembler and cause corrupt .nwdb files.
To resolve the issue, follow the instructions below to edit the start/stop scripts in the /etc/init.d directory to allow the appliance up to 60 seconds to flush the database files.
Follow these steps via SSH to the RSA NetWitness Appliance to apply the fix to the stop/start/restart scripts for the appliance:
monit (CentOS 5.x):
edit the appropriate script (such as nwdecoder or nwconcentrator)
find the stop() function, which looks like this:
echo -n "Shutting down nwconcentrator: "
rm -f /var/lock/subsys/nwconcentrator
Modify the killproc line to this:
killproc ?d 60 "/usr/sbin/NwConcentrator"
upstart (CentOS 6.x/Fedora):
edit the appropriate script (like nwdecoder.conf)
On the line before ?exec /usr/sbin/NwDecoder ?stopwhenready?
kill timeout 60
So the final script should look something like this:
start on runlevel 
stop on runlevel [!3]
respawn limit 10 300
limit core unlimited unlimited
kill timeout 60
exec /usr/sbin/NwDecoder --stopwhenready
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
|Notes||Making backups of the scripts before making any changes is good practice.|
|Legacy Article ID||a60888|