000026252 - Data recovery options in RSA NetWitness NextGen 8.5 and 8.6

Document created by RSA Customer Support Employee on Jan 10, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026252

Applies To:
RSA NetWitness NextGen
RSA NetWitness NextGen 8.5
RSA NetWitness NextGen 8.6
RSA NetWitness Decoder
RSA NetWitness Concentrator

Issue: Data recovery options in RSA NetWitness NextGen 8.5 and 8.6.
Resolution

Which recovery option applies depends on what was corrupted. If something is corrupted on a decoder, you are usually left with no choice but to blow away the entire database. A concentrator problem tends to leave a few more options.

Some reasons for needing data recovery are as follows:

  • Index corruption
    Usually indicated by messages in concentrator.log, defragmentation problems, decoders whose data cannot be processed, or an improper shutdown.
  • New index-concentrator.xml
    When index values change, the index is only affected from the point the new values were put in place onward. Having the index use different values for indexing can become a small nightmare if large changes were made between file versions, especially if values were made smaller, removed, or added.


1. Data reset: removes all data from the concentrator. It will be up and available to log into via Investigator, but it will process data from the beginning of the time frame the decoders hold on their systems, i.e. you may be a couple of days behind on consumption while it catches up, since it starts processing from the first data (e.g. Nov 30th). This can leave a large number of unconsumed sessions.

Option: the concentrator can be set to consume and process only the last few days' worth of data (from Dec 10 onward, for example). This brings the system up faster, but some historical data is lost from the concentrator. The data is still available on the decoders if you need to go back further, but for speed of recovery, the smaller the time window, the faster the system is back up. *This tends to be the most popular choice.*

How to: log into the concentrator via Administrator. On the concentrator tab you should have Advanced Settings. Find the Hours Back option and set it to the number of hours back from now you want to consume (for example 12, for the last 12 hours). Click OK, then:

1. Stop aggregation on the concentrator.
2. SSH into the concentrator and run
touch /home/NetWitness/.noreboot
service concentrator stop
3. Wait for the concentrator service to fully stop. You can verify this by opening another SSH window and running
tail -f /home/NetWitness/Recent/concentrator.log
4. Verify the concentrator service is completely down, then run the following commands
NwDataReset concentrator
rm /home/NetWitness/.noreboot
(the .noreboot file may not exist at this point; if so, the error from rm can be ignored)
service concentrator start

Wait for the system to come up and then verify that consumption has restarted.




2. Reindex: no data loss, but the system will be inaccessible via Investigator/Administrator on port 5005 while the reindex runs, which can take up to 5 days depending on the amount of data currently in the system. For that reason it is almost always best to start this on a Friday.
Data will queue up on the decoders while this is going on, so no data is lost. This is a good choice, especially if the concentrator is aggregating up to a master concentrator.

The steps are as follows:
1. Stop aggregation on the concentrator.
2. SSH into the concentrator and run
service concentrator stop
3. Wait for the concentrator service to fully stop. You can verify this by opening another SSH window and running
tail -f /home/NetWitness/Recent/concentrator.log
4. Verify the concentrator service is completely down, then run the following commands
cd /home/NetWitness/concentrator/Databases/
rm -rf *

**Note: ensure you are in the proper directory before running the rm command, as it can have serious negative impacts on the system if run in the wrong directory! Check with pwd first.**
5. Once the deletion has completed, restart the concentrator service
service concentrator start
6. The system will come up but will NOT be accessible via the Administrator console while the reindex is taking place. To check status, tail the end of the concentrator log to see how many sessions have been reprocessed.
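As an added example (my own script, not RSA's tooling and not from the original article), the following bash wrapper scripts both procedures above, the data reset (option 1) and the reindex (option 2), and puts a path guard around the destructive rm so it can only ever run against the concentrator Databases directory. It assumes aggregation has already been stopped in Administrator and, for option 1, that Hours Back has been set there; it assumes that `service concentrator status` exits non-zero once the service is down (an assumption about the appliance's init script; the article verifies this by tailing the log instead); and it assumes NwDataReset is on PATH as the article shows. The NW_RECOVERY_RUN variable, the DB_DIR override and all function names are mine.

```bash
#!/bin/bash
# Added example, not RSA's tooling: wraps the two concentrator recovery
# procedures from this article (data reset and reindex) with a path guard
# around the destructive rm.  Assumptions: aggregation already stopped in
# Administrator; "service concentrator status" exits non-zero once the
# service is down (assumed init-script behaviour); NwDataReset is on PATH.
set -euo pipefail

NW_HOME="${NW_HOME:-/home/NetWitness}"
DB_DIR="${DB_DIR:-$NW_HOME/concentrator/Databases}"
CONC_LOG="$NW_HOME/Recent/concentrator.log"

# True only when the candidate path is exactly the concentrator Databases
# directory (a trailing slash is tolerated).  This is the "are you in the
# right directory?" check the article's warning asks you to make by eye.
is_concentrator_db_dir() {
    local candidate="${1%/}"
    [ -n "$candidate" ] && [ "$candidate" = "${DB_DIR%/}" ]
}

# Remove everything inside the Databases directory (the article's rm -rf *),
# refusing any path that is not that directory.
wipe_databases() {
    local dir="$1"
    if ! is_concentrator_db_dir "$dir"; then
        echo "refusing to wipe '$dir': not $DB_DIR" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing to wipe '$dir': not a directory" >&2
        return 1
    fi
    rm -rf -- "${dir%/}"/*
}

# Block until the concentrator service reports stopped, or give up after
# the timeout (seconds, default 600).
wait_for_stop() {
    local timeout="${1:-600}"
    local deadline=$(( $(date +%s) + timeout ))
    while service concentrator status >/dev/null 2>&1; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "concentrator still running after ${timeout}s; check $CONC_LOG" >&2
            return 1
        fi
        sleep 5
    done
}

# Option 1: data reset.  Removes all concentrator data; re-consumption
# starts from wherever Hours Back was set in Administrator.
data_reset() {
    touch "$NW_HOME/.noreboot"
    service concentrator stop
    wait_for_stop
    NwDataReset concentrator
    rm -f "$NW_HOME/.noreboot"      # -f: the marker may already be gone
    service concentrator start
}

# Option 2: reindex.  No data loss; port 5005 stays unavailable until the
# reindex finishes, which the article says can take days.
reindex() {
    service concentrator stop
    wait_for_stop
    wipe_databases "$DB_DIR"
    service concentrator start
    echo "reindex started; follow progress with: tail -f $CONC_LOG"
}

main() {
    case "${1:-}" in
        reset)   data_reset ;;
        reindex) reindex ;;
        *) echo "usage: NW_RECOVERY_RUN=1 $0 reset|reindex" >&2; return 2 ;;
    esac
}

# Only act when explicitly armed; otherwise the file just defines functions.
if [ "${NW_RECOVERY_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Arm it with NW_RECOVERY_RUN=1 ./nw-recover.sh reindex (or reset). Run or sourced unarmed it only defines the functions, which is also how the guard can be exercised safely: override DB_DIR to a scratch directory and confirm that wipe_databases empties that directory and refuses its parent before trusting the script on an appliance.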

Legacy Article ID: a58543
