000026507 - How to preserve old RSA NetWitness concentrator or broker meta data if you need to replace it with a new one

Document created by RSA Customer Support Employee on Jan 10, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026507
Applies To: RSA NetWitness NextGen, RSA NetWitness Concentrator, RSA NetWitness Broker
Issue: How to preserve old RSA NetWitness concentrator or broker meta data if you need to replace it with a new one.
Resolution

There are two ways to do this, each with its pros and cons:


Method 1:
Connect the new concentrator and consume everything from the old concentrator.
Pros:
1) Fast.
Cons:
1) Because the new concentrator consumes from the old concentrator and also from the same decoders, session duplication will occur. This is only a concern initially, as the duplicated data will eventually roll out.
2) Once the old concentrator goes offline, it will not be possible to grab packets via the decoders. Sessions that came from the old concentrator will try to route the request through a device that no longer exists.



Method 2:
Copy all files (including the session/meta database and meta index files) from the old concentrator's /var/netwitness/concentrator/sessiondb and /var/netwitness/concentrator/metadb directories to the new concentrator (into the same directories). Then start the concentrator service, which will rebuild the files in the /var/netwitness/concentrator/index directory on its own. Once the index rebuild is finished, the concentrator should be operational and ready to accept devices to aggregate from.
Pros:
1) Copying the session and meta databases avoids issues such as session duplication and not being able to retrieve old decoder data.
Cons:
1) It might take hours/days to finish copying and bring the new concentrator online.
2) The new concentrator should not be running while the index is rebuilding. You cannot consume any new data until the index is rebuilt.
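
Because the Method 2 copy can run for hours or days, it is worth confirming that the copied sessiondb and metadb trees are complete and unaltered before the service is started on the new concentrator. The script below is an added example, not part of the RSA article: the function names and manifest paths are hypothetical, and it assumes the databases are not being written to while they are hashed and that sha256sum is available on both hosts.

```shell
#!/bin/sh
# Added example (not from the RSA article). Assumes file names without
# newlines and that the databases are idle while being hashed.

# Run on the OLD concentrator.
# $1 = database directory, $2 = manifest file to write (keep it outside $1)
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# Run on the NEW concentrator after the copy, before starting the service.
# $1 = copied directory, $2 = manifest brought over from the old host
# Returns 0 only if every listed file matches and no other file is present.
verify_copy() {
    vc_dir=$1 vc_man=$2 vc_rc=0
    [ -s "$vc_man" ] || { echo "manifest missing or empty: $vc_man" >&2; return 2; }
    case $vc_man in /*) ;; *) vc_man=$PWD/$vc_man ;; esac

    # Missing, truncated or altered files: print everything except the OK lines.
    vc_out=$(cd "$vc_dir" && sha256sum -c "$vc_man" 2>&1) || {
        printf '%s\n' "$vc_out" | grep -v ': OK$' || true
        vc_rc=1
    }

    # Files the old host never had (for example, data the new host already wrote).
    vc_want=$(mktemp) vc_have=$(mktemp)
    cut -c67- "$vc_man" | LC_ALL=C sort > "$vc_want"   # skip 64 hex chars + 2 separators
    ( cd "$vc_dir" && find . -type f | LC_ALL=C sort ) > "$vc_have"
    vc_extra=$(LC_ALL=C comm -13 "$vc_want" "$vc_have")
    rm -f "$vc_want" "$vc_have"
    [ -z "$vc_extra" ] || { echo "not in manifest:"; echo "$vc_extra"; vc_rc=1; }
    return $vc_rc
}

# Usage with the directories named in Method 2 (manifest paths are placeholders):
#   old host: make_manifest /var/netwitness/concentrator/sessiondb /tmp/sessiondb.sha256
#   new host: verify_copy   /var/netwitness/concentrator/sessiondb /tmp/sessiondb.sha256
# Repeat both steps for /var/netwitness/concentrator/metadb.
```

A non-zero return from verify_copy means the copy should be repeated or resumed for the listed files before the index rebuild is started.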

Legacy Article ID: a58589
