000026506 - How to configure a scheduled database rollover in RSA NetWitness NextGen 9.x

Document created by RSA Customer Support Employee on Jan 11, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026506

Applies To:
RSA NetWitness NextGen
RSA NetWitness NextGen 9.0 and above
RSA NetWitness Decoder
RSA NetWitness Log Decoder
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker

Issue: How to configure a scheduled database rollover in RSA NetWitness NextGen 9.x.

Resolution

In some cases one or more database structures may end up holding more data than can be indexed by the others.


 


To alleviate this, it may be necessary to set up a time roll of the data. The following steps set up a scheduled time roll.



1. In Administrator, double-click the decoder or concentrator under the Services frame to connect to the device. With the device selected, press Ctrl-E to open an Explorer view in a new tab.
2. In the Explorer view, expand the 'sys->config' folder. Under the 'config' folder is another folder named 'scheduler'. Click it to select it, then right-click and select 'Properties'. This opens another frame below the list of scheduled events.
3. In the properties frame, click the pull-down menu and select 'addMil' to set events that occur at a specific time on given days of the week, or 'addInter' to set events that occur at a specified interval.
4. In the Parameters field, enter the appropriate settings to schedule the timeroll. The following causes a timeroll of data older than 21 days for session, chain, meta, and packet to occur every Wednesday at 13:25:00 local time:



For 9.0/9.5 -
time=13:25:00 daysOfWeek=wed pathname=/database msg=timeroll params="days=21 type=session,chain,packet,meta"
For 9.6/9.7 -
time=13:25:00 daysOfWeek=wed pathname=/database msg=timeroll params="days=21 type=session,packet,meta"
Note: The double quotes around the params string are required.



5. Click "Send" to add the new event to the schedule. It will appear in the schedule list in the frame above.
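
The following is an added example, not part of the original article or of any RSA tooling: a small Python check that can be run over an addMil parameter string before it is pasted into the Parameters field. It assumes the two strings shown in step 4 define the type list for each release, and the function name check_timeroll and the UNQUOTED sample are constructed for illustration.

```python
import re

# Record types taken from the article's two strings; "chain" appears only for 9.0/9.5.
TYPES_BY_RELEASE = {
    "9.0/9.5": {"session", "chain", "packet", "meta"},
    "9.6/9.7": {"session", "packet", "meta"},
}
# key=value tokens; a value is a double-quoted run or a run without whitespace.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIME = re.compile(r"([01]\d|2[0-3]):[0-5]\d:[0-5]\d")


def check_timeroll(line, release):
    """Return a list of problems in an addMil timeroll parameter string (empty if none)."""
    problems = []
    fields = dict(TOKEN.findall(line))
    for key in ("time", "daysOfWeek", "pathname", "msg", "params"):
        if key not in fields:
            problems.append(f"missing {key}")
    if "time" in fields and not TIME.fullmatch(fields["time"]):
        problems.append("time is not HH:MM:SS")
    if fields.get("msg", "timeroll") != "timeroll":
        problems.append("msg is not timeroll")
    params = fields.get("params", "")
    if not (len(params) >= 2 and params.startswith('"') and params.endswith('"')):
        if params:
            problems.append("params is not wrapped in double quotes")
        return problems
    inner = dict(TOKEN.findall(params[1:-1]))
    if not inner.get("days", "").isdigit():
        problems.append("days is missing or not a whole number")
    types = set(filter(None, inner.get("type", "").split(",")))
    if not types:
        problems.append("type list is missing")
    for extra in sorted(types - TYPES_BY_RELEASE[release]):
        problems.append(f"type {extra} is not in the {release} string")
    return problems


# The article's two strings, plus a constructed one with the quotes left off.
V90 = 'time=13:25:00 daysOfWeek=wed pathname=/database msg=timeroll params="days=21 type=session,chain,packet,meta"'
V96 = 'time=13:25:00 daysOfWeek=wed pathname=/database msg=timeroll params="days=21 type=session,packet,meta"'
UNQUOTED = "time=13:25:00 daysOfWeek=wed pathname=/database msg=timeroll params=days=21 type=session,packet,meta"

if __name__ == "__main__":
    for label, line, release in [("9.0/9.5", V90, "9.0/9.5"), ("9.0/9.5 string on 9.6/9.7", V90, "9.6/9.7"),
                                 ("unquoted", UNQUOTED, "9.6/9.7")]:
        print(label, "->", check_timeroll(line, release) or "ok")
```
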



 


To delete a scheduled task:



1. Select "print" from the pull down menu and hit the Send button. Note the task ID for the task to be deleted.
2. Select "delSched" from the pull down menu and enter "id=X" in the Parameters field where X is the noted task ID from step 1. Hit the Send button to delete the task.



 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a58593
