000026806 - How to perform a data reset on an RSA NetWitness Platform decoder

Document created by RSA Customer Support Employee on Jan 12, 2017Last modified by RSA Customer Support on Sep 26, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000026806
Applies ToRSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Security Analytics UI, Decoder
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6
IssuePerforming a data reset on an RSA NetWitness Decoder.

It may be necessary to perform a data reset on a decoder for any number of reasons including:

  • Corruption on databases (in addition to the Index, which can easily be reset itself without data reset)
  • Removing all data on the device

Follow these steps in the RSA Security Analytics UI to perform a data reset on a Decoder:

  1. Navigate to Admin > Services > Decoder > View > System.
  2. On the Decoder's System page, press the "Stop Capture" button to stop capture - it may take some time for the "Capture has stopped" message to appear.
  3. Navigate to Admin > Services > the upstream Concentrator > View > Config > General tab.
  4. Under "Aggregate Services," remove the Decoder from the Concentrator by selecting it and pressing the minus (-) button in the options just below the words "Aggregate Services."
  5. Navigate to Admin > Services > Decoder from Step 1 > Explore.
  6. Right-click the "decoder" directory and click on the "Properties" option.
  7. In the drop-down menu, choose "reset", type "data=1" in the parameters, and click Send. The output will provide you with a verification value that you will have to type after the existing parameters ("data=1") and then click Send once more.
    • For example: "data=1 verify=1234567890"
  8. This will cause all databases to be zeroed and the Decoder service will be restarted automatically.  If there is a lot of data on the Decoder, it may be a minute or two while the system deletes the database files.
  9. Once you can connect back to the Decoder using the RSA Security Analytics UI, you can also add the Decoder back into the upstream Concentrator.

If, for any reason, you are unable to do a data reset via the RSA Security Analytics UI, please contact RSA Customer Support and reference knowledge base article 000026957.

Legacy Article IDa58729