000026806 - How to perform a data reset on an RSA NetWitness decoder

Document created by RSA Customer Support Employee on Jan 12, 2017. Last modified by RSA Customer Support on Jan 7, 2019.
Version 3

Article Content

Article Number: 000026806
Applies To: RSA Product Set: NetWitness, Security Analytics
RSA Product/Service Type: NextGen
Issue: How to perform a data reset on an RSA NetWitness decoder.

It may be necessary to perform a data reset on a decoder for any number of reasons including:

  • Corruption of the databases (in addition to the Index, which can easily be reset on its own without a data reset)
  • Removing all data on the device

Follow these steps in NetWitness Administrator to perform a data reset on a Decoder:

  1. On the Decoder, stop Capture by clicking the Stop Capture icon in the Stats view.
  2. Open the Logs view and wait for the "Capture has stopped" message. This may take some time, so please be patient.
  3. On the upstream Concentrator, remove the Decoder on the Concentrator's Stats view by finding the Decoder, clicking its drop-down menu and selecting Remove device.
  4. Back on the Decoder, open the Console view and type /decoder reset data=1 in the command line and click Send.
  5. This zeroes all databases and automatically restarts the Decoder service. If there is a lot of data on the Decoder, it may take a minute or two while the system deletes the database files.
  6. Once you can connect back to the Decoder using Administrator, you can also add the Decoder back into an upstream Concentrator.

If, for any reason, you are unable to do a data reset via RSA NetWitness Administrator, please contact RSA Customer Support and reference knowledge base article 000026957.

Legacy Article ID: a58729