000026621 - How to perform a data reset on an RSA NetWitness concentrator or broker appliance

Document created by RSA Customer Support Employee on Jan 12, 2017Last modified by RSA Customer Support on Jan 7, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000026621
Applies ToRSA Product Set: NetWitness, Security Analytics
RSA Product/Service Type: NextGen
IssueHow to perform a data reset on an RSA NetWitness concentrator or broker appliance.
Resolution

A data reset may be necessary for any number of reasons including:



  • Corruption of the Concentrator's or Broker's index
  • Re-indexing values with new meta data
  • Removing all data on the device

Follow these steps in RSA NetWitness Administrator to perform a data reset on a Concentrator or a Broker:



  1. Stop aggregation by clicking the Stop Aggregation icon in the Stats view.
  2. Open the Logs view and wait for the Aggregation threads have completed message. It may take some time so please be patient.
  3. Open the Console view and type /concentrator reset data=1 in the command line and click Send.

From version 9.5.5.9 on, you will be required to enter a confirmation code before being able to proceed with a data reset.  This code will be displayed on the screen as soon as you issue the command.


This will cause the databases to be zeroed and the Concentrator or Broker service will be restarted automatically.

It will take some time for the index to rebuild but once complete you should have freshly aggregated/indexed data from your Decoder(s)/Concentrator(s) (assuming you have your Concentrator or Broker set to aggregate from one or more Decoders/Concentrators and have started aggregation either automatically or manually).
NotesIf, for any reason, you are unable to do a data reset via RSA NetWitness Administrator, please contact RSA Customer Support and reference knowledge base article 000026957.
Legacy Article IDa58713

Attachments

    Outcomes