000026931 - How to reconfigure and optimize RSA NetWitness NextGen 9.6.5.4 and above decoder and concentrator settings

Document created by RSA Customer Support Employee on Jan 12, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000026931
Applies ToRSA NetWitness NextGen
RSA NetWitness NextGen 9.6.5.4 and above
RSA NetWitness Decoder
RSA NetWitness Concentrator
IssueHow to reconfigure and optimize RSA NetWitness NextGen 9.6.5.4 and above decoder and concentrator settings.
ResolutionThe attached document describes how to reconfigure and optimize your NetWitness Decoder and Concentrator /database, /index/ and /decoder settings in versions 9.6.5.4 and higher.
Notes

Note 1: if you upgraded your decoder from 9.5 and still have chain db files in /var/netwitness/decoder/packetdb/ directory (filename start with chain...), then you need to wait until all of these old chain db files have been rolled out from this directory, prior running the 'reconfig' settings.


 


Note 2: The reconfig feature assumes that each database has its separate filesystem and is not shared with other databases. This can be confirmed with the df -h command output. For example, from df -h output below on a decoder appliance, the /var/netwitness/decoder/index filesystem is not present, that means that the index database is not configured as a separate filesystem on this decoder; and hence one should NOT run index reconfig command on this decoder, which can result in incorrect index database sizes:


 



> df -h
Filesystem                         Size Used Avail Use% Mounted on
......


/dev/mapper/decodersmall-root      9.9G 151M 9.2G  2%   /var/netwitness/concentrator
/dev/mapper/decodersmall-decoroot  9.9G 4.6G 4.9G  49%  /var/netwitness/decoder
/dev/mapper/decodersmall-metadb    3.4T 3.1T 347G  90%  /var/netwitness/decoder/metadb
/dev/mapper/decodersmall-sessiondb 250G 225G 26G   90%  /var/netwitness/decoder/sessiondb
/dev/mapper/decoder-packetdb       13T  11T  2.5T  81%  /var/netwitness/decoder/packetdb



 

Note 1: if you upgraded your decoder from 9.5 and still have chain db files in /var/netwitness/decoder/packetdb/ directory (filename start with chain...), then you need to wait until all of these old chain db files have been rolled out from this directory, prior running the 'reconfig' settings.


 


Note 2: The reconfig feature assumes that each database has its separate filesystem and is not shared with other databases. This can be confirmed with the df -h command output. For example, from df -h output below on a decoder appliance, the /var/netwitness/decoder/index filesystem is not present, that means that the index database is not configured as a separate filesystem on this decoder; and hence one should NOT run index reconfig command on this decoder, which can result in incorrect index database sizes:


 


> df -h
Filesystem                         Size Used Avail Use% Mounted on
......


/dev/mapper/decodersmall-root      9.9G 151M 9.2G  2%   /var/netwitness/concentrator
/dev/mapper/decodersmall-decoroot  9.9G 4.6G 4.9G  49%  /var/netwitness/decoder
/dev/mapper/decodersmall-metadb    3.4T 3.1T 347G  90%  /var/netwitness/decoder/metadb
/dev/mapper/decodersmall-sessiondb 250G 225G 26G   90%  /var/netwitness/decoder/sessiondb
/dev/mapper/decoder-packetdb       13T  11T  2.5T  81%  /var/netwitness/decoder/packetdb

Legacy Article IDa59784

Attachments

    Outcomes