Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000035238 - How to remove the nwipdbextractor service from an RSA Security Analytics server running version 10.4.x or later

Document created by RSA Customer Support

on Jun 10, 2017

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000035238
Applies To	RSA Product Set: Security Analytics, NetWitness Logs and Packets RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x Product Description: RSA NetWitness servers hosting the nwipdbextractor service such as RSA NetWitness Server Head Unit & RSA NetWitness All In One (AIO) appliances
Issue	Recurring IPDB Extractor Error Messages in RSA Security Analytics even though the IPDB Extractor is not being used. The /var/log/messages file may produce recurring error messages similar to the following: [ipdbextractorinit] [failure] Failed to read dir file from location /var/netwitness/ipdbextractor/devicelocation/global/local/directory [ipdbextractorinit] [failure] Ensure that the .dir file exists in the path as mentioned in the config"Mount point of the .dir file". Extractor will retry reading the .dir file after 1 minute. Note: If there is no RSA enVIsion IPDB present in the environment, then you can safely uninstall this service to provide greater resources to the RSA Security Analytics server. This is particularly useful on AIO appliances.
Resolution	The following line temporarily prevents collectd and the nwipdbextractor services from being restarted by automatic puppet agent runs # service puppet stop # service collectd stop # stop nwipdbextractor # yum remove nwipdbextractor # mv /etc/init/nwipdbextractor.conf /etc/init/nwipdbextractor.conf.disabled # mv /etc/collectd.d/NwIPDBExtractor.conf /etc/collectd.d/NwIPDBExtractor.conf.disabled # find /etc/netwitness/ng -name 'NwIpdbextractor.cfg' -type f -exec mv {} {}.disabled \; # cp /etc/puppet/modules/ipdbextractor/manifests/init.pp /etc/puppet/modules/ipdbextractor/manifests/init.pp.bak # sed -ri 's/installed/absent/' /etc/puppet/modules/ipdbextractor/manifests/init.pp Show classes # echo 'db.nodes.find({"node":"'$(/etc/puppet/scripts/node_id.py)'"})' \| mongo puppet Assuming services shown under classes are: "classes" : { "reporting-engine" : "", "saserver" : "", "appliance" : "", "broker" : "", "ipdbextractor" : "", "incident-management" : "", "malware-analysis-colo" : "", "concentrator" : "", "logdecoder" : "", "logcollector" : "", "base" : "" } Note: On a non AIO you typically don't see concentrator, decoder, logdecoder or logcollector services. The next line is necessary as addService.py checks for puppet agent status # puppet agent --noop --daemonize Based on the above classes, the command would be: # /etc/puppet/scripts/addService.py $(/etc/puppet/scripts/node_id.py) reporting-engine,saserver,appliance,broker,incident-management,malware-analysis-colo,concentrator,logdecoder,logcollector,base The following command will restart collectd as well: # service puppet restart

Attachments

Outcomes

0 Comments

Incoming Links