000035238 - How to remove the nwipdbextractor service from an RSA Security Analytics server running version 10.4.x or later

Document created by RSA Customer Support Employee on Jun 10, 2017

Article Content

Article Number: 000035238
Applies To: RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Product Description: RSA NetWitness servers hosting the nwipdbextractor service, such as RSA NetWitness Server Head Unit and RSA NetWitness All In One (AIO) appliances
Issue: Recurring IPDB Extractor error messages in RSA Security Analytics even though the IPDB Extractor is not being used.
The /var/log/messages file may produce recurring error messages similar to the following:
[ipdbextractorinit] [failure] Failed to read dir file from location /var/netwitness/ipdbextractor/devicelocation/global/local/directory
[ipdbextractorinit] [failure] Ensure that the .dir file exists in the path as mentioned in the config"Mount point of the .dir file". Extractor will retry reading the .dir file after 1 minute.

Note: If there is no RSA enVision IPDB present in the environment, you can safely uninstall this service to free up resources on the RSA Security Analytics server. This is particularly useful on AIO appliances.
The following command temporarily prevents the collectd and nwipdbextractor services from being restarted by automatic puppet agent runs:
# service puppet stop

# service collectd stop
# stop nwipdbextractor
# yum remove nwipdbextractor
# mv /etc/init/nwipdbextractor.conf /etc/init/nwipdbextractor.conf.disabled
# mv /etc/collectd.d/NwIPDBExtractor.conf /etc/collectd.d/NwIPDBExtractor.conf.disabled
# find /etc/netwitness/ng -name 'NwIpdbextractor.cfg' -type f -exec mv {} {}.disabled \;
# cp /etc/puppet/modules/ipdbextractor/manifests/init.pp /etc/puppet/modules/ipdbextractor/manifests/init.pp.bak
# sed -ri 's/installed/absent/' /etc/puppet/modules/ipdbextractor/manifests/init.pp

Show classes
# echo 'db.nodes.find({"node":"'$(/etc/puppet/scripts/node_id.py)'"})' | mongo puppet

Assuming services shown under classes are:
"classes" : { "reporting-engine" : "", "saserver" : "", "appliance" : "", "broker" : "", "ipdbextractor" : "", "incident-management" : "", "malware-analysis-colo" : "", "concentrator" : "", "logdecoder" : "", "logcollector" : "", "base" : "" }

Note: On a non-AIO appliance you typically do not see the concentrator, decoder, logdecoder or logcollector classes.
The next command is necessary because addService.py checks that the puppet agent is running; --noop keeps the agent from applying the catalog:
# puppet agent --noop --daemonize

Based on the above classes, the command would be the same list with ipdbextractor removed:
# /etc/puppet/scripts/addService.py $(/etc/puppet/scripts/node_id.py) reporting-engine,saserver,appliance,broker,incident-management,malware-analysis-colo,concentrator,logdecoder,logcollector,base

The following command restarts puppet, which restarts collectd as well:
# service puppet restart
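The whole procedure above as one script, added here as an example and not part of the RSA article: the addService.py class list is derived from the mongo output by dropping ipdbextractor rather than being retyped by hand, and the script refuses to run if ipdbextractor is not actually among the node's classes. It uses the same paths and helper scripts the article names, assumes (as in the article) that mongo prints the node document on a single line containing the "classes" object, and adds -y to yum remove so the run is non-interactive. Run it as root with --run; without that argument it only defines the functions.

```sh
#!/bin/sh
# Added example (not RSA's code): remove the nwipdbextractor service and its
# puppet class from an RSA Security Analytics 10.4.x+ server.

# remaining_classes TEXT CLASS
# Extract the class names from a mongo document fragment such as
#   "classes" : { "reporting-engine" : "", "ipdbextractor" : "", "base" : "" }
# and print them comma-separated with CLASS dropped (nothing if none remain).
remaining_classes() {
    printf '%s\n' "$1" \
      | sed -n 's/.*"classes"[[:space:]]*:[[:space:]]*{\([^}]*\)}.*/\1/p' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*:.*/\1/p' \
      | grep -v -x -- "$2" \
      | paste -s -d, -
}

# has_class TEXT CLASS: succeed only if CLASS is a key of the "classes" object.
has_class() {
    printf '%s\n' "$1" \
      | sed -n 's/.*"classes"[[:space:]]*:[[:space:]]*{\([^}]*\)}.*/\1/p' \
      | grep -q "\"$2\"[[:space:]]*:"
}

# disable_file PATH: rename PATH to PATH.disabled if it exists (the article's mv steps).
disable_file() {
    if [ -e "$1" ]; then
        mv "$1" "$1.disabled"
    fi
}

remove_ipdbextractor() {
    set -e
    node_id=$(/etc/puppet/scripts/node_id.py)
    # Same query as the article; keep only the line carrying the node document.
    doc=$(echo 'db.nodes.find({"node":"'"$node_id"'"})' | mongo puppet | grep '"classes"')

    if ! has_class "$doc" ipdbextractor; then
        echo "ipdbextractor is not among this node's puppet classes; nothing to do" >&2
        return 1
    fi
    classes=$(remaining_classes "$doc" ipdbextractor)
    if [ -z "$classes" ]; then
        echo "could not derive a class list from: $doc" >&2
        return 1
    fi

    # Keep puppet from restarting what is about to be removed.
    service puppet stop
    service collectd stop
    stop nwipdbextractor || true          # Upstart job may already be stopped
    yum -y remove nwipdbextractor

    disable_file /etc/init/nwipdbextractor.conf
    disable_file /etc/collectd.d/NwIPDBExtractor.conf
    find /etc/netwitness/ng -name 'NwIpdbextractor.cfg' -type f -exec mv {} {}.disabled \;

    # Tell the puppet module the package should be absent rather than installed.
    cp /etc/puppet/modules/ipdbextractor/manifests/init.pp \
       /etc/puppet/modules/ipdbextractor/manifests/init.pp.bak
    sed -ri 's/installed/absent/' /etc/puppet/modules/ipdbextractor/manifests/init.pp

    # addService.py checks for a running puppet agent; --noop keeps it from applying anything.
    puppet agent --noop --daemonize
    /etc/puppet/scripts/addService.py "$node_id" "$classes"

    # Restarting puppet brings collectd back up as well.
    service puppet restart
}

if [ "${1-}" = "--run" ]; then
    remove_ipdbextractor
fi
```

Before running it with --run, check the output of the article's mongo query yourself: the script only looks at the single line containing "classes", so a node document printed in pretty (multi-line) form would make has_class fail and the script stop before touching anything.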