Article Content
Article Number | 000035238 |
Applies To | RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Product Description: RSA NetWitness servers hosting the nwipdbextractor service, such as RSA NetWitness Server Head Unit and RSA NetWitness All In One (AIO) appliances |
Issue | Recurring IPDB Extractor error messages appear in RSA Security Analytics even though the IPDB Extractor is not being used. The /var/log/messages file may contain recurring error messages similar to the following:

[ipdbextractorinit] [failure] Failed to read dir file from location /var/netwitness/ipdbextractor/devicelocation/global/local/directory

Note: If there is no RSA enVision IPDB present in the environment, you can safely uninstall this service to free up resources for the RSA Security Analytics server. This is particularly useful on AIO appliances. |
Resolution | The following lines temporarily prevent the collectd and nwipdbextractor services from being restarted by automatic puppet agent runs:

# service puppet stop
# service collectd stop

Show the classes assigned to this node:

# echo 'db.nodes.find({"node":"'$(/etc/puppet/scripts/node_id.py)'"})' | mongo puppet

Assuming the services shown under classes are:

"classes" : { "reporting-engine" : "", "saserver" : "", "appliance" : "", "broker" : "", "ipdbextractor" : "", "incident-management" : "", "malware-analysis-colo" : "", "concentrator" : "", "logdecoder" : "", "logcollector" : "", "base" : "" }

Note: On a non-AIO you typically don't see concentrator, decoder, logdecoder or logcollector services.

The next line is necessary because addService.py checks the puppet agent status:

# puppet agent --noop --daemonize

Based on the above classes, the command would be as follows (every class listed above except ipdbextractor):

# /etc/puppet/scripts/addService.py $(/etc/puppet/scripts/node_id.py) reporting-engine,saserver,appliance,broker,incident-management,malware-analysis-colo,concentrator,logdecoder,logcollector,base

The following command will restart collectd as well:

# service puppet restart |
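Added example (not part of the original RSA article and not RSA's script): a shell helper that builds the class list for addService.py from the output of the mongo query above, leaving out ipdbextractor and refusing to produce a list if the output was not understood. The function name classes_without and the SAMPLE text are hypothetical; SAMPLE is constructed from the class listing shown in the Resolution.

```shell
#!/bin/sh
# Added example. On the appliance the input would come from the article's query:
#   echo 'db.nodes.find({"node":"'$(/etc/puppet/scripts/node_id.py)'"})' \
#     | mongo puppet | classes_without ipdbextractor

# classes_without CLASS
#   stdin : text printed by the mongo query (contains "classes" : { ... })
#   stdout: comma-separated class names, in original order, without CLASS
classes_without() {
    drop=$1
    # Join lines, isolate the body of the "classes" sub-document, then keep
    # only the key names (every value in that sub-document is "").
    keys=$(tr '\n' ' ' |
        sed -n 's/.*"classes"[[:space:]]*:[[:space:]]*{\([^}]*\)}.*/\1/p' |
        grep -o '"[^"]*"[[:space:]]*:' |
        sed 's/^"\([^"]*\)".*/\1/')

    # Fail closed: an empty result means the query output was not parsed,
    # and an empty class list must never be handed to addService.py.
    [ -n "$keys" ] || { echo "no classes block found" >&2; return 2; }

    # Nothing to remove if the class is not assigned to this node.
    printf '%s\n' "$keys" | grep -qFx -- "$drop" ||
        { echo "$drop is not in the class list" >&2; return 3; }

    printf '%s\n' "$keys" | grep -vFx -- "$drop" | paste -sd, -
}

# Constructed sample input: the class listing from the Resolution wrapped in a
# made-up node document (the _id and node values are placeholders).
SAMPLE='{ "_id" : ObjectId("000000000000000000000000"), "node" : "placeholder-node-id",
  "classes" : { "reporting-engine" : "", "saserver" : "", "appliance" : "",
  "broker" : "", "ipdbextractor" : "", "incident-management" : "",
  "malware-analysis-colo" : "", "concentrator" : "", "logdecoder" : "",
  "logcollector" : "", "base" : "" } }'

# Demo on the constructed sample; compare the output with the class list in
# the addService.py command before running that command.
printf '%s\n' "$SAMPLE" | classes_without ipdbextractor
```

The helper only prints the list; it does not call addService.py, so the result can be checked against the classes shown by the query first.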