000035277 - How to decommission a single service from a node (including the removal from MongoDB) in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 17, 2017

Article Content

Article Number: 000035277
Applies To: RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Archiver, Broker, Concentrator, Event Stream Analysis, Incident Management, IPDB Extractor, Log Collector, Log Decoder, Malware Analysis, Packet Decoder, Reporting Engine
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): Puppet, MongoDB
O/S Version: EL6
 
Tasks
This article explains how to remove a service from a node, using the logcollector service as the example.
It is very similar to the article entitled How to remove the nwipdbextractor service from an RSA Security Analytics server running version 10.4.x or later, except that the service being removed may reside on a different node from the RSA Security Analytics server.
On the Node from which you are Removing the Service:
1. Either SSH or use a console (such as the iDRAC console) to connect to the node from which you are removing the service.
2. Obtain the puppet node_id
Run the following script on that node. The node_id it prints is needed later to look up the services listed for the node in the puppet MongoDB.
/etc/puppet/scripts/node_id.py

Example Output:
# /etc/puppet/scripts/node_id.py
b93bdb62-b0e4-4141-a03b-dac803da73a7

 
3. Stop puppet
service puppet stop

4. Stop collectd
service collectd stop

5. Uninstall service
Example:
yum remove nwlogcollector

6. Remove the collectd recipe
Example:
mv /etc/collectd.d/NwLogCollector.conf /etc/collectd.d/NwLogCollector.conf.disabled

7. For services managed by upstart (located in /etc/init), you may need to remove the service's conf file if the yum command did not remove it.
Example:
mv /etc/init/nwlogcollector.conf /etc/init/nwlogcollector.conf.disabled

8. Start the puppet agent in a mode which does not restart services, so that it does not re-obtain the puppet recipe for the service being removed.
puppet agent --noop --daemonize

On the NetWitness Head Unit Server which hosts the puppet MongoDB:
9. Either SSH or use a console to connect to the NetWitness Head Unit Server.
10. Display the node's services:
To display a particular node's services, enter the mongo shell with mongo puppet and run the query below.
Syntax showing only the _id, node and classes fields:
> db.nodes.find({ "node":"<node_id>" },{ "classes":1, "node":1 })

Example output:
# mongo puppet
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: puppet
> db.nodes.find({ "node":"b93bdb62-b0e4-4141-a03b-dac803da73a7" },{ "classes":1, "node":1 })
{ "_id" : ObjectId("58da3174a76fc4cb0a000000"), "node" : "b93bdb62-b0e4-4141-a03b-dac803da73a7", "classes" : { "concentrator" : "", "base" : "", "appliance" : "", "logcollector" : "", "logdecoder" : "" } }

11. Re-register the node with only its remaining services, using addService.py.
Syntax (remaining_services is a comma-separated list of the classes that should stay on the node):
/etc/puppet/scripts/addService.py <node_id> <remaining_services>

Based on the above classes, the command would be the following (removing logcollector in this example):
/etc/puppet/scripts/addService.py b93bdb62-b0e4-4141-a03b-dac803da73a7 concentrator,base,appliance,logdecoder

Within the Security Analytics Web UI:
12. Remove the service from Administration \ Services using the '-' button.
On the Node from which you have Removed the Service:
13. On the node, restart puppet. This automatically triggers the equivalent of puppet agent -t, which also restarts the collectd service.
service puppet restart

14. Check whether any entries need to be removed from /etc/logrotate.conf.
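Steps 10 and 11 above are where mistakes are easiest to make: the remaining_services list passed to addService.py has to contain every class from the node's classes field except the one being removed, and a node_id copied by hand can be mistyped. The following helper, added here as an example and not part of the article or of RSA's own scripts, parses a line of db.nodes.find() output (the mongo shell prints ObjectId(...) and ISODate(...) wrappers, which are not valid JSON), drops the requested service and builds the exact addService.py command line. The sample document is constructed from the article's example, and the rule that base and appliance are never removable is an assumption made for this example.

```python
import json
import re

# Constructed sample line, modelled on the db.nodes.find() output shown in the article.
SAMPLE_DOC = (
    '{ "_id" : ObjectId("58da3174a76fc4cb0a000000"), '
    '"node" : "b93bdb62-b0e4-4141-a03b-dac803da73a7", '
    '"classes" : { "concentrator" : "", "base" : "", "appliance" : "", '
    '"logcollector" : "", "logdecoder" : "" }, '
    '"lastModified" : ISODate("2017-05-11T04:34:12.147Z") }'
)

# Assumption for this example: these puppet classes are not services and must stay on every node.
CORE_CLASSES = {"base", "appliance"}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_mongo_doc(line):
    """Turn one mongo-shell document into a dict by unwrapping ObjectId("...") and ISODate("...")."""
    cleaned = re.sub(r'(?:ObjectId|ISODate)\(("[^"]*")\)', r"\1", line)
    return json.loads(cleaned)


def remaining_services(doc, service):
    """Return the comma-separated class list addService.py expects after dropping `service`."""
    classes = list(doc["classes"].keys())  # insertion order is preserved, matching the shell output
    if service in CORE_CLASSES:
        raise ValueError(f"{service} is a core class, not a removable service")
    if service not in classes:
        raise ValueError(f"{service} is not assigned to node {doc['node']}")
    return ",".join(c for c in classes if c != service)


def build_command(doc, service):
    """Build the addService.py command line for step 11, validating the node_id format first."""
    node_id = doc["node"]
    if not UUID_RE.match(node_id):
        raise ValueError(f"unexpected node_id format: {node_id}")
    return f"/etc/puppet/scripts/addService.py {node_id} {remaining_services(doc, service)}"


if __name__ == "__main__":
    print(build_command(parse_mongo_doc(SAMPLE_DOC), "logcollector"))
```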
 
Notes
On the NetWitness Head Unit server, display the services listed for this node in the puppet MongoDB:
# mongo puppet

To display all nodes:
> db.nodes.find()

Note: If there is more than one page of output you will see the following prompt; typing it and pressing Enter displays the output one page at a time.
> Type "it" for more

Alternatively, you can change the number of records the cursor returns per batch (100 in this case):
> DBQuery.shellBatchSize = 100

To display a particular node's services:
Syntax:
> db.nodes.find({ "node":"<node_id>" })

Example output:
# mongo puppet
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: puppet
> db.nodes.find({ "node":"b93bdb62-b0e4-4141-a03b-dac803da73a7" })
{ "_id" : ObjectId("58da3174a76fc4cb0a000000"), "_class" : "com.rsa.smc.sa.admin.management.domain.bean.Nodes", "node" : "b93bdb62-b0e4-4141-a03b-dac803da73a7", "classes" : { "concentrator" : "", "base" : "", "appliance" : "", "logcollector" : "", "logdecoder" : "" }, "currentVersion" : { "version" : { "major" : 10, "minor" : 6, "servicePack" : 3 }, "patch" : 0 }, "parameters" : { "version" : "10.6.3", "patch" : 0 }, "lastModified" : ISODate("2017-05-11T04:34:12.147Z") }
