Article Content
Article Number | 000035277 |
Applies To | RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Archiver, Broker, Concentrator, Event Stream Analysis, Incident Management, IPDB Extractor, Log Collector, Log Decoder, Malware Analysis, Packet Decoder, Reporting Engine
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): Puppet, MongoDB
O/S Version: EL6 |
Tasks | This article explains how to remove a service from a node, using the logcollector service as the example. The procedure is very similar to the article entitled How to remove the nwipdbextractor service from an RSA Security Analytics server running version 10.4.x or later, except that the service to be removed may be on a different node from the RSA Security Analytics server.

On the node you are removing the service from:

1. Either SSH or use a console (such as the iDRAC console) to connect to the node you are removing the service from.

2. Obtain the puppet node_id. The node_id is needed to display the services listed in the MongoDB puppet database for a node. On that node, obtain the node_id:

    /etc/puppet/scripts/node_id.py

   Example output:

    # /etc/puppet/scripts/node_id.py

3. Stop puppet:

    service puppet stop

4. Stop collectd:

    service collectd stop

5. Uninstall the service. Example:

    yum remove nwlogcollector

6. Remove the collectd recipe. Example:

    mv /etc/collectd.d/NwLogCollector.conf /etc/collectd.d/NwLogCollector.conf.disabled

7. For services in upstart (located in /etc/init), you may need to remove the service conf file if the yum command did not remove it. Example:

    mv /etc/init/nwlogcollector.conf /etc/init/nwlogcollector.conf.disabled

8. Start the puppet agent in a mode which does not restart services (to avoid re-obtaining the puppet recipe for the service being removed):

    puppet agent --noop --daemonize

On the NetWitness Head Unit Server which hosts the puppet MongoDB:

9. Either SSH or use a console to connect to the NetWitness Head Unit Server.

10. Display the node's services. To display a particular node's services, use the following syntax, which shows only the _id, node and classes fields:

    > db.nodes.find({ "node":"<node_id>" },{ "classes":1, "node":1 })

   Example output:

    # mongo puppet

11. Syntax:

    /etc/puppet/scripts/addService.py <node_id> <remaining_services>

   Based on the above classes, the command would be the following (removing logcollector in this example):

    /etc/puppet/scripts/addService.py b93bdb62-b0e4-4141-a03b-dac803da73a7 concentrator,base,appliance,logdecoder

Within the Security Analytics Web UI:

12. Remove the service from Administration \ Services using the '-' button.

On the node you have removed the service from:

13. On the node, restart puppet (this automatically triggers the equivalent of puppet agent -t, which also restarts the collectd service):

    service puppet restart

14. Check whether any entries need to be removed from /etc/logrotate.conf |
Notes | On the NetWitness Head Unit server, display the services listed for this node in the puppet MongoDB:

    # mongo puppet

To display all nodes:

    > db.nodes.find()

Note: If there is more than one page of output you may see the following prompt. Typing "it" and pressing Enter displays the output one page at a time.

    > Type "it" for more

Alternatively, you can change the number of records the cursor returns (in this case 100):

    > DBQuery.shellBatchSize = 100

To display a particular node's services:

Syntax:

    > db.nodes.find({ "node":"<node_id>" })

Example output:

    # mongo puppet |
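
Step 11 passes addService.py the list of services that remain, so a class left out by mistake is removed along with the intended one. The helper below is an added example, not part of the original article or of RSA's scripts: it derives that list from the node's current classes and refuses to continue if the target is missing or nothing would remain. The function name, the comma-separated input format and the allowed character set for class names are assumptions.

```shell
#!/bin/sh
# Added example, not RSA's script: builds the <remaining_services> argument
# for step 11 of the article.
# Assumption: the operator copies the class names shown by db.nodes.find()
# into a comma-separated string; the query output itself is not parsed here.

# remaining_services <current_classes_csv> <class_to_remove>
# Prints the remaining classes as CSV, in their original order.
# Exit status: 1 = class not in list, 2 = nothing would remain,
#              3 = unexpected characters in a class name.
# The body runs in a subshell so IFS and set -f do not leak to the caller.
remaining_services() (
    current=$1 remove=$2 out="" found=0
    set -f                      # no glob expansion while splitting
    IFS=','
    for cls in $current; do
        cls=$(printf '%s' "$cls" | tr -d '[:space:]')   # tolerate "a, b"
        [ -n "$cls" ] || continue
        # The list ends up as an argument to a root-run script, so accept
        # only plain names (assumed pattern, based on the article's names).
        case $cls in
            *[!a-z0-9_]*) echo "unexpected class name: $cls" >&2; exit 3 ;;
        esac
        if [ "$cls" = "$remove" ]; then found=1; continue; fi
        out="${out:+$out,}$cls"
    done
    [ "$found" -eq 1 ] || { echo "$remove is not in the class list" >&2; exit 1; }
    [ -n "$out" ] || { echo "no classes would remain" >&2; exit 2; }
    printf '%s\n' "$out"
)

# Constructed sample: node id from the article; the class list is the
# article's remaining services plus logcollector (order is assumed).
node_id="b93bdb62-b0e4-4141-a03b-dac803da73a7"
classes="concentrator,base,appliance,logdecoder,logcollector"
if keep=$(remaining_services "$classes" logcollector); then
    # Print the command for review instead of running it.
    echo "/etc/puppet/scripts/addService.py $node_id $keep"
fi
```

Compare the printed command against the classes shown in step 10 before running it on the Head Unit.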