000035664 - How to access data on the on-board hard drives after a failed migration to RSA NetWitness Suite 11.0

Document created by RSA Customer Support Employee on Oct 25, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035664
Applies ToRSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: Appliance
RSA Version/Condition: 11.0
Platform: CentOS
IssueA user needs to access data on the on-board hard drives of an RSA NetWitness appliance for a physical device where a migration to version 11.0 failed before the OS was installed but after the LV (logical volume) changes took place using the 11.0 image.
ResolutionFollow the steps below to access the on-board hard drives for any physical devices.
  1. Boot the Rescue kernel from the troubleshooting menu on the 11.0 image.
     
    User-added image
     
  2. Select Option #3: Skip to shell
     
    User-added image
     
  3. Execute the commands below.

    modprobe dm-mod
    vgchange -ay

     
  4. Verify that all logical volumes are now active using the command below.

    lvscan

    User-added image
     
  5. Mount all of the logical volumes that are not external storage by executing the command below with the ... and mountX being equal to the total number of logical volumes that are available.

    mkdir -p /mnt/mount1 /mnt/mount2 ... /mnt/mountX

    User-added image
     
  6. Mount the logical volumes by executing the command below, modifying the XX-XXX as needed to fit the use case.

    mount -o ro /dev/VolGroupXX-XXX /mnt/mount1

    User-added image
At this point all files are accessible and can be moved to alternative storage locations.
When finished, manually unmount the logical volumes that were manually mounted  before rebooting the device.

Attachments

    Outcomes