000035674 - How to manually re-add a host that has been removed from the RSA NetWitness GUI Hosts page

Document created by RSA Customer Support Employee on Oct 31, 2017Last modified by RSA Customer Support Employee on Nov 7, 2018
Version 3Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000035674
Applies ToRSA Product Set: NetWitness Logs and Network
RSA Version/Condition: 11.0, 11.1,11.2
IssueAfter removing a Host from the Host page in the UI it won't discover again.
ResolutionOn your Component Host (Packet Decoder, Concentrator, Malware Analysis, etc.), run the following command from an SSH window to retrieve the host_id.

# cat /etc/salt/minion



Sample output...
# cat /etc/salt/minion
master: 192.168.2.101
hash_type: sha256
log_level: info
id: 44f0b8ad-55cb-440f-8e42-95caa049b4a1




On the NW Admin Server, verify that the component host_id is in the list.
Run the following command from an SSH window on the NW Admin Server

# orchestration-cli-client -k



[root@nwadmin1 ~]# orchestration-cli-client -k
2018-10-11 03:34:00.387  INFO 11265 --- [           main] Bootstrap                                : Service logs will be written to /var/log/netwitness/orchestration-client
2018-10-11 03:34:00.396  INFO 11265 --- [           main] Bootstrap                                : Service configuration will be read from /etc/netwitness/orchestration-client
2018-10-11 03:34:00.630  INFO 11265 --- [           main] Bootstrap                                : Starting orchestration-client.9c202413-65a5-43f6-8eed-641d48ed078c (v0.0.0.0)
2018-10-11 03:34:01.214  INFO 11265 --- [           main] Bootstrap                                : Initialized service cryptography with 4 providers (BSAFE=CRYPTOJ 6.2.2 20161215 0745, FIPS-140=true).
2018-10-11 03:34:02.376  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Starting OrchestrationApplication on nwadmin1 with PID 11265 (/usr/bin/orchestration-cli-client.jar started by root in /root)
2018-10-11 03:34:02.376  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : The following profiles are active: standard
2018-10-11 03:34:02.602  INFO 11265 --- [           main] Bootstrap                                : Service will accept AMQP requests at broker localhost:5672/rsa/system
2018-10-11 03:34:02.626  INFO 11265 --- [           main] Bootstrap                                : Service will use the deployment security-server
2018-10-11 03:34:04.656  INFO 11265 --- [shake Completed] Security                                 : Accepted new connection with CN=ba847be4-afca-4df4-beca-e6df7ac3a228,OU=NetWitness Platform,O=RSA,L=Reston,ST=VA,C=US from 127.0.0.1 using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
2018-10-11 03:34:05.878  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=a3f9d06f-4f67-4721-9e74-1f127e24e4ad, STATUS=Provisioned
2018-10-11 03:34:05.880  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=992dcb26-39c2-4c29-b9c9-7f5e98f3c542, STATUS=Provisioned
2018-10-11 03:34:05.881  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=f8b8c231-3a04-482a-b4ed-5abe4a242441, STATUS=Provisioned
2018-10-11 03:34:05.881  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=d4d00352-39e1-4462-9ecd-80c028c28df1, STATUS=Provisioned
2018-10-11 03:34:05.881  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=c49396f5-9332-447f-ae72-c920cf4bd6f6, STATUS=Provisioned
2018-10-11 03:34:05.882  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=fdd0857a-e022-439d-b148-05d4cb1f503a, STATUS=Provisioned
2018-10-11 03:34:05.882  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=73482e91-7ace-44aa-85aa-bb32fe6fe61b, STATUS=Provisioned
2018-10-11 03:34:05.883  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=ba847be4-afca-4df4-beca-e6df7ac3a228, STATUS=Provisioned
2018-10-11 03:34:05.883  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=44f0b8ad-55cb-440f-8e42-95caa049b4a1, STATUS=Provisioned
2018-10-11 03:34:05.914  INFO 11265 --- [           main] SystemOperation                          : Update current versions on disk {com.rsa.asoc.compass.orchestration-api=3.3.0}
2018-10-11 03:34:05.917  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Started OrchestrationApplication in 6.788 seconds (JVM running for 7.592)
2018-10-11 03:34:06.388  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Tasks completed successfully...
[2018-10-11T03:34:06+00:00] <11262> (INFO) Request completed successfully.




On the NW Admin Server, delete the host_id for the client host node.


# orchestration-cli-client --remove-key 44f0b8ad-55cb-440f-8e42-95caa049b4a1


On the client Host appliance re-run the nwsetup-tui command...


# nwsetup-tui

... answer the questions
... once nwsetup-tui finishes go to the UI and discover the Host again
... once host is discovered click the "Install" button to select the node type (i.e. Packet Decoder, LogDecoder etc...)
 

Attachments

    Outcomes