Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000036106 - Incident Numbers have reset after moving the Incident Management database in RSA NetWitness Logs and Network

Document created by RSA Customer Support

on Mar 6, 2018•Last modified by RSA Customer Support

on Apr 10, 2019

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000036106
Applies To	RSA Product Set: NetWitness Logs and Network RSA Product/Service Type: Core Appliance RSA Version/Condition: 10.X.X.X Platform: CentOS O/S Version: 6
Issue	If the Incident Manager isn't set up properly, then the IM Database may automatically generate incidents on the Netwitness UI Server, which is not a supported configuration. When this happens, it is necessary to move the database from the Netwitness UI Server to the ESA Server. When the IM Database is moved from the UI, it is also necessary to move the 'incident increment.' Otherwise, the numbers for the Incident IDs will start overwriting the previous incident ID's (i.e, INC-1...INC4). The steps to move the database can be found in the following article: https://community.rsa.com/docs/DOC-45376 .
Tasks	Case Scenario We have moved the Mongo IM Database from the Netwitness UI Server to the ESA server. The Incident ID's are starting from (INC-1...INC-4) when there are already incidents created using that ID. The next Incident ID should be 71. What is needed to fix this issue? Change the IM Database number to the current Incident ID in IM Database that was just moved to the ESA Server.
Resolution	If you move the IM Database to the ESA server you will need to provide credentials as shown below. (You don't need to do this if you are on the Netwitness UI Server) mongo im -u im -p im To view all of the collections execute the following command: show collections Next, look at the collections...there should be one database titled, "db.tracking_id_sequence." Use the 'find' parameter below to show the contents of the collection: db.tracking_id_sequence.find() This output may be displayed from the previous command...db.tracking_id_sequence.find(). The value '1' is shown in the following entry as an example (your results may differ). { "_class" : "com.mongodb.BasicDBObject", "_id" : "incident", "lastId" : NumberLong(1) } In this example, to update the value so that it enumerates correctly, starting with the last incident, we need to update the value to 70. Your specific incident number will vary. db.tracking_id_sequence.update ({ _id : "incident" }, {$set :{ lastId : NumberLong(70)}}) To verify that the value updated correctly run the command below db.tracking_id_sequence.find() The value should be correctly updated if not please retrace your steps.

Attachments

Outcomes

0 Comments

Recommended Content