Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000036106 - Incident Numbers have reset after moving the Incident Management database in RSA NetWitness Logs and Packets

Document created by RSA Customer Support

on Mar 6, 2018

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000036106
Applies To	RSA Product Set: NetWitness Logs and Packets RSA Product/Service Type: Core Appliance RSA Version/Condition: 10.X.X.X Platform: CentOS O/S Version: 6
Issue	If the Incident manager isn't set up properly then the IM Database will automatically generate on the Netwitness UI Server, this isn't a supported configuration. When this happens we will have to move the database from the Netwitness UI Server to the ESA Server.When the IM Database is moved we will also have to move the incident increment otherwise the numbers for the Incident IDs will start from 1 overwriting the previous incidents.The steps to move the database can be found in the following article https://community.rsa.com/docs/DOC-45376.
Tasks	Change the IM Database number to the current Incident ID in IM Database that was just moved to the ESA Server. Case Scenario We have moved the Mongo IM Database from the Netwitness UI Server to the ESA server.The Incident ID's are starting from the beginning(INC-1) when there are already incidents created. For example, if you have 1-70 incidents in your database the next Incident ID should be 71 but when the IM Database is moved the Incident ID needs to be updated so that it starts at 71 and not 1, which will happen if the number isn't updated. The following steps are the steps to update the table in the database so that the incidents start at 71.
Resolution	If you move the IM Database to the ESA server you will need to provide credentials as shown below.(You don't need to do this if you are on the Netwitness UI Server) mongo im -u im -p im To view all of the collections we will run show collections We will then have to look at the collections there should be one titled tracking_id_sequence we will need to update it the command below will show the contents of the collection db.tracking_id_sequence.find() This is what is displayed { "_class" : "com.mongodb.BasicDBObject", "_id" : "incident", "lastId" : NumberLong(1) } The value 1 as shown in the following entry for our example. To update this so that it starts at where the last incidents started we need to update the value to 70. When an incident is created it will increment this number to give the incident id a value of 71.The command below updates the value in the table db.tracking_id_sequence.update ({ _id : "incident" }, {$set :{ lastId : NumberLong(70)}}) To verify that the value updated correctly run the command below db.tracking_id_sequence.find() The value should be correctly updated if not start from the top of the article

Attachments

Outcomes

0 Comments

Recommended Content