000036106 - Incident Numbers have reset after moving the Incident Management database in RSA NetWitness Logs and Network

Document created by RSA Customer Support Employee on Mar 6, 2018
Last modified by RSA Customer Support Employee on Apr 10, 2019
Version 3

Article Content

Article Number: 000036106
Applies To:
RSA Product Set: NetWitness Logs and Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.X.X.X
Platform: CentOS
O/S Version: 6
 
Issue
If the Incident Manager isn't set up properly, the IM Database may automatically generate incidents on the NetWitness UI Server, which is not a supported configuration. When this happens, the database must be moved from the NetWitness UI Server to the ESA Server. When the IM Database is moved from the UI Server, the 'incident increment' must be moved as well. Otherwise, new Incident IDs will start over and overwrite the previous Incident IDs (for example, INC-1...INC-4). The steps to move the database can be found in the following article: https://community.rsa.com/docs/DOC-45376

Tasks
Case Scenario
We have moved the Mongo IM Database from the NetWitness UI Server to the ESA server. New Incident IDs are starting from INC-1...INC-4 even though incidents already exist with those IDs. The next Incident ID should be 71. What is needed to fix this issue?
  • Change the incident number stored in the IM Database that was just moved to the ESA Server to the current Incident ID.
Resolution
  • If you move the IM Database to the ESA server, you will need to provide credentials as shown below. (You don't need to do this if you are on the NetWitness UI Server.)


mongo im -u im -p im


  • To view all of the collections execute the following command:


show collections


  • Next, look at the list of collections. There should be one collection named "tracking_id_sequence". Use the 'find' command below to show the contents of the collection:


db.tracking_id_sequence.find()


  • The previous command, db.tracking_id_sequence.find(), may display output like the following. The value '1' is shown in this entry as an example (your results may differ).


{ "_class" : "com.mongodb.BasicDBObject", "_id" : "incident", "lastId" : NumberLong(1) }

In this example, to update the value so that it enumerates correctly, starting with the last incident, we need to update the value to 70. Your specific incident number will vary. 


db.tracking_id_sequence.update({ _id : "incident" }, { $set : { lastId : NumberLong(70) } })


  • To verify that the value updated correctly, run the command below:


db.tracking_id_sequence.find()


  • The value should now be updated. If it is not, retrace your steps.
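
Added example (not part of the original RSA article): a JavaScript helper that works out which lastId to set from the counter document and a list of existing incident IDs, and that never lowers the counter. The function names and the way the ID list is obtained are assumptions; the "INC-<n>" format and the counter document shape are taken from the article, and the sample data is constructed to match its scenario.

```javascript
// Added example: plan the lastId correction before touching the counter.
// Assumption: incident IDs have the form "INC-<n>", as shown in the article.

// Extract the numeric part of an incident ID; returns null for anything else.
function incidentNumber(id) {
  const m = /^INC-(\d+)$/.exec(String(id).trim());
  return m ? Number(m[1]) : null;
}

// counterDoc: the document returned by db.tracking_id_sequence.find()
// incidentIds: IDs of incidents that already exist (hypothetical input list)
function planCounterFix(counterDoc, incidentIds) {
  if (!counterDoc || counterDoc._id !== "incident") {
    throw new Error('expected the counter document with _id "incident"');
  }
  const numbers = incidentIds.map(incidentNumber);
  // IDs that do not parse are reported instead of being silently ignored.
  const rejected = incidentIds.filter((_, i) => numbers[i] === null);
  const valid = numbers.filter((n) => n !== null);
  const highest = valid.length ? Math.max(...valid) : 0;
  const current = Number(counterDoc.lastId);
  // Only ever raise the counter: lowering it would reissue IDs already in use.
  const needsUpdate = highest > current;
  const lastId = needsUpdate ? highest : current;
  return {
    current, highest, needsUpdate, lastId, rejected,
    nextIncident: "INC-" + (lastId + 1),
    command: needsUpdate
      ? `db.tracking_id_sequence.update({ _id : "incident" }, { $set : { lastId : NumberLong(${lastId}) } })`
      : null,
  };
}

// Constructed sample matching the article's scenario: INC-1 .. INC-70 exist,
// but the counter on the ESA server reads 1 after the move.
const sampleIds = Array.from({ length: 70 }, (_, i) => "INC-" + (i + 1));
const plan = planCounterFix({ _id: "incident", lastId: 1 }, sampleIds);
console.log(plan.command);
console.log("next incident will be", plan.nextIncident);
```

The helper runs under Node.js and only prints the update command; the command itself is still entered in the mongo shell as in the steps above.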
