A new Security Analytics
I had a disk problem and installed Security Analytics from the start, but how can I re-bind the existing decoder, concentrator, etc. to my new SA server? I have searched but couldn't find anything. Thanks.
There are a few things we need to check on the decoder (or any device you want to add to a newly installed SA).
Open the /etc/puppet/puppet.conf file and check the server name; it should look like:
rundir = /var/run/puppet
certname = b47d887b-5149-4348-b013-d147cc56db08
logdir = /var/log/puppet
ssldir = $vardir/ssl
localconfig = $vardir/localconfig
classfile = $vardir/classes.txt
server = puppetmaster.local
Then ping the value in front of server. By default it is set to puppetmaster.local. You should be able to see that your decoder resolves the name to your SA IP address.
[root@Decoder ~]# ping puppetmaster.local
PING puppetmaster.local (192.168.2.101) 56(84) bytes of data.
64 bytes from puppetmaster.local (192.168.2.101): icmp_seq=1 ttl=63 time=0.915 ms
--- puppetmaster.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 796ms
rtt min/avg/max/mdev = 0.915/0.915/0.915/0.000 ms
Where 192.168.2.1 is the IP address of my SA server. If this setting is not correct, please check the /etc/hosts file and make sure that you have a line like:
Then check the ping command again and make sure that the Decoder is able to resolve the SA IP address when you ping puppetmaster.local.
Then we need to set puppet on the Decoder to send a new certificate signing request to the SA server. Therefore:
First make sure that the Decoder has not been added to the SA by going to SA UI -> Administration -> Appliances.
On Decoder:
1. record the node_id on the appliance : cat /var/lib/puppet/node_id
2. stop puppet & rabbitmq on the appliance (Decoder) by entering "service rabbitmq-server stop && service puppet stop"
3. cp -r /var/lib/puppet/ssl/ /tmp/sslbackup
4. rm -rf /var/lib/puppet/ssl/*
5. start puppet & rabbitmq on the appliance (Decoder) by entering "service rabbitmq-server start && service puppet start"
On SA Appliance:
1- Check to see if the signing request has been received by the SA server (puppet master service) by entering "puppet cert list"
[root@SA-Server ~]# puppet cert list
+ "1832d3c0-fab6-4abb-a706-e3f80fc9e98b" (SHA256) 4F:22:D3:A8:7C:BE:C8:DF:F5:FC:01:C1:CB:D6:A1:A6:EA:08:DF:24:EC:91:2C:67:1F:D5:4E:3F:F5:0E:E4:AF
Where "1832d3c0-fab6-4abb-a706-e3f80fc9e98b" is the NodeID you checked on the Decoder in step 1.
2- Open SA UI -> Administration -> Appliances and press "Discover" on top of the device list.
SA should now show the Decoder.
Thanks for your post.
This is really helpful. In my lab scenario I am not able to add the newly deployed Log Decoder to my RSA SA, and even after the discovery it was not showing up.
On the RSA SA appliance, I am not able to see the node_id of the log decoder, concentrator and ESA, so when I run "puppet cert list" on the SA server I am not able to see the node_id of the log decoder, concentrator and ESA.
But I am able to ping the SA server by puppetmaster.local on all the appliances.
[root@RSALD /]# ping puppetmaster.local
PING puppetmaster.local (192.168.1.100) 56(84) bytes of data.
64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=1 ttl=64 time=0.286 ms
64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=2 ttl=64 time=0.391 ms
64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=3 ttl=64 time=0.445 ms
64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=4 ttl=64 time=0.275 ms
64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=5 ttl=64 time=2.02 ms
64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=6 ttl=64 time=15.3 ms
RSA SA Server IP Address : 192.168.1.100
Kindly suggest and help regarding the same. Thanks.
Hello Deepanshu,
The command "puppet cert list" only lists new certificate requests. If you want to see all signed certificates, please use "puppet cert list -a".
Note: If you are re-adding a device to the same SA server, then you need to remove the old certificate from the SA server. So if you want to re-add (re-discover) the node, you need to do all the steps I mentioned in my previous comment and the following commands on the SA appliance (puppetmaster).
Before anything, go to SA UI -> Administration -> Appliances and remove the appliance you want to re-discover. Follow the steps in my previous comment up to starting the puppet service, then go to SA and find the old certificate:
puppet cert list -a
Then remove the old certificate from the SA server with:
puppet cert clean NodeID
Then go back to the Decoder and start the puppet service. Now you should be able to see the new certificate and it means SA should be able to discover it.
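The name-resolution checks from the first reply (the server value in /etc/puppet/puppet.conf and the matching /etc/hosts entry) can be scripted and run before the puppet SSL directory is cleared. This is an added example, not part of the thread or of RSA's tooling: the function names are hypothetical, the sample files are constructed from the values shown in the post, and it inspects only the hosts file, not DNS.

```bash
#!/bin/bash
# Added example: read-only checks, nothing on the appliance is modified.

# Print the value of KEY from a puppet.conf-style file ("key = value" lines).
puppet_conf_value() {   # usage: puppet_conf_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                    # section headers, blank lines
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Print the IP that a hosts-format file maps NAME to (empty if no entry).
hosts_lookup() {        # usage: hosts_lookup FILE NAME
    awk -v name="$2" '
        { sub(/#.*/, "") }                       # drop trailing comments
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Succeed only if the configured puppet master name maps to the expected SA IP.
preflight() {           # usage: preflight PUPPET_CONF HOSTS_FILE EXPECTED_SA_IP
    pf_server=$(puppet_conf_value "$1" server)
    [ -n "$pf_server" ] || { echo "FAIL: no server entry in $1"; return 1; }
    pf_ip=$(hosts_lookup "$2" "$pf_server")
    [ -n "$pf_ip" ] || { echo "FAIL: $pf_server has no entry in $2"; return 1; }
    [ "$pf_ip" = "$3" ] || { echo "FAIL: $pf_server -> $pf_ip, expected $3"; return 1; }
    echo "OK: $pf_server -> $pf_ip"
}

# Constructed sample files (values mirror the post; not from a real appliance).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'certname = b47d887b-5149-4348-b013-d147cc56db08\nserver = puppetmaster.local\n' > "$demo/puppet.conf"
printf '127.0.0.1 localhost\n192.168.2.101 puppetmaster.local  # SA server\n' > "$demo/hosts"

preflight "$demo/puppet.conf" "$demo/hosts" 192.168.2.101
# An expected IP that differs from the hosts entry is reported as a failure.
preflight "$demo/puppet.conf" "$demo/hosts" 192.168.2.1 || true
```

On an appliance, point the first two arguments at /etc/puppet/puppet.conf and /etc/hosts and pass the SA server's IP as the third.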