I have been told that enVision is an outdated product and that there is no path to upgrade it. We have it disabled. If this is the case, why do we need IPDB active if enVision is not needed anymore? IPDB works together with enVision by taking the data from it and helping to create the reporting.
If I am correct about enVision, what should be done to disable IPDB and Health and Wellness alert messages (I can't delete it from there)?
The reason nwipdbextractor exists is that although enVision is end-of-life, it will hold a lot of data that customers need to retain for compliance reasons (3 years, 5 years, etc.). So, until that time passes, it may be required for that data to be not only stored but also queried, which is where nwipdbextractor comes in.
If you want to get rid of the binary on the system, see below. If you want to not see those alarms, you can go into H&W and disable that alarm under the Hosts section of H&W Policies.
You can also disable nwipdbextractor using the following steps, but after an upgrade the changes will be overwritten and the steps below will have to be re-applied:
· stop nwipdbextractor (this takes several minutes to complete.)
· yum erase nwipdbextractor
· rm -f /etc/collectd.d/NwIPDBExtractor.conf
· service collectd restart
Thank you very much. Since we have no data to keep for compliance reasons (I had to rebuild the system after the disaster recovery), it makes sense to remove IPDB. Your instructions on how to do it are appreciated, too.
Roman Zeltser, CISSP
Sr. IM Security Analyst
Also, along with the comments from Naushad above, you should remove the ipdbextractor service from the "mongo puppet" database. This KB article explains the process.
This is a bug in the extra audit logging that will be fixed in 10.6.3.1 or 10.6.4.0 (I forget which build, but it is expected to be fixed in a future one). Safe to ignore for now.
It looks like you cut/pasted the command into your ssh window and the dash between "reporting" and "engine" got dropped. You'll need to re-do the command, but make sure all the characters from the article are in the command:
/etc/puppet/scripts/addService.py db51aab5-5071-480f-93af-6bfb32e24816 reporting-engine,saserver,appliance,incident-management,malware-analysis-colo,broker
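The copy/paste failure described above (a dropped dash turning "reporting-engine" into two unrelated tokens) is easy to catch before addService.py is ever run. The following is an added example, not code from the thread or from RSA: a small POSIX sh check that takes the comma-separated service list and rejects any entry that is not in a known list of service names. The known list is an assumption built only from the names quoted in the command above; extend it for your own deployment.

```shell
#!/bin/sh
# Added example (not from the original thread): validate the service list
# argument for addService.py before running it.

# Assumed allow-list of service names, taken from the command quoted in
# the thread. Comma-separated so it splits the same way as the argument.
KNOWN_SERVICES="reporting-engine,saserver,appliance,incident-management,malware-analysis-colo,broker"

# check_services LIST
#   LIST is the comma-separated argument as it would be handed to
#   addService.py. Every unrecognised entry is reported on stderr; the
#   function returns 1 if any entry is bad (or if the list contains
#   whitespace, the typical sign of a dropped character) and 0 otherwise.
check_services() {
    list="$1"
    bad=0

    # A dash that is lost in a paste usually becomes a space, which would
    # make the shell pass the tail of the list as a separate argument.
    case "$list" in
        *[[:space:]]*)
            echo "service list contains whitespace: '$list'" >&2
            return 1 ;;
    esac

    old_ifs="$IFS"
    IFS=','
    for svc in $list; do
        found=0
        for known in $KNOWN_SERVICES; do
            [ "$svc" = "$known" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "unknown service name: '$svc'" >&2
            bad=1
        fi
    done
    IFS="$old_ifs"
    return "$bad"
}

# Usage: the list as written in the article passes ...
check_services "reporting-engine,saserver,appliance,incident-management,malware-analysis-colo,broker" \
    && echo "service list OK"

# ... while the pasted version with the dash dropped is rejected, and so is
# a version where the dash became a comma (both are constructed inputs).
check_services "reporting engine,saserver,appliance" || echo "rejected (whitespace)"
check_services "reporting,engine,saserver" || echo "rejected (unknown names)"
```

Wrap the real call as `check_services "$LIST" && /etc/puppet/scripts/addService.py <node-id> "$LIST"` so the script only runs when the list is intact; the node id stays whatever the KB article gives you.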