Error when trying to add Incident Management as a data-source to Context Hub in RSA NetWitness Logs and Packets
RSA Product Set: Security Analytics, NetWitness Logs and Packets RSA Product/Service Type: Security Analytics Server, Context Hub, Incident Management RSA Version/Condition: 10.6.x.x and later versions Platform: CentOS
When trying to add IM as a data-source to the Context Hub, an error like the following is received:
"Error: A service already exists on port 27017"
The issue can occur if IM was added as a datasource in earlier versions of SA with incomplete information (i.e. IM Password not typed) and no longer shows up on the Data Sources tab but still exists in the Context Hub catalogConfiguration.cfg file.
SSH into the ESA appliance and perform the following steps to reset the Context Hub configuration:
1. Stop the rsa-context service:
service rsa-context stop
2. Rename catalogConfiguration.cfg
mv catalogConfiguration.cfg catalogConfiguration.cfg.bkp
3. Start the rsa-context service:
service rsa-context start
4. Make sure you are able to login to context-hub mongo database as follows: