This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
  • RSA.com
  • Products
    • Archer®
      • Archer®
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Archer® Exchange
      • Training
      • Upcoming Events
      • Videos
    • RSA® Fraud & Risk Intelligence Suite
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Web Threat Detection
      • Upcoming Events
      • Videos
    • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Cloud
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Patch Content
      • Videos
    • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication Mobile SDK
      • Advisories
      • Events
      • Ideas
      • Knowledge Base
      • Request Access
      • Training
    • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication for eCommerce
      • RSA® Adaptive Authentication for eCommerce
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® FraudAction Services
      • RSA® FraudAction Services
      • Advisories
      • Discussions
      • Documentation
      • Ideas
      • Videos
    • RSA® Web Threat Detection
      • RSA® Web Threat Detection
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Videos
    • RSA NetWitness® Platform
      • RSA NetWitness® Platform
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA NetWitness® Detect AI
      • RSA NetWitness® Detect AI
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Investigator
      • RSA NetWitness® Investigator
      • Documentation
      • Download the Client
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Orchestrator
      • RSA NetWitness® Orchestrator
      • Overview
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA SecurID® Suite
      • RSA SecurID® Suite
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Knowledge Base
      • Ideas
      • Integrations
      • Training
      • Videos
    • RSA® Identity Governance & Lifecycle
      • RSA® Identity Governance & Lifecycle
      • Advisories
      • Blog
      • Community Exchange
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA SecurID® Access
      • RSA SecurID® Access
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • Other RSA® Products
      • Other RSA® Products
      • RSA® Access Manager
      • RSA® Data Loss Prevention
      • RSA® Digital Certificate Solutions
      • RSA enVision®
      • RSA® Federated Identity Manager
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
  • Resources
    • Advisories
      • Product Advisories on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Hosted
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Product Advisories
    • Blogs
      • Blogs on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Blogs on RSA Link
    • Discussion Forums
      • Discussion Forums
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Discussion Forums on RSA Link
    • Documentation
      • Product Documentation
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Downloads
      • Product Downloads
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Downloads on RSA Link
    • Ideas
      • Idea Exchange
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Knowledge Base
      • Knowledge Base
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Knowledge Base Pages on RSA Link
    • Upcoming Events on RSA Link
      • Upcoming Events
    • Videos
      • Videos on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Videos on RSA Link
  • Support
    • RSA Link Support
      • RSA Link Support
      • News & Announcements
      • Getting Started
      • Support Forum
      • Support Knowledge Base
      • Ideas & Suggestions
    • RSA Product Support
      • RSA Product Support
      • General Security Advisories and Statements
      • Product Life Cycle
      • Support Information
      •  
      •  
      •  
      •  
      •  
  • RSA Ready
  • RSA University
    • Certification Program
      • Certification Program
    • Course Catalogs
      • Course Catalogs
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • On-Demand Subscriptions
      • On-Demand Subscriptions
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • Product Training
      • Product Training
      • Archer®
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Identity Governance & Lifecycle
      • RSA NeWitness® Platform
      • RSA SecurID® Access
    • Student Resources
      • Student Resources
      • Access On-Demand Learning
      • Access Virtual Labs
      • Contact RSA University
      • Enrollments & Transcripts
      • Frequently Asked Questions
      • Getting Started
      • Learning Modalities
      • Payments & Cancellations
      • Private Training
      • Training Center Locations
      • Training Credits
      • YouTube Channel
    • Upcoming Events
      • Upcoming Events
      • Full Calendar
      • Conferences
      • Live Classroom Training
      • Live Virtual Classroom Training
      • Webinars
Sign In Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

Visit the Known Issues dashboard if you are experiencing issues on RSA Link

View Dashboard

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
  • RSA Link
  • :
  • Products
  • :
  • RSA NetWitness Platform
  • :
  • Discussions
  • :
  • Checking for aggregation status via cmd line
  • Options
    • Subscribe to RSS Feed
    • Mark Topic as New
    • Mark Topic as Read
    • Float this Topic for Current User
    • Bookmark
    • Subscribe
    • Mute
    • Printer Friendly Page
SeanKoniarz
SeanKoniarz Beginner
Beginner
‎2014-08-28 02:33 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Checking for aggregation status via cmd line

Is it possible?  I am looking to integrate this into my restart script so I can ensure aggregation is stopped prior to restarting the concentrator or decoder. 

 

 

Thanks!

  • Tags:
  • Community Thread
  • Discussion
  • Forum Thread
  • NetWitness
  • NW
  • NWP
  • RSA NetWitness
  • RSA NetWitness Platform
  • sa
  • scripts
0 Likes
Share
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
9 Replies
RSAAdmin
RSAAdmin Beginner
Beginner
‎2014-08-28 06:08 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Related question for actual RSA personnel:

 

If you stop the service cleanly at the OS level using normal start/stop mechanisms, does it quiesce and shut down aggregation cleanly in the process, or just slam the door and shut down regardless of aggregation state, perhaps truncating/corrupting some aggregating data in the process?

 

In other words, is there even a reason to check aggregation status, or does the app shut down cleanly when it's stopped in a controlled manner?

0 Likes
Share
Reply
LeeKirkpatrick
Frequent Contributor LeeKirkpatrick Frequent Contributor
Frequent Contributor
‎2014-08-28 06:24 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Would the following suffice as a starting point?

 

[root@NWAPPLIANCE22290 ~]# NwConsole -c login localhost:50005 <user> <password> -c concentrator/devices ls depth=3 |grep -i consuming --color

 

457:0x2000000000200200 /concentrator/devices/192.168.183.123:50002/stats/status (Status) = consuming

 

 

Or if SSL is enabled:

 

[root@NWAPPLIANCE22290 ~]# NwConsole -c login localhost:50005:ssl <user> <password> -c concentrator/devices ls depth=3 |grep -i consuming --color

 

457:0x2000000000200200 /concentrator/devices/192.168.183.123:50002/stats/status (Status) = consuming

2 Likes
Share
Reply
SeanKoniarz
SeanKoniarz Beginner
Beginner
In response to RSAAdmin
‎2014-08-29 06:30 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

I have been told by multiple RSA and RSA Resellers that just doing a hard reset via restart nwconcentrator can harm the device potentially.  I had never seen this happen for months on end until the other day when it took almost an hour and a half to come back online because it did not get to finish the last index thread, forcing it to fix it. 

 

I have no idea if that was because of the aggregation not being stopped.

 

 

Would also love an answer for that

0 Likes
Share
Reply
SeanKoniarz
SeanKoniarz Beginner
Beginner
‎2014-08-29 08:03 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

For anyone who would also like to use the script I am using I have attached it.  I find that restarting the services via the web ui to actually be less successful than using the command line which is why I wanted to create this. 

You will need to set three variables in this script.  User, Password, and log location.  I personally created a very restricted user for each concentrator so it could view the command for NwConsole.  I used the permission services.manage in the web UI. 

 

I know this script can likely be refined, first bash script I have ever created that is actually more than just running a command or two. 

Preview file
3 KB
0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to SeanKoniarz
‎2014-08-29 11:01 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

My last post is being "moderated" (I suspect because of the link) so I think it's probably not showing up.

 

Pulling "concentrator/devices" reports on the consumption status of each individual subordinate device, but it's not really reporting on the aggregation status of the device you're getting ready to shut down.

 

In NW you can pull /${device}/stats/status where ${device} is broker/concentrator/decoder to get a single value that reports the status of aggregation for the device.  (I'm assuming you can do the same in SA.)

 

You can script this through NwConsole, but a REST call might be easier.  Quick and dirty could be something like:

 

curl -u "${NWUSER}:${NWPASS}" hxxps://nwbroker:50103/broker/stats/status?msg=get&force-content-type=text/plain

 

Checking this value, there's no grepping output, you just get "stopped" back and can compare against the value specifically in your script:

 

STATUS=`curl -u \"${NWUSER}:${NWPASS}\" hxxps://nwbroker:50103/broker/stats/status?msg=get&force-content-type=text/plain`

while [ "${STATUS}" != "stopped" ]; do

     sleep 5

     # twiddle thumbs

done

 

(Check the verbiage against your environment's particulars, this is from memory... maybe it says "stopping"?)

 

Also, check out case statements in bash - they'll make your comparisons a bit cleaner... you can run the same code block for multiple values:

     case $answer in

          y|Y|yes|ja|si|da) run yes code

          n|N|no|nein|nyet) run no code

     esac

1 Like
Share
Reply
SeanKoniarz
SeanKoniarz Beginner
Beginner
In response to RSAAdmin
‎2014-08-29 12:58 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

So when I run that without the script I get correct results and I like it.  But when I run it in the script, it pulls back extra stuff.

 

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

  0     9    0     9    0     0   2296      0 --:--:-- --:--:-- --:--:--  3000

started

0 Likes
Share
Reply
SeanKoniarz
SeanKoniarz Beginner
Beginner
In response to RSAAdmin
‎2014-08-29 01:12 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Figured it out, need to add a -s for curl to be silent. 

 

Thanks!  I like that method better for cleaner output.

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to SeanKoniarz
‎2014-08-30 11:52 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

In earlier releases, the startup scripts for SA Core services did not specify a kill timeout, so the default timeout of 2 seconds was used by Linux.  This is typically not enough time for a Concentrator to cleanly shutdown so yes, it's possible that on restart it had to fix itself, which can take some time.

 

Since 10.3.3, the restart scripts have been rewritten to allow up to 60 seconds to shutdown each SA Core service, which should be plenty of time when "stop nwconcentrator" is issued.  Now, if you hard reboot the appliance or pull the power, this obviously does not apply and all services will have to fix their internal databases on restart.

 

On CentOS 6, the startup scripts are in /etc/init/nwconcentrator.conf (for example).  Cat the file and look for "kill timeout 60".  If you don't see that line, add it somewhere in the middle of the file.  Here's an example file:

 

start on runlevel [35] and stopped rc

stop on runlevel [!35]

respawn

respawn limit 10 300

console none

kill timeout 60

chdir /var/netwitness/concentrator/metadb

limit core unlimited unlimited

limit nofile 65536 65536

exec /usr/sbin/NwConcentrator --stopwhenready

expect stop

1 Like
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2014-09-02 09:56 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Regardless of version, the easiest way to safely restart Decoder, Concentrator, etc. is to just do a "killall NwConcentrator" or "killall NwDecoder".  This will invoke the SIGTERM handler on the service.  The SIGTERM handler will do a graceful shutdown, including waiting for an infinite time until the aggregation or capture is stopped.  After the process exists, upstart will automatically restart it.

 

If you use the upstart utilities, such as "initctl", "stop", "start", or "restart", then upstart imposes the kill timeout limits.  This means that upstart sends SIGTERM, then waits for up to N seconds, and then sends it SIGKILL, which forces an immediate process stop. If you use initctl-style commands to manage the process, it's a good idea to increase the kill timeout.

1 Like
Share
Reply
Powered by Khoros
  • Products
  • Resources
  • Solutions
  • RSA University
  • Support
  • RSA Labs
  • RSA Ready
  • About RSA Link
  • Terms & Conditions
  • Privacy Statement
  • Provide Feedback
© 2020 RSA Security LLC or its affiliates.
All rights reserved.