This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
RomanZeltser
Beginner
Beginner
‎2017-05-12 09:00 AM

enVision confusion

I have been told that enVision is outdated product, and there is no path to upgrade it. We have it disabled. If this is a case, why do we need IPDB active if enVision is not needed anymore?IPDB works together with enVision by taking the data from it and helping to create the reporting.

 

If I am correct about enVision, what should be done to disable IPDB and Health and Wellness alert messages (I can't delete it from there)?

0 Likes
Reply
14 Replies
NaushadKasu1
New Contributor New Contributor
New Contributor
‎2017-05-12 10:02 AM

The reason nwipdbextractor exists is because although enVision is end-of-life, it will have a lot of data for customers that they need to retain for compliance reasons (3 years, 5 years etc..).  So, until that time passes, it may be required for that data to be not only stored but also queried where the nwipdbextractor comes in.

 

If you want to get rid of the binary on the system, see below.  If you want to not see those alarms, you can go into H&W and disable that alarm under the Hosts section of H&W Policies.

 

You can also disable nwipdbextractor using the following steps but after upgrade, the changes will be overwritten and steps below will have to be re-applied:

 

·        stop nwipdbextractor  (this takes several minutes to complete.)
·        yum erase nwipdbextractor
·        rm -f /etc/collectd.d/NwIPDBExtractor.conf
·        service collectd restart

Reply
RomanZeltser
Beginner
Beginner
In response to NaushadKasu1
‎2017-05-12 10:07 AM

Thank you very much. Since we have no data for compliance reason (I had to rebuild the system over after the disaster recovery), it makes sense to remove IPDB. Your instruction on how to do it is appreciated, too.

 

===============

Roman Zeltser, CISSP

Sr. IM Security Analyst

CDR Associates

 

307 International Circle

Suite 300

Hunt Valley, MD 21030

P: 410-560-2269 x.1261

rzeltser@cdrassociates.com<mailto:rzeltser@cdrassociates.com>

Preview file
2 KB
0 Likes
Reply
ThomasFedorchuk
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2017-05-12 11:06 AM

Also, along with the comments from Naushad above you should remove the ipdbextractor service from the "mongo puppet" database. This KB article explains the process. 

https://community.rsa.com/docs/DOC-46084

0 Likes
Reply
RomanZeltser
Beginner
Beginner
In response to ThomasFedorchuk
‎2017-05-12 11:39 AM

It is helpful. Thanks.

I have executed what you have suggested. So far, the server reports the missed malware-analysis-solo class...

0 Likes
Reply
RomanZeltser
Beginner
Beginner
In response to ThomasFedorchuk
‎2017-05-12 11:43 AM

The IPDB Alert is still visible in the Health & Wellness:

pastedImage_1.png

0 Likes
Reply
RomanZeltser
Beginner
Beginner
In response to ThomasFedorchuk
‎2017-05-12 11:49 AM

Thomas,

I see the following messages in the monitored log:

pastedImage_1.png

 

what does it mean?

0 Likes
Reply
NaushadKasu1
New Contributor New Contributor
New Contributor
In response to RomanZeltser
‎2017-05-12 11:52 AM

Go to Admin -> Health & Wellness -> Policies -> IPDB Extractor (policy in the left panel) and disable the alerting.

0 Likes
Reply
NaushadKasu1
New Contributor New Contributor
New Contributor
In response to RomanZeltser
‎2017-05-12 11:52 AM

This is a bug in extra audit logging that will be fixed in 10.6.3.1 or 10.6.4.0 (I forgot which build but expected to be fixed in future).  Safe to ignore for now.

0 Likes
Reply
ThomasFedorchuk
Occasional Contributor Occasional Contributor
Occasional Contributor
In response to RomanZeltser
‎2017-05-12 11:54 AM

It looks like you cut/pasted the command into your ssh window and the dash in between "reporting" and "engine" got dropped... you'll need to re-do the command but  make sure all the character from the article are in the command..

 

/etc/puppet/scripts/addService.py db51aab5-5071-480f-93af-6bfb32e24816 reporting-engine,saserver,appliance,incident-management,malware-analysis-colo,broker

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.