RSA Admin

Fixing a Corrupted Event Source - How To

Discussion created by RSA Admin Employee on Dec 16, 2009




That said, the following is a guide to fixing a corrupted event source.  I recommend that you have RSA Support available when you perform this process and as always...MAKE A BACKUP!  This is a good process to have if you receive a corrupted event source during an event source update cycle.  You'll know you have a corrupted event source if the messages are not parsed correctly, no data appears in Ad Hoc reports for a time period that you previously had data in, etc.




How to restore a corrupted Event Source


1.      Make BACKUP of the following folder:  E:\nic\4000\<sitename>-AS1\etc\devices

2.      Determine the Event Source you want to restore.

3.      On the A-SRV STOP the NIC Service Manager (do the A-SRV first).  On the A-SRV ensure that the NIC Web Server and the NIC Alerter service are both stopped as well.

4.      On the D-SRV STOP the NIC Service Manager.  Wait for all the services to stop before proceeding.

5.      Open Windows Explorer, navigate to E:\nic\backup.  Sort by “Date Modified”.  The bottom folders should contain the latest backups of your event sources.  They correspond to the filename of the Event Source Update from RSA.  The folders are named by date, for example, 20091208-xxxxxx. 

6.      Choose the folder previous to your last update.  In the example I am using, I chose the Event Source before that last backup.  Rather than choosing 20091208-xxxxxx, I chose 20091125-xxxxxx.  I did this because I know that was a good event source.

7.      Navigate inside the folder 20091125-xxxxxx to the folder with the device type you’re interested in restoring.  These folders will have names like:  checkpointfw1_20091121-xxxxxx, winevent_nic_200911114-xxxxxx, mssql_20091118-xxxxxx, etc.

8.      Once inside that folder, navigate to etc\devices\<device type>.  The <device type> folder is what you want.  Leave this window open.  In this example, we’ll use “checkpointfw1” as the Event Source that we want to restore.

9.      Open a new Windows Explorer window and navigate to:  E:\nic\4000\<sitename>-AS1\etc\devices.  (You have a backup of this entire folder, right?)  Find the Event Source folder you’re interested in restoring.  Right-click the folder in this directory and rename it.  I append “.old” to the folder name.  So…the folder name, in this example, would now read “checkpointfw1.old”.

10.  Go back to the other Windows Explorer window, the one with the true Event Source backup we’re going to restore.  Right-click on the <device type> folder – in this example, “checkpointfw1” – and COPY it to the E:\nic\4000\<sitename>-AS1\etc\devices folder.

11.  The E:\nic\4000\<sitename>-AS1\etc\devices folder should now have two similar folders:

a.      checkpointfw1.old

b.     checkpointfw1

12.  If it does not…restore your backup and start again!  From step 1.

13.  If it does, congratulations!  You’ve restored your old Event Source.

14.  Restart the NIC Service Manager on the D-SRV – make sure all services have come up and are in a started state.  Alternatively, reboot the appliance.

15.  Once the D-SRV’s services have fully started, go to the A-SRV.  Start the NIC Service Manager and ensure the NIC Web Server service and the NIC Alerter service are both started as well.

16.  Done!
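
The file-handling part of the procedure (steps 1 and 9 through 11) can also be scripted so that the backup, rename, copy and verification happen in one pass. The script below is an added example, not part of the original post and not an RSA tool. It assumes PowerShell 4.0 or later, that the three NIC services have display names beginning with "NIC", and that it runs on the host holding the devices folder; the three parameters and the backup destination are placeholders you supply.

```powershell
# Added example: scripted form of steps 1 and 9-11. All parameter values are supplied by you.
param(
    [Parameter(Mandatory)] [string] $DevicesDir,    # E:\nic\4000\<sitename>-AS1\etc\devices
    [Parameter(Mandatory)] [string] $RestoreFrom,   # etc\devices\<device type> inside the chosen E:\nic\backup folder
    [Parameter(Mandatory)] [string] $SafetyCopyDir  # where the step 1 backup is written (assumed location)
)
$ErrorActionPreference = 'Stop'

# Returns one "relative path + SHA-256" line per file, sorted, so two trees can be compared.
function Get-TreeHash([string] $Root) {
    $full = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem $full -Recurse -File | ForEach-Object {
        '{0} {1}' -f $_.FullName.Substring($full.Length), (Get-FileHash $_.FullName -Algorithm SHA256).Hash
    } | Sort-Object
}

# Steps 3-4: refuse to touch files while a NIC service is still running on this host.
# Assumption: the services' display names start with "NIC". Other hosts are not checked.
$running = Get-Service -DisplayName 'NIC*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Stopped' }
if ($running) { throw "Stop these services first: $($running.DisplayName -join ', ')" }

$deviceType = Split-Path $RestoreFrom -Leaf
$live = Join-Path $DevicesDir $deviceType
$old  = "$live.old"
if (-not (Test-Path $RestoreFrom -PathType Container)) { throw "Backup folder not found: $RestoreFrom" }
if (-not (Test-Path $live -PathType Container)) { throw "Live folder not found: $live" }
if (Test-Path $old) { throw "$old already exists; move it aside before retrying" }
$want = @(Get-TreeHash $RestoreFrom)
if ($want.Count -eq 0) { throw "Backup folder contains no files: $RestoreFrom" }

# Step 1: full copy of the devices folder before changing anything.
New-Item -ItemType Directory -Path $SafetyCopyDir -Force | Out-Null
$safety = Join-Path $SafetyCopyDir ("devices-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
Copy-Item -Path $DevicesDir -Destination $safety -Recurse

# Step 9: rename the suspect folder. Step 10: copy the known-good folder into place.
Rename-Item -Path $live -NewName "$deviceType.old"
Copy-Item -Path $RestoreFrom -Destination $live -Recurse

# Step 11: both folders must exist and the restored files must match the backup byte for byte.
$diff = Compare-Object $want @(Get-TreeHash $live)
if (-not (Test-Path $old) -or $diff) { throw "Restore incomplete; restore $safety and start again from step 1" }
"Restored $deviceType; previous copy kept at $old, full backup at $safety"
```

The hash comparison goes one step further than the visual check in step 11: it catches a partially copied folder that would otherwise look correct in Explorer.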