on Oct 13, 2014Does anyone have the procedure on how to change the default IM database password on the ESA appliance in Security Analytics 10.4?
Does anyone have the procedure on how to change the default IM database password on the ESA appliance in Security Analytics 10.4?
Sean, kindly suggest when you get any kind of information from support regarding the same.
Good luck!!!
The specified item was not found. According to support they are in the process of making procedures to change the password.
@deepanshu It looks like the user does not exist in the /etc/passwd but does exist on the database itself. I just tried setting it up and I was able to get incidents back without any issues. If you need the default password send me a message on linkedin.
I have an active support ticket opened as well.
I'll keep everyone posted if I hear from development who are currently working on this.
Hi,
If never mind, will you please share any screenshot for the reference, so I can check the same that for which IM database user are you talking about?
Because as Sean suggested, there is no user of which I heard any time.
Here is the procedure to change your IM/ESA mongo admin and database user accounts:
1. Log in your ESA appliance and run the following commands:
# mongo admin -u admin -p netwitness
>db.changeUserPassword('admin','newpassword')
>exit
# mongo admin -u admin -p password --authenticationDatabase admin
> use im
>db.changeUserPassword('im','newpassword')
>use esa
>db.changeUserPassword('esa','newpassword')
exit
This process also works for the ds database as well.
2. Login into the SA UI and change the password in the following locations in the Admin->Services section:
Event Stream Analysis->Explore->Alerts->Storage->configuration
Incident Management->Explore->Service->Configuration->database
Reporting Engine->Config->Warehouse Analytics Output Configuration
You may or may not want to reboot/restart the services to make sure everything is reconnecting properly.
On esa server:
service rsa-esa restart
On IM server:
service rsa-im restart
Oh thanks Spyhunter for your efforts.
Hope this will work if I tries.
And also one more thing, when I upgraded my esa from 10.3 to 10.4 i lost all my configurations and rules on esa.
So will you please share some of yours esa rules and the rules according to best practice for esa.
So that I can run those same on my environment.
Thanks in advance.
Regards,
Deepanshu Sood
Technical Consultant - Information Security
spyhunter,
thank you for your procedure, it works for me in SA 10.4.1.1 for incident management service configuration
regards!
I can't even find the user that was created nevermind change the password lol. But on a positive note I do have an open support case for this, hopefully I will get a response from them sooner than later.