NetWitness Community

RSAAdmin · ‎2014-12-05

Hi guys,

I had a disk problem and installed security analytics from start but how can i re-bind existing decoder, concentrator etc. to my new sa server? I have searched but couldn't find anything. Thanks.

RSAAdmin · ‎2014-12-05

Well I have found the script that asks for sa server IP after fresh install of an appliance. It is /etc/netwitness/saApplPuppetInit.py. I will give it a try. Let's see...

RSAAdmin · ‎2014-12-05

Well, it did not work. If you guys have any idea how we do that, please share them with me.

Anonymous · ‎2015-01-12

There are few things we need to check on the decoder (or any device you want to add a newly installed SA ).

Open /etc/puppet/puppet.conf file and check the server name , it should be like :

[main]

rundir = /var/run/puppet

certname = b47d887b-5149-4348-b013-d147cc56db08

logdir = /var/log/puppet

ssldir = $vardir/ssl

[agent]

localconfig = $vardir/localconfig

classfile = $vardir/classes.txt

server = puppetmaster.local

Then ping the value in front of server . By default it is set to puppetmaster.local . You should be able to see your decoder resolves the name to your SA IP address.

[root@Decoder ~]# ping puppetmaster.local

PING puppetmaster.local (192.168.2.101) 56(84) bytes of data.

64 bytes from puppetmaster.local (192.168.2.101): icmp_seq=1 ttl=63 time=0.915 ms

^C

--- puppetmaster.local ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 796ms

rtt min/avg/max/mdev = 0.915/0.915/0.915/0.000 ms

Where 192.168.2.1 is the IP address of my SA server. if this setting is not correct , please check /etc/hosts file and make sure that you have a line like :

192.168.2.101 puppetmaster.local

then check the ping command again and make sure that Decoder is able to resolve SA ip address when you ping puppetmaster.local.

Then we need to set puppet on Decoder to send a new certificate signing request to SA server, Therefore :

First make sure that Decoder has not been added to the SA by going to SA UI -> Administration -> Appliances.

On Decoder :

1. record the node_id on the appliance : cat /var/lib/puppet/node_id

2. stop puppet & rabbitmq on the appliance (Decoder) by entering "service rabbitmq-server stop && service puppet stop"

3. cp -r /var/lib/puppet/ssl/ /tmp/sslbackup

4. rm -rf /var/lib/puppet/ssl/*

5. start puppet & rabbitmq on the appliance (Decoder) by entering "service rabbitmq-server start && service puppet start"

On SA Appliance:

1- check to see if signing request has been received by SA Server (puppet master service) by entering "puppet cert list"

[root@SA-Server ~]# puppet cert list

+ "1832d3c0-fab6-4abb-a706-e3f80fc9e98b" (SHA256) 4F:22:D3:A8:7C:BE:C8:DF:F5:FC:01:C1:CB:D6:A1:A6:EA:08:DF:24:EC:91:2C:67:1F:D5:4E:3F:F5:0E:E4:AF

Where "1832d3c0-fab6-4abb-a706-e3f80fc9e98b" NodeID you checked on Decoder in step 1.

2- Open SA UI -> Administration -> Appliances and press "Discover" on top of the device list.

SA should now show the Decoder.

Anonymous · ‎2015-01-14

Hello Mehdi,

Thanks for your post.

This is really helpful. In my lab scenario I am not able to add the newly deployed Log decoder into my RSA SA, and also after the discovery it was also not coming.

On the RSA SA Appliance, I am not able to see the node_id of log decoder, concentrator and esa, so when I run the "pupper cert list" on the sa server then I am not able to see the node_id of the log dec, con and esa.

But I am able to ping the sa server by puppetmaster.local on all the appliances.

[root@RSALD /]# ping puppetmaster.local

PING puppetmaster.local (192.168.1.100) 56(84) bytes of data.

64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=1 ttl=64 time=0.286 ms

64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=2 ttl=64 time=0.391 ms

64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=3 ttl=64 time=0.445 ms

64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=4 ttl=64 time=0.275 ms

64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=5 ttl=64 time=2.02 ms

64 bytes from puppetmaster.local (192.168.1.100): icmp_seq=6 ttl=64 time=15.3 ms

RSA SA Server IP Address : 192.168.1.100

Kindly suggest and help regarding the same. Thanks.

Regards,

Deepanshu Sood.

Anonymous · ‎2015-01-14

Hello Deepanshu ,

Command "puppet cert list" only lists the new certificate request. If you want to see all signed certificate , please use "puppet cert list -a" .

note: If you are re-adding a device to the same SA server , then you need to remove the old certificate from SA server. So if you want to re-add (re-Discover the node) you need to do all the steps I have mentioned in my previous comment and the following commands on the SA appliance (puppetmaster).

Before anything go to SA UI -> administration -> appliances and remove the appliance you want to re-discover. follow the steps in my previous comment till starting up the puppet service , then go to SA and find the old certificate :

puppet cert list -a

then remove the old certificate from SA server by :

puppet cert clean NodeID

Then go back to the Decoder and start the puppet service. Now you should be able to see the new certificate and it means SA should be able to discover it.

Warm Regards,

Mehdi

Anonymous · ‎2015-01-14

Thanks Mehdi.

Will keep you updated if face any challenge.

Regards,

Deepanshu Sood.

NetWitness Community

A new Security Analytics