2021-01-29 10:56 AM
RSA Community,
I have a Packet Concentrator & Decoder that I am decommissioning and I need to wipe the data. I have wiped all of the data except the logical volumes below:
lvscan
ACTIVE '/dev/netwitness_vg00/nwhome' [<202.66 GiB] inherit
ACTIVE '/dev/netwitness_vg00/root' [29.31 GiB] inherit
ACTIVE '/dev/netwitness_vg00/varlog' [10.00 GiB] inherit
ACTIVE '/dev/netwitness_vg00/usrhome' [10.00 GiB] inherit
ACTIVE '/dev/netwitness_vg00/swap' [4.00 GiB] inherit
Does anyone know how I can make these inactive so that I can remove them? Below is an example of the message that I am getting:
lvremove /dev/netwitness_vg00/nwhome
Logical volume netwitness_vg00/nwhome contains a filesystem in use.
Steps I have already done on our Concentrator to save time:
-Stopped nwappliance
-Stopped nwconcentrator, nwdecoder
-Removed mounts from /etc/fstab
-umount /var/netwitness/concentrator/metadb, sessiondb, index
-umount /var/netwitness/concentrator
-lvremove /dev/concentrator/metadb, sessiondb
-lvremove /dev/index/index
-lvremove /dev/concentrator/root
-pvremove -ff /dev/sdc
-pvremove -ff /dev/sdd
-vgremove -f <name of volume group>
-lvremove /dev/<name of volume group>
Thanks.
2021-01-29 11:27 AM
You will want to make sure that you are not in the directory that the volume group points to when you run the lvremove command... so change directory to /root first.
Also another command that may be helpful is 'lsof'. This will show any process that is using the filesystem.
*example
> lsof /var/netwitness
2021-01-29 12:16 PM
You would need to reboot to single user mode to do everything except / (root), or boot to a live ISO and then remove them (so you are not running from those volumes).
Also, may want to do a wipe-a /dev/sdX (X being c or d) and then disassemble the RAID volumes. Also note for the external volumes, you can use the Appliance rest port command to remove the volumes and then remove the RAID configs.
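
A preflight check for the advice in the two replies above, as an added example that is not part of the original thread: it maps each logical volume to its mountpoint and reports whether it is the running root filesystem, pinned by the shell's current directory, or simply still mounted. The function names, verdict strings and the sample mount table (including its mountpoints) are constructed for illustration, and it assumes /proc/mounts lists LVM volumes by their /dev/mapper names.

```bash
# Added example: why does lvremove say "filesystem in use" for this LV?

# /dev/<vg>/<lv> -> /dev/mapper/<vg>-<lv>; LVM doubles hyphens inside names.
dm_path() {
    local vg lv
    lv=${1##*/}; vg=${1%/*}; vg=${vg##*/}
    printf '%s\n' "$vg/$lv" | sed 's/-/--/g; s|/|-|; s|^|/dev/mapper/|'
}

# mountpoint_of <lv-path> [mounts-file]: print where the LV is mounted, if anywhere.
mountpoint_of() {
    local dm dev mnt rest
    dm=$(dm_path "$1")
    while read -r dev mnt rest; do
        if [ "$dev" = "$dm" ] || [ "$dev" = "$1" ]; then
            printf '%s\n' "$mnt"
            return 0
        fi
    done < "${2:-/proc/mounts}"
    return 1
}

# preflight <lv-path> [mounts-file] [cwd]: print one verdict for the LV.
preflight() {
    local mnt cwd
    cwd=${3:-$PWD}
    if ! mnt=$(mountpoint_of "$1" "${2:-/proc/mounts}"); then
        echo "not-mounted"      # no filesystem mounted (swap is not checked here)
    elif [ "$mnt" = "/" ]; then
        echo "root-fs"          # running root cannot be unmounted: use a live ISO
    elif [ "$cwd" = "$mnt" ] || [ "${cwd#"$mnt"/}" != "$cwd" ]; then
        echo "cwd-inside $mnt"  # this shell pins the mount: cd /root first
    else
        echo "mounted $mnt"     # run lsof on the mountpoint, stop holders, umount
    fi
}

# Constructed sample in /proc/mounts format (the mountpoints are assumed).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/netwitness_vg00-root / xfs rw,relatime 0 0
/dev/mapper/netwitness_vg00-nwhome /var/netwitness xfs rw,relatime 0 0
/dev/mapper/netwitness_vg00-varlog /var/log xfs rw,relatime 0 0
EOF
}
```

After sourcing the functions, `preflight /dev/netwitness_vg00/nwhome` checks the live mount table. A `not-mounted` verdict does not cover swap, which this sketch does not inspect.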