NetWitness Community

VishamRawat · ‎2019-09-11

Upgrade from RSA SA 10.6.6 to NetWitness 11.3. I've run the backup script, and am getting the following error for 4 of my 18 machines, others are fine.

2019-09-10 18:32:47 +0100 | 29554 | Backing up ETC(/etc) files from: VLC
2019-09-10 18:32:55 +0100 | 29554 | WARNING: Errors occurred while backing up /etc directory.
2019-09-10 18:32:55 +0100 | 29554 | Verify contents of VLC-10.10.10.11-etc.tar.gz
2019-09-10 18:32:55 +0100 | 29554 | Located in /var/netwitness/database/nw-backup/2019-09-10/VLC-10.10.10.11-backup.tar.gz

I looked up another thread on a similar error. However, in my case on running the lsattr command on the /etc folder, I don't find any -------i------ flagged files.

This usually happens when something changes in the directory in the course of the backup, or there is file or folder with the immutable flag set.

lsattr /root

lsattr /etc/ssh

if any of the files show an ------i------- then the immutable flag is set and you need to remove it using

chattr -i <filename>

JohnSnider · ‎2019-09-16

You may have done this, but recursively check for immutable files

lsattr -R /etc | less

if nothing shows a -----i------- then try the following:

Manually back up the files in /etc just to see if you get a more detailed error, SSH to the box and run the same tar command used in the script, but to a local file: /tmp/etc-backup.tar.gz and verbose mode.

cd / && tar --atime-preserve --recursion -cvpzf /tmp/etc-backup.tar.gz --exclude=/etc/sysconfig/networking --exclude=/etc/udev --exclude=/etc/ssh --exclude=/etc/mtab --exclude=/etc/puppet --exclude=/etc/netwitness /var/spool/cron /etc"

NetWitness Community

RSA SA 10.6.6 Backup - Error backing /etc directory