NOTE: The rsa-sms service is a prerequisite of the jettysrv service.
Disable this feature in RSA NetWitness 11.x by navigating to Admin > Event Sources > Settings tab and deselecting all checkboxes.
RSA Security Analytics 10.x
service puppet stop
This will cause the RSA NetWitness UI to become temporarily unavailable.
stop jettysrv
service rsa-sms stop
RSA NetWitness 11.x
systemctl stop nginx.service # could also use: service nginx stop
systemctl stop jetty.service # could also use: service jetty stop
systemctl stop rsa-sms.service # could also use: service rsa-sms stop
This requires that the rsa-sms service be stopped in order to obtain exclusive access to the MongoDB collection.
backup_loc=~/$(date +"%Y%m%d").esm.backup
mkdir -p "$backup_loc"
mongodump -d esm -o "$backup_loc" # NW 10.X
mongodump -d esm -o "$backup_loc" -u deploy_admin -p <deploy_password> --authenticationDatabase admin # NW 11.X
Example Output:
connected to: 127.0.0.1
Thu Sep 13 03:17:42.235 DATABASE: esm to /root/20180913.esm.backup/esm
Thu Sep 13 03:17:42.266 esm.system.indexes to /root/20180913.esm.backup/esm/system.indexes.bson
Thu Sep 13 03:17:42.267 92 objects
Thu Sep 13 03:17:42.267 esm.esmalarm to /root/20180913.esm.backup/esm/esmalarm.bson
Thu Sep 13 03:17:42.295 0 objects
Thu Sep 13 03:17:42.295 Metadata for esm.esmalarm to /root/20180913.esm.backup/esm/esmalarm.metadata.json
Thu Sep 13 03:17:42.296 esm.eventsources to /root/20180913.esm.backup/esm/eventsources.bson
Thu Sep 13 03:17:42.328 18 objects
Thu Sep 13 03:17:42.328 Metadata for esm.eventsources to /root/20180913.esm.backup/esm/eventsources.metadata.json
Thu Sep 13 03:17:42.329 esm.esmbaselinedata to /root/20180913.esm.backup/esm/esmbaselinedata.bson
Thu Sep 13 03:17:42.455 432 objects
Thu Sep 13 03:17:42.456 Metadata for esm.esmbaselinedata to /root/20180913.esm.backup/esm/esmbaselinedata.metadata.json
Thu Sep 13 03:17:42.456 esm.esmaggregatedata to /root/20180913.esm.backup/esm/esmaggregatedata.bson
Thu Sep 13 03:17:42.574 3351 objects
Thu Sep 13 03:17:42.574 Metadata for esm.esmaggregatedata to /root/20180913.esm.backup/esm/esmaggregatedata.metadata.json
Thu Sep 13 03:17:42.575 esm.esmbaselineanalytics to /root/20180913.esm.backup/esm/esmbaselineanalytics.bson
Thu Sep 13 03:17:42.698 0 objects
Thu Sep 13 03:17:42.698 Metadata for esm.esmbaselineanalytics to /root/20180913.esm.backup/esm/esmbaselineanalytics.metadata.json
Thu Sep 13 03:17:42.699 esm.esmgroup to /root/20180913.esm.backup/esm/esmgroup.bson
Thu Sep 13 03:17:42.777 6 objects
Thu Sep 13 03:17:42.777 Metadata for esm.esmgroup to /root/20180913.esm.backup/esm/esmgroup.metadata.json
Thu Sep 13 03:17:42.777 esm.esmpolicy to /root/20180913.esm.backup/esm/esmpolicy.bson
Thu Sep 13 03:17:42.777 5 objects
Thu Sep 13 03:17:42.777 Metadata for esm.esmpolicy to /root/20180913.esm.backup/esm/esmpolicy.metadata.json
cd "$backup_loc"
tar cvjpf $(date +"%Y%m%d").esm.backup.tar.bz2 "$backup_loc"/esm
Example Output:
tar: Removing leading `/' from member names
/root/20180913.esm.backup/esm/
/root/20180913.esm.backup/esm/esmbaselineanalytics.bson
/root/20180913.esm.backup/esm/esmaggregatedata.metadata.json
/root/20180913.esm.backup/esm/esmaggregatedata.bson
/root/20180913.esm.backup/esm/esmgroup.metadata.json
/root/20180913.esm.backup/esm/eventsources.metadata.json
/root/20180913.esm.backup/esm/esmbaselinedata.metadata.json
/root/20180913.esm.backup/esm/eventsources.bson
/root/20180913.esm.backup/esm/esmbaselineanalytics.metadata.json
/root/20180913.esm.backup/esm/esmpolicy.bson
/root/20180913.esm.backup/esm/esmalarm.metadata.json
/root/20180913.esm.backup/esm/esmgroup.bson
/root/20180913.esm.backup/esm/esmbaselinedata.bson
/root/20180913.esm.backup/esm/system.indexes.bson
/root/20180913.esm.backup/esm/esmalarm.bson
/root/20180913.esm.backup/esm/esmpolicy.metadata.json
Clean up by removing the uncompressed files.
rm -rf "$backup_loc"/esm
NOTE: If the output of a drop() is not true, there is likely a mistake in the collection name.
RSA Security Analytics 10.x
# echo 'db.esmbaselinedata.drop()' | mongo esm
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: esm
true
bye
# echo 'db.esmaggregatedata.drop()' | mongo esm
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: esm
true
bye
# echo 'db.esmbaselineanalytics.drop()' | mongo esm
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: esm
true
bye
RSA NetWitness 11.x
# mongo esm -u deploy_admin -p <deploy_password> --authenticationDatabase admin
MongoDB shell version v3.6.4
connecting to: mongodb://127.0.0.1:27017/esm
MongoDB server version: 3.6.4
> db.esmbaselinedata.drop()
true
> db.esmaggregatedata.drop()
true
> db.esmbaselineanalytics.drop()
true
> exit
bye
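The 11.x backup-then-drop steps above, wrapped in the checks an operator would want before dropping anything: rsa-sms must really be stopped, the archive must list a .bson for every collection about to be dropped, and each drop() result is parsed for the "true" the article tells you to look for. This is an added example, not the article's or RSA's own script; it assumes mongodump/mongo on PATH, the deploy_admin password exported in a DEPLOY_PW variable (an assumption), and a --run flag to actually execute the procedure.

```shell
#!/bin/bash
# Added example, not part of the RSA article: wraps the 11.x backup-then-drop
# steps in checks. Assumptions: mongodump/mongo on PATH, the deploy_admin
# password exported as DEPLOY_PW, and nginx/jetty/rsa-sms already stopped.
set -u

ESM_COLLECTIONS="esmbaselinedata esmaggregatedata esmbaselineanalytics"

# Today's backup directory, same naming as the article (~/YYYYMMDD.esm.backup).
backup_dir() { printf '%s/%s.esm.backup' "$HOME" "$(date +%Y%m%d)"; }

# mongodump needs exclusive access to the collections, so refuse while rsa-sms runs.
service_is_stopped() { ! systemctl is-active --quiet "$1"; }

# True only if the archive listing names a .bson file for every collection
# we are about to drop; never drop what was not backed up.
archive_covers() {   # $1 = output of "tar tjf <archive>"
  local c
  for c in $ESM_COLLECTIONS; do
    printf '%s\n' "$1" | grep -q "esm/${c}\.bson" || return 1
  done
  return 0
}

# The mongo shell prints "true" for a successful drop and "false" when the
# collection name is wrong (the article's check); parse it instead of eyeballing.
drop_succeeded() {   # $1 = mongo shell output
  printf '%s\n' "$1" | grep -qx 'true'
}

run_procedure() {
  local dir archive c out
  service_is_stopped rsa-sms.service || { echo "rsa-sms still running" >&2; return 1; }
  dir=$(backup_dir) && mkdir -p "$dir"
  mongodump -d esm -o "$dir" -u deploy_admin -p "$DEPLOY_PW" \
    --authenticationDatabase admin || return 1
  archive="$dir/$(date +%Y%m%d).esm.backup.tar.bz2"
  tar cjpf "$archive" -C "$dir" esm || return 1
  archive_covers "$(tar tjf "$archive")" || { echo "backup incomplete, not dropping" >&2; return 1; }
  rm -rf "$dir/esm"
  for c in $ESM_COLLECTIONS; do
    out=$(echo "db.${c}.drop()" | mongo --quiet esm -u deploy_admin -p "$DEPLOY_PW" \
      --authenticationDatabase admin)
    drop_succeeded "$out" || { echo "drop of $c failed: $out" >&2; return 1; }
  done
}

if [ "${1:-}" = "--run" ]; then run_procedure; fi
```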
RSA Security Analytics 10.x
service rsa-sms start
start jettysrv
service puppet start
RSA NetWitness 11.x
systemctl start rsa-sms.service # could also use: service rsa-sms start
systemctl start nginx.service # could also use: service nginx start
systemctl start jetty.service # could also use: service jetty start
The dropped ESM collections may be recreated after the restart of the rsa-sms service. However, automatic monitoring should remain disabled and the collections will remain empty.
To avoid seeing messages similar to the example below after disabling ESM automatic monitoring, it is recommended that you restart the collectd service on all hosts running the logcollector service.
/var/log/messages:
Sep 4 04:13:22 logdecoder1 collectd[3960]: NgEsmReader_all: error getting ESM data for field "source" for device=ciscorouter. Reason: uninitialized
mco service collectd restart
Example Output:
Do you really want to operate on services unfiltered? (y/n): y
 * [ ============================================================> ] 12 / 12
Summary of Service Status:
   running = 12
Finished processing 12 / 12 hosts in 23682.16 ms
service collectd restart # NW 10.X
systemctl restart collectd.service # NW 11.X