This KB outlines a process written for appliances running CentOS 7. The process is different for appliances running CentOS 6, which is explained in KB 34514.
An RSA NetWitness Series 4S, Series 5 or Series 6 appliance has failed but all disk drives are fully functional and contain valid configuration information for the failed host. Note that Series 4S appliances will reach the end of life and end of product support in June 2019.
This process assumes any SD Cards in an RSA NetWitness Series 4S have been disabled in the appliance and are not in use. Series 5 and Series 6 appliances never use SD Cards.
Note that you may encounter exceptions to this flow, and this document does not necessarily cover every set of circumstances you might encounter. If you encounter a problem and are unsure how to proceed, please contact Support for guidance.
You can use these steps to complete the process of swapping the drives from an old appliance into a new appliance.
Preparation:
- Start the new Core or Hybrid appliance connected to a crash cart. It does not have to be connected to the network for this step.
- Review /etc/udev/rules.d/71-biosdevname.rules and note which MAC addresses are assigned to which network interface. This may help when modifying this file after replacing the chassis.
- OPTIONAL: Configure the iDRAC interface in the new Core or Hybrid appliance to match the iDRAC configuration in the existing appliance. When you swap the appliances you will have access to the new appliance using the same IP Address. DO NOT implement this step if both iDRAC interfaces will be live at the same time.
Swapping the Hardware:
- Label each drive denoting which bay it is installed in on the existing Core or Hybrid appliance.
- Label each drive denoting which bay it is installed in on the new Core or Hybrid appliance.
- Remove the drives from the new Core or Hybrid and set aside.
- Install the drives from the existing Core or Hybrid into the same drive bay in the new Core or Hybrid appliance.
- Remove the existing appliance from the rack.
- Install the new appliance in the rack.
- Connect power, network, SAS and iDRAC cables.
- Turn on the appliance.
- If prompted for a BIOS password, use the default "rsabios" password.
- During POST, if you encounter "There are offline or missing virtual drives with preserved cache" you must boot into the RAID configuration utility and clear the cached memory. Use this link for additional information on this step.
- During POST, if you encounter drives found in a "foreign" configuration, import those drives when prompted on the POST screen.
Verify the appliance is operational at the ssh prompt and at the Security Analytics WebUI.
Changing the /etc/udev/rules.d/71-biosdevname.rules File:
Make a backup of the file before making any changes in case you need to refer to the original configuration later. Copy or rename /etc/udev/rules.d/71-biosdevname.rules to /etc/udev/rules.d/71-biosdevname.rules.bak
Manually edit the /etc/udev/rules.d/71-biosdevname.rules file to replace the MAC addresses from the old appliance with the MAC addresses from the new appliance.
Once you delete the old file or older lines, save the file.
Reboot the server and verify the MAC addresses in the 71-biosdevname.rules file match the new MAC addresses and that the interface names are what you intended.
Sample File: /etc/udev/rules.d/71-biosdevname.rules
[root@NWHost01]# vi 71-biosdevname.rules
ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="<ENTER NEW MAC ADDRESS>", NAME="em1"
ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="<ENTER NEW MAC ADDRESS>", NAME="em2"
ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="<ENTER NEW MAC ADDRESS>", NAME="em3"
ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="<ENTER NEW MAC ADDRESS>", NAME="em4"
Changing the /etc/sysconfig/network-scripts/ifcfg files:
You will also need to update the various ifcfg-<nic> files.
For example, a Series 4 system has a NIC called eth0; on S5 and S6, it is called em1.
Each file contains various variables that must also be updated with the new NIC name and MAC address.
In particular, NAME and HWADDR or MACADDR will need to be changed.
(A sample ifcfg-em1 file is shown below; some files will contain more or fewer variables. It is an example of how the NAME, HWADDR and DEVICE variables need to be changed to reflect the new chassis.)
TYPE=Ethernet
NAME=em1
UUID=<keep existing number>
DEVICE=em1
HWADDR=78:01:02:03:04:05
BOOTPROTO=none
IPADDR=10.1.2.3
NETMASK=255.255.0.0
GATEWAY=10.0.0.1
NM_CONTROLLED=no
ONBOOT=yes
PEERDNS=yes
After changing the contents of the file, reboot, check the file, verify the interfaces using the ifconfig command and confirm capture starts.
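The verification after the reboot can be scripted. The following is an added example, not part of the original KB or any RSA tooling: it checks that each MAC address in the udev rules file matches the HWADDR or MACADDR in the corresponding ifcfg file and the address the kernel reports for that interface. The function names and the constructed sample tree built by make_sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not vendor code: cross-check NIC names and MACs after the swap.
get_var() { sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'; }  # value of KEY in an ifcfg file
lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }                  # MACs compare case-insensitively
bump() { echo "$1"; problems=$((problems + 1)); }               # report one problem

# check_nics RULES_FILE IFCFG_DIR [SYSFS_NET_DIR]
# Prints one line per problem; the exit status is the number of problems.
check_nics() {
    rules=$1; ifcfg_dir=$2; sysfs=${3:-/sys/class/net}; problems=0
    # Reduce every MAC-pinning rule to a "name mac" pair.
    pairs=$(sed -n 's/.*ATTR{address}=="\([^"]*\)".*NAME="\([^"]*\)".*/\2 \1/p' "$rules")
    while read -r name mac; do
        [ -n "$name" ] || continue
        want=$(lower "$mac"); cfg=$ifcfg_dir/ifcfg-$name
        if [ ! -f "$cfg" ]; then bump "$name: no ifcfg-$name file"; continue; fi
        # The file may carry HWADDR or MACADDR; accept either.
        cfg_mac=$(get_var "$cfg" HWADDR)
        [ -n "$cfg_mac" ] || cfg_mac=$(get_var "$cfg" MACADDR)
        [ "$(lower "$cfg_mac")" = "$want" ] || bump "$name: rule has $mac, ifcfg has ${cfg_mac:-no MAC}"
        [ "$(get_var "$cfg" DEVICE)" = "$name" ] || bump "$name: DEVICE mismatch in ifcfg-$name"
        cfg_name=$(get_var "$cfg" NAME)   # NAME may be absent; check it only when set
        [ -z "$cfg_name" ] || [ "$cfg_name" = "$name" ] || bump "$name: NAME mismatch in ifcfg-$name"
        # Compare against the MAC the kernel reports for the interface.
        if [ -r "$sysfs/$name/address" ]; then
            hw=$(lower "$(cat "$sysfs/$name/address")")
            [ "$hw" = "$want" ] || bump "$name: rule has $mac, hardware reports $hw"
        else
            bump "$name: interface not present under $sysfs"
        fi
    done <<EOF
$pairs
EOF
    return "$problems"
}

# Constructed sample tree: em1 is consistent, ifcfg-em2 still has an old MAC.
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/net/em1" "$d/net/em2"
    for n in 1 2; do
        m="78:01:02:03:04:A$n"; lower "$m" > "$d/net/em$n/address"
        printf 'ACTION=="add", SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="%s", NAME="em%s"\n' "$m" "$n" >> "$d/rules"
        printf 'NAME=em%s\nDEVICE=em%s\nHWADDR=%s\n' "$n" "$n" "$m" > "$d/ifcfg-em$n"
    done
    printf 'NAME=em2\nDEVICE=em2\nHWADDR=00:AA:BB:CC:DD:EE\n' > "$d/ifcfg-em2"
    echo "$d"
}
```

On an appliance, run check_nics /etc/udev/rules.d/71-biosdevname.rules /etc/sysconfig/network-scripts; a non-zero exit status is the number of mismatches found, and a rule still holding the <ENTER NEW MAC ADDRESS> placeholder is reported as a mismatch.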