If you upgrade the UEBA host to 12.1 without first backing up the Elasticsearch data (using the Elasticsearch migration tool), the Users, Entities, Alerts, and Indicators data is lost.
You must follow these steps before upgrading the UEBA host to 12.1.
1. Make sure the following prerequisites are met before you perform the data backup.
• The current Elasticsearch version must be 5.5.0.
• The Presidio rpms version must be 12.0 or earlier.
• The ueba_es_migration_tool.zip file must be downloaded.
Note: ueba_es_migration_tool migrates the Presidio Elasticsearch data from Elasticsearch version 5.5.0 to 7.15.2 while you upgrade the UEBA host from 12.0 or an earlier version to 12.1. The tool contains the elk-migration-script.sh file and the presidio-elk-migration-1.0.0.jar file, and can be downloaded from https://community.netwitness.com/t5/netwitness-platform-downloads/ueba-elasticsearch-migration-tool/ta-p/687496
2. Select a directory of your choice and unzip the ueba_es_migration_tool.zip file there.
3. Go to the ueba_es_migration_tool directory and run the script:
cd ueba_es_migration_tool
sh elk-migration-script.sh
The Elasticsearch migration tool guide is displayed.
4. Select Export documents from elasticsearch 5.5.0 and enter yes when prompted to stop the airflow scheduler.
Note: When you enter yes, the airflow scheduler stops consuming fresh incoming data such as Users, Entities, and Alerts. This avoids data loss during the export process.
5. In the next step, select Fresh Export to export the existing data.
Note:
1. If the Export operation fails due to a technical issue, select Resume Export once the issue is resolved to resume the Export operation.
2. To view the log of the succeeded and failed processes, go to <backup_directory_path>/log/log/es-migration-export.log.
Once the Export operation is completed, do the following:
1. Upgrade the UEBA host to 12.1.
2. Import the data from the Elasticsearch data backup folder.
For more information, see the NetWitness Upgrade Guide for 12.1.
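The following preflight script is an added example, not part of the NetWitness migration tool or of this guide. It checks the three prerequisites listed above before the export is started, and checks that the backup directory is non-empty before the host is upgraded. It assumes that Elasticsearch answers on http://localhost:9200, that the Presidio rpm names contain the substring "presidio" (override PRESIDIO_PATTERN if they do not on your host), and that the zip was unpacked into TOOL_DIR; the rpm names used in the comments are placeholders.

```shell
#!/bin/sh
# Pre-upgrade preflight for the UEBA Elasticsearch export (added example,
# not part of the NetWitness tool). Assumptions not stated in the guide:
#   - Elasticsearch answers on http://localhost:9200 (the usual default);
#   - Presidio rpm names contain the substring "presidio" (PRESIDIO_PATTERN);
#   - the zip was unpacked into TOOL_DIR; the export wrote into BACKUP_DIR.
REQUIRED_ES_VERSION="5.5.0"
MAX_PRESIDIO_VERSION="12.0"
PRESIDIO_PATTERN="${PRESIDIO_PATTERN:-presidio}"
TOOL_DIR="${TOOL_DIR:-./ueba_es_migration_tool}"
BACKUP_DIR="${BACKUP_DIR:-}"

# es_version_ok JSON: JSON is the root response of the Elasticsearch node
# (curl -s http://localhost:9200). Succeeds only when "version.number" is
# exactly 5.5.0, the version the migration tool exports from.
es_version_ok() {
    found=$(printf '%s\n' "$1" | tr -d ' \t' \
            | sed -n 's/.*"number":"\([^"]*\)".*/\1/p' | head -n 1)
    [ "$found" = "$REQUIRED_ES_VERSION" ]
}

# version_le A B: dotted version A <= B, compared numerically component by
# component (so 11.7.1.0 <= 12.0 and 12.0.0.0 <= 12.0, but 12.1 > 12.0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# presidio_versions_ok LINES: LINES is the output of
#   rpm -qa --queryformat '%{NAME} %{VERSION}\n'
# Succeeds only if at least one Presidio rpm is installed and none is newer
# than 12.0: a host already on 12.1 has nothing left in Elasticsearch 5.5.0.
presidio_versions_ok() {
    matches=$(printf '%s\n' "$1" | grep -i -- "$PRESIDIO_PATTERN" || true)
    if [ -z "$matches" ]; then
        echo "no rpm matching '$PRESIDIO_PATTERN' is installed" >&2
        return 1
    fi
    rc=0
    printf '%s\n' "$matches" | while read -r name ver; do
        if ! version_le "$ver" "$MAX_PRESIDIO_VERSION"; then
            echo "$name $ver is newer than $MAX_PRESIDIO_VERSION" >&2
            exit 1      # ends the pipeline subshell with status 1
        fi
    done || rc=1
    return $rc
}

# migration_tool_ok DIR: both files the guide lists must be present in the
# unpacked tool directory (a partial download is the usual cause of a miss).
migration_tool_ok() {
    [ -f "$1/elk-migration-script.sh" ] \
        && [ -f "$1/presidio-elk-migration-1.0.0.jar" ]
}

# export_done DIR: after Fresh Export the backup directory must exist and
# must not be empty before the host is upgraded.
export_done() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# preflight: the live prerequisite checks, run on the UEBA host before step 3.
preflight() {
    es_version_ok "$(curl -s http://localhost:9200)" \
        || { echo "Elasticsearch is not $REQUIRED_ES_VERSION" >&2; return 1; }
    presidio_versions_ok "$(rpm -qa --queryformat '%{NAME} %{VERSION}\n')" \
        || return 1
    migration_tool_ok "$TOOL_DIR" \
        || { echo "tool files missing in $TOOL_DIR" >&2; return 1; }
    echo "preflight OK: run sh $TOOL_DIR/elk-migration-script.sh"
}

# Live checks run only when PREFLIGHT_MODE is set, so the file can also be
# sourced; with it unset, defining the functions is all this script does.
case "${PREFLIGHT_MODE:-}" in
    before-export) preflight || exit 1 ;;
    after-export)  export_done "$BACKUP_DIR" \
                       || { echo "backup '$BACKUP_DIR' is missing or empty" >&2; exit 1; } ;;
    *) ;;
esac
```

Run it as PREFLIGHT_MODE=before-export sh preflight.sh before step 3, and as PREFLIGHT_MODE=after-export BACKUP_DIR=<backup_directory_path> sh preflight.sh before upgrading the host; any failing check exits non-zero with the reason on stderr.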
If you did not perform the Elasticsearch data backup and lost all the data after upgrading the UEBA host to 12.1, follow these steps to recover the lost data.
1. Go to /var/netwitness/ after upgrading the UEBA host to 12.1.
2. Copy the backup-elasticsearch-xxxx directory (mandatory) and the backup-elasticsearch-recover-xxxx directory (if it is available) to /var/netwitness/ on your UEBA lab host (running version 12.0 or an earlier version).
Note:
• If you do not have a UEBA lab setup for version 12.0 or an earlier version, contact NetWitness.
• NetWitness requires your permission to copy the directories to /var/netwitness/ in the NetWitness UEBA lab to recover the lost data.
3. Rename the backup-elasticsearch-xxxx directory to elasticsearch. Run the following commands.
cd /var/netwitness
rm -r elasticsearch
mv backup-elasticsearch-xxxx elasticsearch
chown -R elasticsearch:elasticsearch elasticsearch
systemctl start elasticsearch
4. Rename the backup-elasticsearch-recover-xxxx directory to elasticsearch-recover. Run the following commands.
Important: If the backup-elasticsearch-recover-xxxx directory is not available, do not run the commands below.
cd /var/netwitness
rm -r elasticsearch-recover
mv backup-elasticsearch-recover-xxxx elasticsearch-recover
chown -R root:elasticsearch elasticsearch-recover
systemctl start elasticsearch
5. Restart Elasticsearch 5.5.0. Run the following command.
systemctl restart elasticsearch.service
6. Follow the steps in the Elasticsearch migration tool guide to export the Elasticsearch Presidio data.
7. Once the Elasticsearch Presidio data Export operation is completed, copy the backup directories to your UEBA host.
8. Import the Elasticsearch Presidio data. For more information, see the Post Upgrade Tasks topic in the NetWitness Upgrade Guide for 12.1.