Please follow the below steps to move the UEBA host from the old Admin Server to the new Admin Server

Note: These procedures ensure that all user data, including entities and alerts, is retained after migrating to the new Admin Server

From the old or existing Admin Server:

1. Log in to the NetWitness Platform.
2. Go to Image description (Admin) > Hosts.
3. Select the UEBA host and click Image description > Remove Host.
4. SSH to the UEBA server.
5. Get the UUID of the UEBA host by running the following command:

# cat /etc/salt/minion

6. SSH to the Admin server and run the following command to remove the salt-key entry.

# orchestration-cli-client --remove-key <UEBA UUID displayed from the previous step>

Example:
# orchestration-cli-client --remove-key 1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7

7. Run the following command on the Admin server to remove the RabbitMQ federations for the host.

#rabbitmqctl -q clear_parameter -p /rsa/system federation-upstream carlos-upstream-<UEBA UUID displayed previously>

Example:
# rabbitmqctl -q clear_parameter -p /rsa/system federation-upstream carlos-upstream-1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7

1. SSH to the UEBA server.
2. Stop the following services:

• presidio-ui
• presidio-manager
• presidio-output
• presidio-configserver
• airflow-webserver
• airflow-scheduler
• mongod
• rsa-nw-node-infra-server
• rabbitmq-server

# systemctl stop presidio-manager presidio-output presidio-configserver airflow-webserver airflow-scheduler presidio-ui
# systemctl stop mongod rsa-nw-node-infra-server rabbitmq-server

3. Move the following files to the /tmp directory by running the following commands:

# mv /etc/salt/pki/minion/minion_master.pub /tmp
# mv /etc/netwitness/platform /tmp
# mv /etc/netwitness/security-cli /tmp
# mv /etc/netwitness/security-client /tmp
# mv /etc/netwitness/presidio /tmp
# mv /etc/netwitness/node-infra-server /tmp
# mv /etc/pki/nw /tmp

4. Create a directory named mongo on /etc/netwitness/platform location using the following command:

# mkdir -p /etc/netwitness/platform/mongo

5. Create blank mongo.registered file by running the following command:

# touch /etc/netwitness/platform/mongo/mongo.registered

6. Move the following files to the /tmp directory by running the following commands:

# mv /etc/systemd/system/rsa-nw-node-infra-server.service.d /tmp
# mv /etc/systemd/system/elasticsearch.service.d /tmp
# mv /etc/systemd/system/postgresql.service.d /tmp

7. Run the following command to refresh the unit files:

# systemctl daemon-reload

8. Remove the security and orchestration cli package using the following command:

# yum remove -y rsa-nw-security-cli rsa-nw-orchestration-cli

9. Run the nwsetup-tui command on the UEBA host.
10. (Optional) Once the nwsetup-tui process has been completed successfully, you may need to update /etc/hosts on the UEBA device to include the IP and hostnames of the Admin server. If you notice that the entry is missing, you must add in UEBA.

• SSH to the UEBA server.
• Add the following line in /etc/hosts:

<Admin Server IP> nw-node-zero <Admin Server uuid> <Admin Server uuid>.netwitness nw-node-zero.netwitness

Example:
10.11.12.10 nw-node-zero 1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7 1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7.netwitness nw-node-zero.netwitness

# cat /etc/salt/minion 

# systemctl restart salt-minion

From the new Admin Server UI:

1. Discover the migrated UEBA host in the NetWitness Platform UI.
2. Select the UEBA host and install the UEBA service from the Category drop-down menu.
3. Go to Users > Entities or Alerts page and verify if all the information is displayed correctly.