Recurring IPDB Extractor Error Messages in RSA Security Analytics even though the IPDB Extractor is not being used.
The /var/log/messages file may contain recurring error messages similar to the following:
[ipdbextractorinit] [failure] Failed to read dir file from location /var/netwitness/ipdbextractor/devicelocation/global/local/directory
[ipdbextractorinit] [failure] Ensure that the .dir file exists in the path as mentioned in the config "Mount point of the .dir file". Extractor will retry reading the .dir file after 1 minute.
Note: If there is no RSA enVision IPDB in the environment, the IPDB Extractor service is doing nothing but retrying every minute, so you can safely uninstall it to free up resources on the RSA Security Analytics server. This is particularly useful on AIO appliances.
Stopping the puppet agent first prevents the automatic puppet agent runs from restarting collectd and the nwipdbextractor service while you remove them:
# service puppet stop
# service collectd stop
# stop nwipdbextractor
# yum remove nwipdbextractor
# mv /etc/init/nwipdbextractor.conf /etc/init/nwipdbextractor.conf.disabled
# mv /etc/collectd.d/NwIPDBExtractor.conf /etc/collectd.d/NwIPDBExtractor.conf.disabled
# find /etc/netwitness/ng -name 'NwIpdbextractor.cfg' -type f -exec mv {} {}.disabled \;
# cp /etc/puppet/modules/ipdbextractor/manifests/init.pp /etc/puppet/modules/ipdbextractor/manifests/init.pp.bak
# sed -ri 's/installed/absent/' /etc/puppet/modules/ipdbextractor/manifests/init.pp
Show the classes assigned to this node in the puppet database:
# echo 'db.nodes.find({"node":"'$(/etc/puppet/scripts/node_id.py)'"})' | mongo puppet
Assuming the classes shown for the node are:
"classes" : { "reporting-engine" : "", "saserver" : "", "appliance" : "", "broker" : "", "ipdbextractor" : "", "incident-management" : "", "malware-analysis-colo" : "", "concentrator" : "", "logdecoder" : "", "logcollector" : "", "base" : "" }
Note: On a non-AIO SA server you typically will not see the concentrator, decoder, logdecoder or logcollector classes. Use the classes that the query actually returns for your node, minus ipdbextractor.
The next command is necessary because addService.py checks that the puppet agent is running:
# puppet agent --noop --daemonize
Based on the classes above, re-register the node with every class except ipdbextractor:
# /etc/puppet/scripts/addService.py $(/etc/puppet/scripts/node_id.py) reporting-engine,saserver,appliance,broker,incident-management,malware-analysis-colo,concentrator,logdecoder,logcollector,base
The following command restarts the puppet agent; the resulting agent run restarts collectd as well:
# service puppet restart
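The two places in this procedure where it is easy to make a mistake are confirming that the log noise really is the IPDB Extractor, and typing the class list for addService.py by hand (dropping one class de-registers a real service from puppet). The script below is an added example, not part of the RSA article and not RSA code: it counts the [ipdbextractorinit] failures in a log excerpt and derives the addService.py class argument from the mongo output by removing ipdbextractor. The function names, the sample log lines (host name, timestamps and the process name are made up) and the sample node document are constructed for this example; the comment at the end shows how the same functions would be fed the live data on an appliance.

```shell
#!/bin/sh
# Added example; not part of the RSA KB article and not RSA code.
# Helpers for two steps of the procedure: checking /var/log/messages for the
# recurring [ipdbextractorinit] failures, and building the class list that
# addService.py expects from the node document printed by `mongo puppet`,
# with "ipdbextractor" removed.

# Constructed sample of /var/log/messages lines. Host, timestamps and the
# process name are made up; the message text is the one quoted above.
SAMPLE_LOG='Jan  1 00:00:00 sa-server nwipdbextractor: [ipdbextractorinit] [failure] Failed to read dir file from location /var/netwitness/ipdbextractor/devicelocation/global/local/directory
Jan  1 00:00:00 sa-server nwipdbextractor: [ipdbextractorinit] [failure] Ensure that the .dir file exists in the path as mentioned in the config "Mount point of the .dir file". Extractor will retry reading the .dir file after 1 minute.
Jan  1 00:00:05 sa-server puppet-agent[1234]: Finished catalog run in 3.21 seconds'

# Count [ipdbextractorinit] failures on stdin. Prints the count and always
# exits 0 (grep -c itself exits 1 when the count is 0).
count_ipdb_failures() {
    grep -c '\[ipdbextractorinit\] \[failure\]' || true
}

# Constructed sample: the "classes" part of the node document, in the
# single-line form the mongo shell prints for find().
SAMPLE_CLASSES='"classes" : { "reporting-engine" : "", "saserver" : "", "appliance" : "", "broker" : "", "ipdbextractor" : "", "incident-management" : "", "malware-analysis-colo" : "", "concentrator" : "", "logdecoder" : "", "logcollector" : "", "base" : "" }'

# Print the class names found in node document $1, one per line, in the
# order mongo listed them. Expects the single-line document form.
list_classes() {
    printf '%s\n' "$1" \
      | sed -n 's/.*"classes"[[:space:]]*:[[:space:]]*{\([^}]*\)}.*/\1/p' \
      | grep -o '"[^"]*"[[:space:]]*:' \
      | sed 's/^"\([^"]*\)".*/\1/'
}

# Exit 0 if node document $1 carries class $2, 1 otherwise. Useful for
# re-checking the node after addService.py has run.
has_class() {
    list_classes "$1" | grep -qx -- "$2"
}

# Comma-separated class list of node document $1 with class $2 removed,
# i.e. the second argument addService.py takes.
remaining_classes() {
    list_classes "$1" | grep -vx -- "$2" | paste -sd, -
}

# On the appliance itself (not run here) the live document would be used:
#   NODE=$(/etc/puppet/scripts/node_id.py)
#   DOC=$(echo 'db.nodes.find({"node":"'"$NODE"'"})' | mongo puppet | grep '"classes"')
#   /etc/puppet/scripts/addService.py "$NODE" "$(remaining_classes "$DOC" ipdbextractor)"

printf '%s\n' "$SAMPLE_LOG" | count_ipdb_failures
remaining_classes "$SAMPLE_CLASSES" ipdbextractor
```

With the sample document, remaining_classes prints exactly the class list used in the addService.py command above. After the puppet restart, feeding the re-queried document to has_class with ipdbextractor should fail, and count_ipdb_failures over a fresh tail of /var/log/messages should drop to 0 once the old entries have rotated out.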