Article Number
000034030
Applies To
RSA Product Set: NetWitness Logs and Packets (formerly Security Analytics)
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Issue
Some Packet Decoders that were configured between March of 2015 and August of 2016 could contain one or multiple RAID 0 (stripped) configured decodersmall volume group(s). The volume group may contain the metadb, sessiondb, and index files for a packet decoder. In this configuration an issue can occur if one of the hard drives within the array fails as RAID 0 contains no redundancy or hot spares.
Some Symptoms of this Failure:
- I/O error messages within /var/log/messages and dmsg related to the metadb, sessiondb and/or index files
- The decoder stops capture unexpectedly or will not stay running when restarted
- Running pvscan, vgscan or lvscan produces I/O error messages of devices being inaccessible
Task
This article will outline the steps required to reconfigure a working Packet Decoder’s decodersmall volume group from a RAID 0 (stripped) configuration to a RAID 1 (mirrored) configuration.
Resolution
Follow the attached document to determine if your RSA NetWitness Packet Decoders are affected by this RAID 0 misconfiguration.
If your environment is affected, remember to download the accompanying script to fix this issue.
If there are any questions regarding any issues that appear while performing any of these steps, stop and contact RSA NetWitness Support at support@rsa.com.
Document: NW-Decoder-RAID-0-Reconfig-Script.pdf
Script: reconfig_raid0-1.sh.zip
