RSA Security Analytics - Unable to add a DAC to the Security Analytics Warehouse (SAW) node

Article Number

000001470

Applies To

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Data Warehouse
RSA Version/Condition: 10.4.X, 10.5.X, 10.6.X
Platform: CentOS
O/S Version: 6
 

Issue

When a DAC has to be added to the SAW node, running the NwArrayConfig.py script results in the following errors:

In RSA Security Analytics version 10.4.X:
[root@WAREHOUSE4 arrayCfg]# ./NwArrayConfig.py --action add --service saw
Failed!: SAW appliances do not support extending storage.
 
In RSA Security Analytics version 10.5.X and above:
[root@WAREHOUSE4 saTools]# ./NwArrayConfig.py
Failed!: The service type mapr is not one of the services supported for external storage configuration
 

 

Cause

The errors occur because the "saw" service details are missing from the /opt/rsa/saTools/appliance/RAID/arrayDefs.py script.

Resolution

The /opt/rsa/saTools/appliance/RAID/arrayDefs.py script will be updated with the "saw" service details in RSA NetWitness version 11.0.

Workaround

To add a DAC to the SAW server, follow the steps below:

  1. Log in to the SSH session of the SAW server as an administrator.
  2. In RSA Security Analytics versions 10.5.0.0 and above, the rsa-sa-tools package is available by default.

    However, RSA Security Analytics version 10.4.x requires that this package be installed manually.

    Note: The rsa-sa-tools-10.5.0.0.44-1.el6.noarch package is attached to this article for installing on version 10.4.X. Upload it to the SAW server using WinSCP and install it using the command below:

     # yum install rsa-sa-tools-10.5.0.0.44-1.el6.noarch

     

  3. Use the commands below to edit the arrayDefs.py file.
    # cd /opt/rsa/saTools/appliance/RAID/
    
    # vi arrayDefs.py
    
  4. When editing the file: 
    Change the line below 
    from:
    NwStrgSrvcs = ['decoder', 'logdecoder', 'concentrator', 'archiver', 'hybrid']
    to:
    NwStrgSrvcs = ['decoder', 'logdecoder', 'concentrator', 'archiver', 'hybrid', 'saw']
     
    Change the section below 
    from:
    
    # Function which returns a list of DBs and a list of services for appliance type.
    
    def get_srvc():
        global ApplType, MySrvcLst, theDbDir, SsnRto
        MySrvcLst = []
        theDbDir = []
        theDecoder = ''
        theRslt = GetResp("/bin/rpm -qa|egrep "
                          "'(saw|mapr-emc|concentrator|(log)*decoder(10g)*|archiver|esa-server)-[0-9]'")[0].strip().split()
        theSrvcs = findall('(saw|mapr|(?:log)*decoder|concentrator|archiver|esa-server)',lst2str(theRslt))
        debug('theSrvcs: %s' % theSrvcs)
        getDcdrTyp = search('((?:log)*decoder(?:10g)*)',lst2str(theSrvcs))
        if getDcdrTyp:
            theDecoder = getDcdrTyp.group(1)
        if 'archiver' in theSrvcs:
            MySrvcLst.append('archiver')
            theDbDir.append('database')
        if 'concentrator' in theSrvcs:
            MySrvcLst.append('concentrator')
            theDbDir.append('metadb')
        if 'logdecoder' in theSrvcs or 'decoder' in theSrvcs:
            MySrvcLst.append('%s' % theDecoder)
            theDbDir.append('packetdb')
        if 'saw' in theSrvcs or 'mapr' in theSrvcs:
            MySrvcLst.append('saw')
        if len(theSrvcs) == 2 and 'concentrator' in theSrvcs and ('logdecoder' in theSrvcs or 'decoder' in theSrvcs):
            ApplType = 'hybrid'
        elif len(theSrvcs) == 1:
            ApplType = theSrvcs[0]
        else:
            ApplType = ''
        info('Service set to "%s"' % ApplType)
        return theSrvcs
    

    to:
    # Function which returns a list of DBs and a list of services for appliance type.
    
    def get_srvc():
        global ApplType, MySrvcLst, theDbDir, SsnRto
        MySrvcLst = []
        theDbDir = []
        theDecoder = ''
        theRslt = GetResp("/bin/rpm -qa|egrep "
                          "'(saw|mapr-emc|concentrator|(log)*decoder(10g)*|archiver|esa-server)-[0-9]'")[0].strip().split()
        theSrvcs = findall('(saw|mapr|(?:log)*decoder|concentrator|archiver|esa-server)',lst2str(theRslt))
        debug('theSrvcs: %s' % theSrvcs)
        getDcdrTyp = search('((?:log)*decoder(?:10g)*)',lst2str(theSrvcs))
        if getDcdrTyp:
            theDecoder = getDcdrTyp.group(1)
        if 'archiver' in theSrvcs:
            MySrvcLst.append('archiver')
            theDbDir.append('database')
        if 'concentrator' in theSrvcs:
            MySrvcLst.append('concentrator')
            theDbDir.append('metadb')
        if 'logdecoder' in theSrvcs or 'decoder' in theSrvcs:
            MySrvcLst.append('%s' % theDecoder)
            theDbDir.append('packetdb')
        if 'saw' in theSrvcs or 'mapr' in theSrvcs:
            MySrvcLst.append('saw')
        if len(theSrvcs) == 2 and 'concentrator' in theSrvcs and ('logdecoder' in theSrvcs or 'decoder' in theSrvcs):
            ApplType = 'hybrid'
        elif len(theSrvcs) == 1:
            ApplType = theSrvcs[0]
            ApplType = 'saw' if ApplType == 'mapr' else ApplType
        info('Service set to "%s"' % ApplType)
        return theSrvcs
    
  5. Save the file by pressing the "ESC" key and then typing :wq! on the keyboard.
  6. Run the following command to add the DAC.
    ./NwArrayConfig.py
  7. Verify the lsblk command output to see the newly added disks from the DAC addition.
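
Why the edit in step 4 clears the 10.5.X error, as an added example that is not part of the original article or of the RSA tooling: it mirrors the ApplType decision from get_srvc() and runs it on constructed package names. The membership check against NwStrgSrvcs (inferred from the error text), the join behaviour of lst2str(), and the package names and version strings are assumptions.

```python
import re

# Service lists from arrayDefs.py, before and after the edit in step 4.
STRG_SRVCS_BEFORE = ['decoder', 'logdecoder', 'concentrator', 'archiver', 'hybrid']
STRG_SRVCS_AFTER = STRG_SRVCS_BEFORE + ['saw']

# Same service pattern that get_srvc() applies to the filtered rpm -qa output.
SRVC_RE = r'(saw|mapr|(?:log)*decoder|concentrator|archiver|esa-server)'

# Constructed sample inputs: names shaped to pass the egrep filter in get_srvc().
SAW_NODE = ['mapr-emc-0.0.0-0']
HYBRID_NODE = ['nwconcentrator-0.0.0-0', 'nwlogdecoder-0.0.0-0']


def appl_type(rpm_names, patched):
    """Mirror the ApplType decision in get_srvc() for a list of package names.

    Assumption: lst2str() joins the list into a single string.
    Returns None where the patched code leaves the global unchanged.
    """
    srvcs = re.findall(SRVC_RE, ' '.join(rpm_names))
    if len(srvcs) == 2 and 'concentrator' in srvcs and (
            'logdecoder' in srvcs or 'decoder' in srvcs):
        return 'hybrid'
    if len(srvcs) == 1:
        if patched and srvcs[0] == 'mapr':
            return 'saw'  # the line added by the workaround
        return srvcs[0]
    return None if patched else ''  # the original code resets ApplType to ''


def storage_supported(rpm_names, patched):
    """Assumed check: the appliance type must appear in NwStrgSrvcs."""
    allowed = STRG_SRVCS_AFTER if patched else STRG_SRVCS_BEFORE
    return appl_type(rpm_names, patched) in allowed


if __name__ == '__main__':
    for patched in (False, True):
        label = 'patched' if patched else 'original'
        print('%-8s ApplType=%r supported=%s' % (
            label, appl_type(SAW_NODE, patched),
            storage_supported(SAW_NODE, patched)))
```

Both parts of the edit are needed: the mapr-to-saw mapping alone still fails against the original list, and adding 'saw' to the list alone still leaves the appliance typed as 'mapr'.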
Version history
Last update:
‎2022-02-10 01:47 PM
Updated by:
Administrator nwinfotech Administrator
© 2022 RSA Security LLC or its affiliates. All rights reserved.