Uninstall New Health and Wellness

To uninstall New Health and Wellness, perform the following:

  1. Back up the NetWitness Server host. For more information, see the “Disaster Recovery (Back Up and Restore)” topic in the NetWitness Recovery Tool User Guide.

    nw-recovery-tool --export --dump-dir /some/folder --category AdminServer --category Search

    Note: If New Health and Wellness is not installed on NetWitness Server, you must take a backup of the host on which New Health and Wellness is installed.

  2. Make sure that no installation or upgrade is in progress, then stop the orchestration server on the NetWitness Server host:

    systemctl stop rsa-nw-orchestration-server

  3. Remove the New Health and Wellness service category ("Search") from the host:

    1. SSH to the Admin Server.

    2. Fetch host details where New Health and Wellness is installed using the following command:
      mongo localhost/orchestration-server -u deploy_admin -p <deploy_admin-password> --authenticationDatabase admin --eval 'db.host.find({ "installedServices": /.*Search.*/i })'

      Sample output

      { "_id" : "56f2a90b-1f03-d09a-fb71-42c2a93958a8", "hostname" : "10.10.10.11", "ipv4" : "10.10.10.11", "ipv4Public" : "", "displayName" : "adminserver", "version" : { "major" : 11, "minor" : 5, "servicePack" : 0, "patch" : 0, "snapshot" : false, "rawVersion" : "11.5.2.0" }, "lastFailedRefreshAttempt" : NumberLong(0), "refreshAttemptDelayFactor" : 0, "thirdParty" : false, "installedServices" : [ "Search", "AdminServer" ], "meta" : { "node-zero" : true }, "_class" : "com.rsa.asoc.orchestration.host.HostEntity" }

    3. Remove "Search" from installedServices.

    IMPORTANT: Do not remove any other category names.

    1. Replace <LIST-OF-CATEGORIES-EXCEPT-SEARCH> with a comma-delimited AND double-quoted list of all the existing installed services found earlier EXCEPT "Search":
      mongo localhost/orchestration-server -u deploy_admin -p <deploy_admin-password> --authenticationDatabase admin --eval 'db.host.update({ "_id" : "<hw-node-uuid>" },{$set: {"installedServices" : [ <LIST-OF-CATEGORIES-EXCEPT-SEARCH> ]}})'

      Example
      mongo localhost/orchestration-server -u deploy_admin -p netwitness --authenticationDatabase admin --eval 'db.host.update({ "_id" : "56f2a90b-1f03-d09a-fb71-42c2a93958a8" },{$set: {"installedServices" : [ "AdminServer" ]}})'

      Sample output

      MongoDB shell version v4.0.19

      connecting to: mongodb://localhost:27017/orchestration-server?authSource=admin&gssapiServiceName=mongodb

      Implicit session: session { "id" : UUID("04e32380-347e-4b7d-a63e-a094536d7242") }

      MongoDB server version: 4.0.19

      WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

    2. Make sure that the "Search" category no longer appears in installedServices in the updated host record:

      mongo localhost/orchestration-server -u deploy_admin -p <deploy_admin-password> --authenticationDatabase admin --eval 'db.host.find({ "_id" : "<hw-node-uuid>" })'

      Example

      mongo localhost/orchestration-server -u deploy_admin -p netwitness --authenticationDatabase admin --eval 'db.host.find({ "_id" : "56f2a90b-1f03-d09a-fb71-42c2a93958a8" })'

    Note: Any inconsistencies can result in unrecoverable errors.

    Sample output

    { "_id" : "56f2a90b-1f03-d09a-fb71-42c2a93958a8", "hostname" : "10.10.10.11", "ipv4" : "10.10.10.11", "ipv4Public" : "", "displayName" : "adminserver", "version" : { "major" : 11, "minor" : 5, "servicePack" : 0, "patch" : 0, "snapshot" : false, "rawVersion" : "11.5.2.0" }, "lastFailedRefreshAttempt" : NumberLong(0), "refreshAttemptDelayFactor" : 0, "thirdParty" : false, "installedServices" : [ "AdminServer" ], "meta" : { "node-zero" : true }, "_class" : "com.rsa.asoc.orchestration.host.HostEntity" }
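
The update in step 3 depends on retyping the category list by hand. The following added example (not vendor code) derives <LIST-OF-CATEGORIES-EXCEPT-SEARCH> and the update expression from the db.host.find() output instead. The function names are hypothetical and the sample record is constructed.

```bash
#!/usr/bin/env bash
# Added example (not vendor code); function names are hypothetical.

# Constructed record, abridged from the shape of the db.host.find() output.
SAMPLE_RECORD='{ "_id" : "00000000-0000-0000-0000-000000000001", "hostname" : "10.10.10.11", "lastFailedRefreshAttempt" : NumberLong(0), "installedServices" : [ "Search", "AdminServer" ], "meta" : { "node-zero" : true } }'

# Reads db.host.find() output on stdin and prints the installedServices list
# without "Search", quoted and comma-delimited. Fails instead of guessing when
# the input is not exactly one host record that currently contains "Search".
categories_except_search() {
    local services
    services=$(sed -n 's/.*"installedServices"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p')
    if [ "$(printf '%s\n' "$services" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one host record with installedServices" >&2
        return 1
    fi
    if ! printf '%s\n' "$services" | grep -qF '"Search"'; then
        echo '"Search" is not installed on this host record' >&2
        return 2
    fi
    # One item per line, trim blanks, drop only the exact "Search" entry.
    printf '%s\n' "$services" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -vxF '"Search"' | paste -sd, - | sed 's/,/, /g'
}

# Prints the --eval expression for the update step, built from the same record.
update_expression() {
    local record id list
    record=$(cat)
    id=$(printf '%s\n' "$record" | sed -n 's/.*"_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    list=$(printf '%s\n' "$record" | categories_except_search) || return
    [ -n "$id" ] || { echo "no _id in record" >&2; return 1; }
    printf 'db.host.update({ "_id" : "%s" },{$set: {"installedServices" : [ %s ]}})\n' "$id" "$list"
}

# Prints the expression for review; nothing is written to the database.
printf '%s\n' "$SAMPLE_RECORD" | update_expression
```

If -p is given as the last option with no value, the mongo shell prompts for the deploy_admin password, which keeps it out of shell history and the process list.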

  4. Stop the New Health and Wellness services:

    systemctl stop rsa-nw-metrics-server elasticsearch opendistro-performance-analyzer kibana

  5. Disable the New Health and Wellness services:

    systemctl disable rsa-nw-metrics-server elasticsearch opendistro-performance-analyzer kibana

  6. Uninstall the New Health and Wellness packages using the command:

    yum erase -y rsa-nw-metrics-server opendistroforelasticsearch opendistroforelasticsearch-kibana

    Note: rsa-nw-shell (installed with metrics server) is a shared package and should not be removed.

  7. Remove the configuration folders or files:
    • /etc/netwitness/metrics-server
    • /etc/netwitness/platform/elasticsearch
    • /etc/netwitness/platform/nodeinfo/metrics-server
    • /etc/netwitness/platform/nodeinfo/elasticsearch-open-distro
    • /etc/netwitness/platform/nodeinfo/kibana-open-distro
    • /etc/systemd/system/rsa-nw-metrics-server.service.d
    • /etc/systemd/system/elasticsearch.service.d
    • /etc/pki/nw/service/bootstrap/metrics-server.completed
    • /etc/pki/nw/service/rsa-nw-metrics-server-cert.pem
    • /etc/pki/nw/service/rsa-nw-metrics-server.chain
    • /etc/pki/nw/elastic
    • /etc/pki/nw/kibana
    • /var/log/netwitness/metrics-server
    • /var/log/kibana
    • /etc/collectd.d/rsa-metrics-server.conf
    • /etc/logrotate.d/kibana
    • /etc/elasticsearch
    • /etc/kibana
    • /var/lib/elasticsearch
    • /var/lib/kibana
    • /var/netwitness/elasticsearch
  8. Start the orchestration server on NetWitness Server:
    systemctl start rsa-nw-orchestration-server

  9. Unregister the New Health and Wellness from the installedService:

    1. Find the service IDs for metrics-server, elasticsearch-open-distro, and kibana-open-distro:

      Note: Make sure you look for service IDs for the correct host; do not unregister elastic or kibana on a UEBA host.

      orchestration-cli-client --list-services | grep <hw-node-IP-address>

      Sample output

      ID=50082d04-320c-4ce2-8379-00f38ae2d1df, NAME=metrics-server, HOST=192.168.1.2:7018, TLS=true

      ID=530ff46a-8793-4e8e-be9c-742193d1705a, NAME=elasticsearch-open-distro, HOST=192.168.1.2:9200, TLS=true

      ID=4bad6ea8-e3a4-46ab-a342-34356bea65bb, NAME=kibana-open-distro, HOST=192.168.1.2:5601, TLS=true

      ... (other services) ...

    2. Remove the service IDs returned above for metrics-server, elasticsearch-open-distro, and kibana-open-distro (associated with the New Health and Wellness host):

      orchestration-cli-client --remove-service --id <metrics-server-service-id>

      orchestration-cli-client --remove-service --id <elasticsearch-open-distro-service-id>

      orchestration-cli-client --remove-service --id <kibana-open-distro-service-id>

    3. Verify that the services are removed:

      orchestration-cli-client --list-services | grep <hw-node-IP-address>
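
A plain grep for an IP address matches substrings, so filtering for 192.168.1.2 also returns services on 192.168.1.20. The following added example (not vendor code) selects the three service IDs by exact host match and prints the remove commands for review. The function names are hypothetical and the listing is constructed in the format of the sample output above.

```bash
#!/usr/bin/env bash
# Added example (not vendor code); function names are hypothetical.

# Constructed listing. The last two lines belong to a different host whose
# address merely starts with the same digits as the target host.
SAMPLE_LISTING='ID=11111111-0000-0000-0000-000000000001, NAME=metrics-server, HOST=192.168.1.2:7018, TLS=true
ID=11111111-0000-0000-0000-000000000002, NAME=elasticsearch-open-distro, HOST=192.168.1.2:9200, TLS=true
ID=11111111-0000-0000-0000-000000000003, NAME=kibana-open-distro, HOST=192.168.1.2:5601, TLS=true
ID=11111111-0000-0000-0000-000000000004, NAME=other-service, HOST=192.168.1.2:1234, TLS=true
ID=22222222-0000-0000-0000-000000000001, NAME=elasticsearch-open-distro, HOST=192.168.1.20:9200, TLS=true
ID=22222222-0000-0000-0000-000000000002, NAME=kibana-open-distro, HOST=192.168.1.20:5601, TLS=true'

# Reads --list-services output on stdin and prints "NAME ID" only for the three
# New Health and Wellness services whose HOST address equals $1 exactly.
hw_service_ids() {
    awk -v ip="$1" -F', ' '
        {
            sub(/^[ \t]+/, "")                 # tolerate indented output
            id = name = host = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ID=/)   id   = substr($i, 4)
                if ($i ~ /^NAME=/) name = substr($i, 6)
                if ($i ~ /^HOST=/) host = substr($i, 6)
            }
            sub(/:[0-9]+$/, "", host)          # drop the port
            if (host != ip) next               # string equality, not a regex
            if (name == "metrics-server" || name == "elasticsearch-open-distro" ||
                name == "kibana-open-distro") print name, id
        }'
}

# Prints the remove commands for review; nothing is executed.
removal_commands() {
    hw_service_ids "$1" | while read -r name id; do
        printf 'orchestration-cli-client --remove-service --id %s\n' "$id"
    done
}

printf '%s\n' "$SAMPLE_LISTING" | removal_commands 192.168.1.2
```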

  10. On all hosts, except for UEBA, stop and disable metricbeat:

    systemctl stop metricbeat

    systemctl disable metricbeat

    Note: For NetWitness Platform without UEBA, you can stop and disable metricbeat on all hosts through salt:
    salt '*' cmd.run 'systemctl stop metricbeat && systemctl disable metricbeat'

  11. (Optional) If you are not reinstalling New Health and Wellness (on the same or other hosts), you can also remove the metricbeat package and configuration:
    1. Package to uninstall:
      metricbeat
    2. Service configurations to uninstall:
      • /etc/metricbeat

      • /var/log/metricbeat

      • mongo account

      • systemd configuration

  12. Refresh the New Health and Wellness host:
    nw-manage --refresh-host --host-key <node-ip>
    Make sure that the New Health and Wellness service is not installed or running and metricbeat service is not active on the New Health and Wellness host.

  13. If you are not reinstalling New Health and Wellness on another host, you must refresh UI hosts (NetWitness Server host and Analyst UI) to update NGINX:

    nw-manage --refresh-host --host-key <node-ip>

Note: After uninstalling New Health and Wellness, if you want to install New Health and Wellness again, see "New Health and Wellness" in the Deployment Guide.