Upgrade Instructions
You need to read the information and follow these procedures for upgrading NetWitness version 12.2.0.1.
Upgrade Path | Downloads Required |
---|---|
From 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, and 12.1.1.0 to 12.2.0.1 |
|
From 12.2.0.0 to 12.2.0.1 |
|
You can upgrade 12.2.0.1 patch using one of the following options:
- If the NetWitness Server has internet connectivity to Live Services, the NetWitness Platform User Interface can be used to apply the patch.
- If the NetWitness Server does not have internet connectivity to Live Services, the Command Line Interface (CLI) or the NetWitness Platform User Interface can be used to apply the patch.
Note: If you are using S4s device that utilizes SD cards, SSH to NW Server and run the following command before starting the upgrade process.
manage-stig-controls --disable-control-groups 7 --host-id <node uuid>.
Running in Mixed Mode
Running in mixed mode occurs when some services are upgraded to the latest version and some services are on older versions. For more information see the topic "Running in Mixed Mode" in the NetWitness Platform Hosts and Services Getting Started Guide.
Note: If you are running Endpoint Log Hybrid in mixed mode, makesure that Endpoint Broker is on the same version as one of the Endpoint Servers.
Upgrade Tasks
Important Notes
This section lists few important notes you must read before proceeding with the upgrade tasks.
Synchronize Time on Component Hosts with NW Server Host
Before upgrading your hosts, make sure that the time on each host is synchronized with the time on the NetWitness Server.
To synchronize the time, do one of the following:
- Configure the NTP Server. For more information, see "Configure NTP Servers" in the System Configuration Guide.
- Perform the following steps on each host:
- SSH to the Admin Server host.
-
Run the following commands.
salt \* service.stop ntpd
salt \* cmd.run 'ntpdate nw-node-zero'
salt \* service.start ntpd
Mixed Mode Unsupported for ESA Hosts
Mixed mode is not supported for ESA hosts in NetWitness Platform XDR version. The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform XDR version.
Respond Server Service Not Enabled Until NW Server and Primary ESA Host Upgraded to 12.2.0.1
After upgrading the primary NW Server (including the Respond Server service), the Respond Server service is not automatically re-enabled until after the Primary ESA host is also upgraded to 12.2.0.1. The Respond post-upgrade tasks only apply after the Respond Server service is upgraded and is in the enabled state.
Task 1: Upgrade External Repository
Note: Perform the below steps only if you are using an external repository for 12.2.0.1.
To upgrade the external repository which is an externally managed server, do the following:
- Upgrade the external repository with the latest upgrade content for the NetWitness Platform XDR netwitness-12.2.0.1.zip.
The following is the structure after upgrading the external repository:
Task 2: Disable Decoder Services
Before upgrading to 12.2.0.1, you must disable Capture AutoStart option on Network Decoder and Network Hybrid Services.
To disable Capture Autostart:
- Go to (Admin) > Services.
The Administration Services view is displayed.
- Select a Network Decoder or Network Hybrid service and select > View > Config.
The services config view for the selected Network Decoder or Network Hybrid is displayed.
- In the Decoder Configuration panel, deselect the Capture Autostart and click Apply.
Task 3: Upgrade the Patch
You can choose one of the following upgrade methods based on your internet connectivity.
- Option 1: Upgrade NetWitness Platform XDR
- Option 2: Upgrade NetWitness Platform XDR Offline
- Option 3: Upgrade NetWitness Platform XDR using CLI (Offline)
- Option 4 (Optional): Pre-Stage Upgrade Repository by Downloading Packages
Upgrade Options
Option 1: Upgrade NetWitness Platform XDR
You can use this method if the NetWitness Server host is connected to Live Services and can obtain the package.
Note: If the NetWitness Server does not have access to Live Services, use Option 2: Upgrade NetWitness Platform XDR Offline or Option 3: Upgrade NetWitness Platform XDR using CLI (Offline)
Prerequisites
Make sure that:
- The Automatically download information about new upgrades every day option is selected and is applied in (Admin) > System > Updates.
- Go to (Admin) > Hosts > Update > Check for Updates to check for upgrades. The Host page displays the Update Available status.
- 12.2.0.1 is available under Update Version column.
Note: If you have custom certificates, move any custom certificates from /etc/pki/nw/trust/import/ directory to /root/cert. Follow these steps to move the certificates:
• mkdir /root/cert
• mv /etc/pki/nw/trust/import/* /root/cert
To Upgrade NetWitness Platform XDR:
- Go to (Admin) > Hosts.
- Select the NetWitness Server (nw-server) host.
-
Check for the latest updates.
Note: In 11.7.1.0 and later versions, the (optional) Pre Stage Host option is added in the Update drop-down list. For more information, see Option 4 (Optional): Pre-Stage Upgrade Repository by Downloading Packages.
- Update Available is displayed in the Status column if you have a version upgrade in your Local Update Repository for the selected host.
- Select 12.2.0.1 from the Update Version column. If you:
- Want to view a dialog with the major features in the upgrade and information on the updates, click the information icon ( ) to the right of the upgrade version number.
- Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message "New updates are available" is displayed and the Status column upgrades automatically to show Update Available. By default, only supported upgrades for the selected host are displayed.
- Click Update > Update Host from the toolbar.
- Click Begin Update.
- Click the Reboot Host when prompted.
- Repeat steps 6 to 8 for other hosts.
Note:
• You can select multiple hosts to upgrade at the same time only after updating and rebooting the NetWitness Server host. All ESA, Endpoint, and Malware Analysis hosts should be upgraded to the same version as that of NW Admin Server or NetWitness Server host.
• Not all components have been changed for 12.2.0.1, so after you perform the upgrade steps, it is normal to see some components with different version numbers. For a list of the components that were upgraded for this release, see Build Numbers.
Option 2: Upgrade NetWitness Platform XDR Offline
When you apply version upgrades:
- You must upgrade the NW Server host first.
- You can only apply a version that is compatible with the existing host version.
Download the 12.2.0.1 Patch
Download the NetWitness Platform XDR 12.2.0.1 Upgrade Pack file (netwitness-12.2.0.1.zip), which contains all the NetWitness Platform 12.2.0.1 upgrade files, from the NetWitness Community https://community.netwitness.com/t5/netwitness-platform-downloads/tkb-p/netwitness-downloads to a local directory.
Upgrading from | Download and Stage file |
---|---|
11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, and 12.1.1.0 | netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip |
12.2.0.0 | netwitness-12.2.0.1.zip |
Note: If you get the Download Error, see the Troubleshooting information for resolution.
Task 1. Populate Staging Folder (/var/netwitness/common/update-stage) with Version Updates
- If you are upgrading from 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, or 12.1.1.0 to 12.2.0.1, download the netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip, upgrade package from NetWitness Community to a local directory.
- If you are upgrading from 12.2.0.0 to 12.2.0.1, download the netwitness-12.2.0.1.zip, upgrade package from NetWitness Community to a local directory.
- SSH to the NW Server host.
-
If you are upgrading from 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, or 12.1.1.0 to 12.2.0.1, copy netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip from the local directory to the /var/netwitness/common/update-stage/ staging folder. For example:
mv/var/netwitness/tmp/netwitness-12.2.0.0.zip /var/netwitness/common/update-stage/
mv/var/netwitness/tmp/netwitness-12.2.0.1.zip /var/netwitness/common/update-stage/
-
If you are upgrading from 12.2.0.0 to 12.2.0.1, copy netwitness-12.2.0.1.zip from the local directory to the /var/netwitness/common/update-stage/ staging folder. For example:
mv/var/netwitness/tmp/netwitness-12.2.0.1.zip /var/netwitness/common/update-stage/
Task 2. Apply Updates from the Staging Area to Each Host
Caution: You must upgrade the NW Server host before upgrading any Non-NW Server host.
- Log in to NetWitness.
- Go to (Admin) > Hosts.
-
Check for updates and wait for the update packages to be copied, validated, and ready to be initialized.
"Ready to initialize packages" is displayed if:
- NetWitness Platform can access the update package.
- The package is complete and has no errors.
Refer to Troubleshooting Version Installations and upgrades for instructions on how to troubleshoot errors (for example, "Error deploying version <version-number>" and "Missing the following update package(s)," are displayed in the Initiate Update Package for RSA NetWitness Platform dialog.)
-
Click Initialize Update.
It takes some time to initialize the packages because the files are large and need to be unzipped.
After the initialization is successful, the Status column displays Update Available and you complete the rest of the steps in this procedure to finish the update of the host. -
Click Update > Update Hosts from the toolbar.
-
Click Begin Update from the Update Available dialog.
After the host is upgraded, it prompts you to reboot the host.
- Click Reboot from the toolbar.
Option 3: Upgrade NetWitness Platform XDR using CLI (Offline)
You can use this method if the NetWitness Server host is not connected to Live Services.
Note: Alternatively, you can upgrade using the Option 2: Upgrade NetWitness Platform XDR Offline .
Download the 12.2.0.1 Patch
Download the NetWitness 12.2.0.1 Upgrade Pack file (netwitness-12.2.0.1.zip), which contains all the NetWitness 12.2.0.1 upgrade files, from the NetWitness Community https://community.netwitness.com/t5/netwitness-platform-downloads/tkb-p/netwitness-downloads to a local directory.
Upgrading from | Download and Stage file |
---|---|
11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, and 12.1.1.0 | netwitness-12.2.0.0.zip and netwitness-12.2.0.1.zip |
12.2.0.0 | netwitness-12.2.0.1.zip |
Note: If you are using external repository, you can upgrade the external repository with the latest upgrade content. For more information see, Task 1: Upgrade External Repository.
Procedure
You need to perform the upgrade steps for NetWitness Server host and for component hosts.
Note:
• If you copy paste the commands from PDF to Linux SSH terminal, the characters do not work. It is recommended to type the commands.
• Make sure you remove the update zip file from the staging directory after it is extracted.
-
If you are upgrading from 11.6.1.3, 11.6.1.4, 11.7.0.0, 11.7.0.1, 11.7.0.2, 11.7.1.0, 11.7.1.1, 11.7.1.2, 11.7.2.0, 11.7.3.0, 12.0.0.0, 12.1.0.0, 12.1.0.1, or 12.1.1.0, you must stage 12.2.0.0 and 12.2.0.1. Log into the NW Server as root and create the following directory:
-
Option 1 (Manual) : Log into the NetWitness Server and create the following directories:
/var/netwitness/tmp/upgrade/12.2.0.0/
/var/netwitness/tmp/upgrade/12.2.0.1/
and then copy the package zip file to the /var/netwitness/tmp/ directory of the NW Server and extract the package files from /var/netwitness/tmp/ to the appropriate directory using the following commands:
unzip netwitness-12.2.0.0.zip -d /var/netwitness/tmp/upgrade/12.2.0.0/
unzip netwitness-12.2.0.1.zip -d /var/netwitness/tmp/upgrade/12.2.0.1/
Make sure you remove the update zip file from the staging directory after it is extracted. - Option 2 (Automated) : Log into the NetWitness Server and create the following directory:
/var/netwitness/tmp/upgrade/
and then copy the NetWitness 12.2.0.0 and 12.2.0.1 package zip files to the /var/netwitness/tmp/ directory on the NetWitness Server.
After this, run the below command to extract, validate, and initialize the 12.2.0.1 zip files:
[root@SA ~]# upgrade-cli-client --init --stage-dir /var/netwitness
/tmp/upgrade --download-path /var/netwitness/tmp/ --version 12.2.0.1
Once the message (INFO) Download and extraction of all the necessary NetWitness zips are completed is displayed in the console of the admin server, only then the initialization process will begin.
-
Note: If you do not receive the message (INFO) Download and extraction of all the necessary NetWitness zips are completed, run the previous command again.
IMPORTANT: After staging 12.2.0.1 (using the Option 2), if the initialization fails, run the command upgrade-cli-client --init --version 12.2.0.1 --stage-dir /var/netwitness/tmp/upgrade. If the initialization succeeds, ignore the first step under Upgrading the NetWitness Server and component hosts and proceed with the further steps 2-4.
- If you are upgrading from 12.2.0.0, you only need to stage 12.2.0.1.
-
Option 1 (Manual) : Log into the NetWitness Server and create the following directory:
/var/netwitness/tmp/upgrade/12.2.0.1/
and then copy the package zip file to the /var/netwitness/tmp/ directory of the NW Server and extract the package files from /var/netwitness/tmp/ to the appropriate directory using the following command:unzip netwitness-12.2.0.1.zip -d /var/netwitness/tmp/upgrade/12.2.0.1
Make sure you remove the update zip file from the staging directory after it is extracted. -
Option 2 (Automated) : Log into the NetWitness Server and create the following directory:
/var/netwitness/tmp/upgrade/
and then copy the NetWitness 12.2.0.1 package zip files to the /var/netwitness/tmp/ directory on the NetWitness Server.
After this, run the below command to extract, validate, and initialize the 12.2.0.1 zip files:
[root@SA ~]# upgrade-cli-client --init --stage-dir /var/netwitness
/tmp/upgrade --download-path /var/netwitness/tmp/ --version 12.2.0.1
Once the message (INFO) Download and extraction of all the necessary NetWitness zips are completed is displayed in the console of the admin server, only then the initialization process will begin.
Note: If you do not receive the message (INFO) Download and extraction of all the necessary NetWitness zips are completed, run the command [root@SA ~]# upgrade-cli-client --init --stage-dir /var/netwitness/tmp/upgrade --download-path /var/netwitness/tmp --version 12.2.0.1 again to stage 12.2.0.1.
IMPORTANT: After staging 12.2.0.1 (using the Option 2), if the initialization fails, run the command upgrade-cli-client --init --version 12.2.0.1 --stage-dir /var/netwitness/tmp/upgrade. If the initialization succeeds, ignore the first step under Upgrading the NetWitness Server and component hosts and proceed with the further steps 2-4.
-
Upgrading the NetWitness Server and component hosts
-
Initialize the upgrade using the following command:
upgrade-cli-client --init --version 12.2.0.1 --stage-dir /var/netwitness/tmp/upgradeIMPORTANT: Once init is performed, do not reboot the NW Admin server or restart jetty.
- Upgrade Netwitness Server using the following command:
upgrade-cli-client --upgrade --version 12.2.0.1 --host-key <ID / display name / (hostname/ IP address)> -
When the component host upgrade is successful, reboot the host from NetWitness UI.
IMPORTANT: This is a mandatory step. Ensure that you reboot the host from the NetWitness UI.
- Change the IP address to the component host being upgraded and repeat the steps 2 and 3 for each component host.
Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on the NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.
Note: If the following error displays during the upgrade process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the patch will install correctly. No action is required. If you encounter additional errors when upgrading a host to a new version, contact Getting Help with NetWitness Platform.
External Repo Instructions for CLI Upgrade
Note: The external repo should have separate directories for 12.2.0.0 and 12.2.0.1, as described in Option 3: Upgrade NetWitness Platform XDR using CLI (Offline).
Note: Make sure you remove the update zip file from the staging directory after it is extracted.
- Stage 12.2.0.1 by creating a directory on the NetWitness Server at /var/netwitness/tmp/upgrade/12.2.0.1 and extract the zip package.
unzip netwitness-12.2.0.1.zip -d /var/netwitness/tmp/upgrade/12.2.0.1 - Initialize the upgrade using the following command:
upgrade-cli-client --init --version 12.2.0.1--stage-dir /var/netwitness/tmp/upgrade - Upgrade Netwitness Server using the following command:
upgrade-cli-client --upgrade --version 12.2.0.1 --host-addr <IP of Netwitness Server> - When the component host upgrade is successful, reboot the host from NetWitness UI.
- Change the IP address to the component host being upgraded and repeat the steps 3 and 4 for each component.
Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.
Note: If the following error displays during the upgrade process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the patch will install correctly. No action is required. If you encounter additional errors when upgrading a host to a new version, contact Getting Help with NetWitness Platform.
Option 4 (Optional): Pre-Stage Upgrade Repository by Downloading Packages
You can pre-stage the upgrade repository by downloading the required packages (.zip) without affecting the system. This minimizes the upgrade downtime and ensures the upgrade is completed within the planned time.
To Pre-Stage the Upgrade Repository
- Go to (Admin) > Hosts.
-
Click Update > Check for Updates from the toolbar.
All possible update versions will be displayed in the Versions drop-down list.
-
Click Update > Pre Stage Host and select the version in the update version column.
A confirmation message for downloading the files is displayed.
-
Click Yes to download the upgrade packages to the repo.
-
Verify the status of the download in the notifications tray as shown below.
The Pre Stage Host and Upgrade Host will be disabled until pre stage is completed.
Note: The current version and the update version in the UI will be the same during the pre stage as it is not the actual update. This is because only the repo files are downloaded and no actual upgrade is done. The version will change only after upgrade.
-
If the download is successful, Check for Updates again to start the initialization.
-
Click Initialize Update.
The initialization of the package will take some time as the files are large and will need to be unzipped.
IMPORTANT: Pre Stage Repo preparation steps from 1 to 4 can be performed at any time. However, from steps 5 to 8 the upgrade process begins and you must NOT reboot the host or restart the jetty server during this time as it will corrupt the .ZIP files.
-
Check the status of initialization in the notifications tray.
-
After the initialization is completed successfully, click Update > Update Host.
After the host is updated, you will be prompted to reboot the host.
-
Set up and reboot the host.
Post-Upgrade Tasks
This topic provides information about the tasks performed after upgrading from 11.6.1.3 or 11.6.1.4 to 12.2.0.1.
Post Upgrade Tasks for Customers Upgrading from versions 11.6.1.3 or 11.6.1.4
Task 1 (Optional) - Move the Custom Certificates
Move the custom certificates from external directory to/etc/pki/nw/trust/import directory.
Task 2 - Enable Decoder Services
After you upgrade to 12.2.0.1, you must enable Capture AutoStart on Network Decoder and Network Hybrid Services.
To enable the Capture Autostart field:
-
Go to (Admin) > Services.
The Administration Services view is displayed.
-
Select a Network Decoder or Network Hybrid service and select > View > Config.
The services Config view for the selected Network Decoder or Network Hybrid is displayed.
- In the Decoder Configuration panel, select the Capture Autostart field and click Apply.
Task 3 (Optional) - Remove Old Plugins and Reinstall Export Connector Plugin
Follow the below procedure only if you have export connector plugin in your deployment and logstash installed separately.
Remove the old plugin
You must remove the old plugin, so the scans do not list them as vulnerabilities.
-
Remove old Export Connector Plugin files. Do the following.
rm -rf /usr/share/logstash/vendor/bundle/jruby/2.5.0/logstash-inputnetwitness_export_connector-1.x.x
rm -rf /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-inputnetwitness_export_connector-1.x.x
Note: 1.x.x can be 1.1.0 or 1.0.0
Install the updated plugin
If you have Logstash installed separately, not as part of the NetWitness installation, you must install the updated Export Connector plugin after 12.2.0.1 patch upgrade. For more information to install the updated plugin, see https://community.netwitness.com/t5/netwitness-platform-online/install-netwitness-logstash-input-plugin/ta-p/669115.
Restart the Log Collector
service nwlogcollector restart
Note: In case you have installed Logstash separately, outside NetWitness installation, the path and version of the plugin will be different. Restarting of the Log Collector service may not be required.