How to access RSA NetWitness Platform data after changing the appliance's hostname
Issue
How to access NetWitness data after changing the appliance's hostname. How do I get my data after changing the hostname of my NetWitness appliance?
Resolution
A Decoder is known to its downstream Concentrators by its hostname. If a Decoder's hostname is changed, the Decoder will appear to its Concentrator(s) to be a new Decoder. Aggregation from the Decoder will therefore be reset, and all meta on the Decoder will be re-consumed. As a result, any attempt to access packet data stored on the Decoder from Concentrator sessions that refer to the old Decoder ID (the language key 'did' on the Concentrator) will fail; the old meta, however, will still be accessible from the Concentrator.
In RSA NetWitness, the parameter /sys/config/service.name.override was introduced so that a Decoder's hostname can be changed while the packet data stored on the Decoder remains accessible. This is achieved as follows:
- Log in to the SA or NW UI.
- Open the Config page of the Concentrator and stop aggregation.
- Open the Explore view of the Decoder and enter the <OLD decoder hostname> in the /sys/config/service.name.override field.
- Stop capture and restart the Decoder service.
- From the Concentrator service, start aggregation from the Decoder again.
Rather than the appliance's OS hostname, the Decoder will now use the value stored in /sys/config/service.name.override to identify itself to the Concentrator, so the Concentrator will still be able to access the Decoder's packet data. Any new meta aggregated from the Decoder will also use the service.name.override value for its 'did' meta.
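The identity rule behind the steps above (a Decoder presents service.name.override if set, otherwise its OS hostname, and a Concentrator session's packet data is only reachable while some Decoder still answers to the session's 'did'), as an added illustration that is not RSA's code: the Decoder inventory, the session records and the previous_hostname field are constructed sample data, and NetWitness itself does not expose any of this as Python objects.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class Decoder:
    hostname: str                              # current OS hostname
    previous_hostname: Optional[str] = None    # constructed: name before a rename
    name_override: Optional[str] = None        # /sys/config/service.name.override

    def effective_id(self) -> str:
        """Identity the Decoder presents to Concentrators (the 'did' of new meta)."""
        return self.name_override or self.hostname


@dataclass
class Session:
    session_id: int
    did: str    # Decoder ID the Concentrator recorded for this session


def orphaned_sessions(decoders: List[Decoder], sessions: List[Session]) -> Dict[str, int]:
    """Count sessions per 'did' whose packet data can no longer be fetched,
    because no Decoder currently identifies itself by that 'did'."""
    live_ids = {d.effective_id() for d in decoders}
    counts: Dict[str, int] = {}
    for s in sessions:
        if s.did not in live_ids:
            counts[s.did] = counts.get(s.did, 0) + 1
    return counts


def suggested_overrides(decoders: List[Decoder], sessions: List[Session]) -> Dict[str, str]:
    """For each renamed Decoder still referenced by its old 'did', the
    service.name.override value (its previous hostname) that restores access."""
    orphans = orphaned_sessions(decoders, sessions)
    return {d.hostname: d.previous_hostname for d in decoders
            if d.previous_hostname in orphans and d.effective_id() != d.previous_hostname}


def apply_overrides(decoders: List[Decoder], plan: Dict[str, str]) -> List[Decoder]:
    """Return a new inventory with the planned overrides set (original untouched)."""
    return [replace(d, name_override=plan.get(d.hostname, d.name_override)) for d in decoders]


# Constructed sample: decoder01 was renamed to pktdec01 with no override set.
DECODERS = [Decoder("pktdec01", previous_hostname="decoder01"), Decoder("logdec01")]
SESSIONS = [Session(1001, "decoder01"), Session(1002, "decoder01"), Session(1003, "logdec01")]

if __name__ == "__main__":
    print(orphaned_sessions(DECODERS, SESSIONS))        # {'decoder01': 2}
    print(orphaned_sessions(apply_overrides(DECODERS, suggested_overrides(DECODERS, SESSIONS)), SESSIONS))  # {}
```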
Notes
The above steps can also be used when changing a Concentrator's or Broker's hostname, so that the proper Concentrator ID (cid) is kept and aggregation from upstream Brokers is preserved. To change the hostname in Security Analytics 10.6.x, please follow Sys Maintenance: Change IP Address or Hostname of a Host.
Please note that changing the hostname in NetWitness 11.x is not officially supported at present, but one may follow the suggested method in RSA Community. Once again, this is not officially supported by RSA.
Product Details
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Security Analytics Server, NetWitness Admin Server
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7