How to completely remove a host from NetWitness 11.x and above
Issue
Looking for how to completely remove a host that is no longer being used by NetWitness.
Resolution
Follow these steps to remove the unwanted host:
1. Remove the host from the UI using the steps in the Knowledge Base Article "Hosts View" (click the delete button and confirm the removal).
2. SSH to the host that you want to remove (Broker, Concentrator, Decoder, Archiver, ESA, etc.).
3. Run the following command and copy the ID that is displayed.
# cat /etc/salt/minion
4. SSH into the Admin server and run the following command with the ID copied in step 3 to remove the salt-key entry.
# orchestration-cli-client --remove-key
Ex) orchestration-cli-client --remove-key 1d8aa9ec-8471-439d-87d9-9c645a0b3337
5. Run the following command on the Admin server to remove the RabbitMQ federations for the host. The same ID is appended to carlos-upstream-, as in the example.
# rabbitmqctl -q clear_parameter -p /rsa/system federation-upstream carlos-upstream-
Ex) rabbitmqctl -q clear_parameter -p /rsa/system federation-upstream carlos-upstream-1d8aa9ec-8471-439d-87d9-9c645a0b3337
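The steps above can be wrapped in a small shell helper that checks the copied ID before it reaches either Admin-server command. This is an added example, not RSA tooling or part of the original article. It assumes the minion file carries Salt's standard "id:" key and that host IDs are UUID-shaped as in the article's example; the function names, the APPLY variable and the rabbitmqctl list_parameters check are choices made for this example.

```shell
#!/bin/sh
# Added example (not RSA tooling): guard rails around the two Admin-server commands.

# Constructed sample of /etc/salt/minion. Assumption: the file uses Salt's
# standard "id:" key; the UUID is the one from the article's example.
SAMPLE_MINION='master: nw-admin.example
id: 1d8aa9ec-8471-439d-87d9-9c645a0b3337'

# Read minion config on stdin, print the first uncommented id value.
minion_id_from_config() {
    sed -n 's/^id:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' | tr -d "\"'" | head -n 1
}

# Accept only a single-line, UUID-shaped ID (shape assumed from the article's
# example). An empty or mistyped value would otherwise reach --remove-key or
# leave a bare "carlos-upstream-" name.
is_valid_host_id() {
    case $1 in *"
"*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# Print the article's two removal commands for one validated ID.
removal_commands() {
    is_valid_host_id "$1" || { echo "refusing: bad host ID '$1'" >&2; return 1; }
    printf 'orchestration-cli-client --remove-key %s\n' "$1"
    printf 'rabbitmqctl -q clear_parameter -p /rsa/system federation-upstream carlos-upstream-%s\n' "$1"
}

# Succeeds if a parameter listing on stdin still names the host's upstream,
# e.g. the output of: rabbitmqctl -q list_parameters -p /rsa/system
upstream_still_present() {
    grep -Fq -- "carlos-upstream-$1"
}

# Dry run unless APPLY=1 (run as root on the Admin server).
decommission() {
    if [ "${APPLY:-0}" != 1 ]; then removal_commands "$1"; return; fi
    is_valid_host_id "$1" || return 1
    orchestration-cli-client --remove-key "$1" &&
        rabbitmqctl -q clear_parameter -p /rsa/system \
            federation-upstream "carlos-upstream-$1" || return 1
    if rabbitmqctl -q list_parameters -p /rsa/system | upstream_still_present "$1"
    then echo "federation upstream for $1 still present" >&2; return 1; fi
}

# Demo on the constructed sample: prints the commands, executes nothing.
removal_commands "$(printf '%s\n' "$SAMPLE_MINION" | minion_id_from_config)"
```

Calling decommission with an ID prints the commands for review; setting APPLY=1 on the Admin server runs them and then confirms that the federation upstream is gone.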
Notes
It is best practice to remove hosts completely from the Admin server when decommissioning them. Leaving these hosts in the Admin server databases may lead to problems with Salt and RabbitMQ. These old hosts can cause issues with the upgrade precheck script and when running the cert-reissue command. It is recommended to perform these steps to keep the databases clean and running effectively.
Product Details
RSA Product Set: NetWitness Log and Network
RSA Product/Service Type: Administration
RSA Version/Condition: 11.x, 12.x