Skip to content
  • There are no suggestions because the search field is empty.

How to manually re-add a host that has been removed from the RSA NetWitness GUI Hosts page

Issue

After removing a Host from the Host page in the UI it won't discover again.


Resolution

On your Component Host (Packet Decoder, Concentrator, Malware Analysis, etc.), run the following command from an SSH window to retrieve the host_id.
# cat /etc/salt/minion
Sample output...
# cat /etc/salt/minion
master: 192.168.2.101
hash_type: sha256
log_level: info
id: 44f0b8ad-55cb-440f-8e42-95caa049b4a1


On the NW Admin Server, verify that the component host_id is in the list.
Run the following command from an SSH window on the NW Admin Server
# orchestration-cli-client -k
[root@nwadmin1 ~]# orchestration-cli-client -k
2018-10-11 03:34:00.387  INFO 11265 --- [           main] Bootstrap                                : Service logs will be written to /var/log/netwitness/orchestration-client
2018-10-11 03:34:00.396  INFO 11265 --- [           main] Bootstrap                                : Service configuration will be read from /etc/netwitness/orchestration-client
2018-10-11 03:34:00.630  INFO 11265 --- [           main] Bootstrap                                : Starting orchestration-client.9c202413-65a5-43f6-8eed-641d48ed078c (v0.0.0.0)
2018-10-11 03:34:01.214  INFO 11265 --- [           main] Bootstrap                                : Initialized service cryptography with 4 providers (BSAFE=CRYPTOJ 6.2.2 20161215 0745, FIPS-140=true).
2018-10-11 03:34:02.376  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Starting OrchestrationApplication on nwadmin1 with PID 11265 (/usr/bin/orchestration-cli-client.jar started by root in /root)
2018-10-11 03:34:02.376  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : The following profiles are active: standard
2018-10-11 03:34:02.602  INFO 11265 --- [           main] Bootstrap                                : Service will accept AMQP requests at broker localhost:5672/rsa/system
2018-10-11 03:34:02.626  INFO 11265 --- [           main] Bootstrap                                : Service will use the deployment security-server
2018-10-11 03:34:04.656  INFO 11265 --- [shake Completed] Security                                 : Accepted new connection with CN=ba847be4-afca-4df4-beca-e6df7ac3a228,OU=NetWitness Platform,O=RSA,L=Reston,ST=VA,C=US from 127.0.0.1 using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
2018-10-11 03:34:05.878  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=a3f9d06f-4f67-4721-9e74-1f127e24e4ad, STATUS=Provisioned
2018-10-11 03:34:05.880  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=992dcb26-39c2-4c29-b9c9-7f5e98f3c542, STATUS=Provisioned
2018-10-11 03:34:05.881  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=f8b8c231-3a04-482a-b4ed-5abe4a242441, STATUS=Provisioned
2018-10-11 03:34:05.881  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=d4d00352-39e1-4462-9ecd-80c028c28df1, STATUS=Provisioned
2018-10-11 03:34:05.881  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=c49396f5-9332-447f-ae72-c920cf4bd6f6, STATUS=Provisioned
2018-10-11 03:34:05.882  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=fdd0857a-e022-439d-b148-05d4cb1f503a, STATUS=Provisioned
2018-10-11 03:34:05.882  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=73482e91-7ace-44aa-85aa-bb32fe6fe61b, STATUS=Provisioned
2018-10-11 03:34:05.883  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=ba847be4-afca-4df4-beca-e6df7ac3a228, STATUS=Provisioned
2018-10-11 03:34:05.883  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Key: ID=44f0b8ad-55cb-440f-8e42-95caa049b4a1, STATUS=Provisioned
2018-10-11 03:34:05.914  INFO 11265 --- [           main] SystemOperation                          : Update current versions on disk {com.rsa.asoc.compass.orchestration-api=3.3.0}
2018-10-11 03:34:05.917  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Started OrchestrationApplication in 6.788 seconds (JVM running for 7.592)
2018-10-11 03:34:06.388  INFO 11265 --- [           main] c.r.n.i.o.c.OrchestrationApplication     : Tasks completed successfully...
[2018-10-11T03:34:06+00:00] <11262> (INFO) Request completed successfully.


On the NW Admin Server, delete the host_id for the client host node.
# orchestration-cli-client --remove-key 44f0b8ad-55cb-440f-8e42-95caa049b4a1

On the client Host appliance re-run the nwsetup-tui command...
# nwsetup-tui
... answer the questions
nwsetup-tui Step 1
nwsetup-tui
nwsetup-tui Step 2
nwsetup-tui
nwsetup-tui Step 3
nwsetup-tui
nwsetup-tui Step 4
nwsetup-tui
nwsetup-tui Step 5
nwsetup-tui
nwsetup-tui Step 6
nwsetup-tui
nwsetup-tui Step 7 (note, choose "Yes" instead of "No" at this step, which is highlighted in Yellow)
nwsetup-tui
nwsetup-tui Step 8
nwsetup-tui
nwsetup-tui Step 9
nwsetup-tui
nwsetup-tui Step 10
nwsetup-tui
nwsetup-tui Step 11
nwsetup-tui
nwsetup-tui Step 12
nwsetup-tui
nwsetup-tui Step 13
nwsetup-tui



... once nwsetup-tui finishes go to the UI and discover the Host again
... once host is discovered click the "Install" button to select the node type (i.e. Packet Decoder, LogDecoder, etc...)
EX:
install

Product Details

RSA Product Set: NetWitness Logs and Network
RSA Version/Condition: 11.0, 11.1,11.2

Summary

After removing a Host from the NetWitness Host page, it doesn't rediscover when clicking the Discover button.


Approval Reviewer Queue

RSA NetWitness Suite Approval Queue