How to migrate a UEBA host from an old Admin Server to a new Admin Server in NetWitness Platform
Issue
A UEBA host installed on an old Admin Server host needs to be migrated to the new Admin Server without losing any data.
Resolution
Follow the steps below to move the UEBA host from the old Admin Server to the new Admin Server.
Note: These procedures ensure that all user data, including entities and alerts, is retained after migrating to the new Admin Server.
From the old or existing Admin Server:
- Log in to the NetWitness Platform.
- Go to (Admin) > Hosts.
- Select the UEBA host and click > Remove Host.
- SSH to the UEBA server.
- Get the UUID of the UEBA host by running the following command:
# cat /etc/salt/minion
- SSH to the Admin server and run the following command to remove the salt-key entry.
# orchestration-cli-client --remove-key <UEBA UUID displayed from the previous step>
Example:
# orchestration-cli-client --remove-key 1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7
- Run the following command on the Admin server to remove the RabbitMQ federations for the host.
# rabbitmqctl -q clear_parameter -p /rsa/system federation-upstream carlos-upstream-<UEBA UUID displayed previously>
Example:
# rabbitmqctl -q clear_parameter -p /rsa/system federation-upstream carlos-upstream-1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7
From the UEBA server:
- SSH to the UEBA server.
- Stop the following services:
- presidio-ui
- presidio-manager
- presidio-output
- presidio-configserver
- airflow-webserver
- airflow-scheduler
- mongod
- rsa-nw-node-infra-server
- rabbitmq-server
Run the following commands:
# systemctl stop presidio-manager presidio-output presidio-configserver airflow-webserver airflow-scheduler presidio-ui
# systemctl stop mongod rsa-nw-node-infra-server rabbitmq-server
- Move the following files to the /tmp directory by running the following commands:
# mv /etc/salt/pki/minion/minion_master.pub /tmp
# mv /etc/netwitness/platform /tmp
# mv /etc/netwitness/security-cli /tmp
# mv /etc/netwitness/security-client /tmp
# mv /etc/netwitness/presidio /tmp
# mv /etc/netwitness/node-infra-server /tmp
# mv /etc/pki/nw /tmp
- Create a directory named mongo under /etc/netwitness/platform using the following command:
# mkdir -p /etc/netwitness/platform/mongo
- Create a blank mongo.registered file by running the following command:
# touch /etc/netwitness/platform/mongo/mongo.registered
- Move the following files to the /tmp directory by running the following commands:
# mv /etc/systemd/system/rsa-nw-node-infra-server.service.d /tmp
# mv /etc/systemd/system/elasticsearch.service.d /tmp
# mv /etc/systemd/system/postgresql.service.d /tmp
- Run the following command to refresh the unit files:
# systemctl daemon-reload
- Remove the security and orchestration CLI packages using the following command:
# yum remove -y rsa-nw-security-cli rsa-nw-orchestration-cli
- Run the nwsetup-tui command on the UEBA host.
- (Optional) Once the nwsetup-tui process has completed successfully, you may need to update /etc/hosts on the UEBA host to include the IP address and hostnames of the Admin Server. If the entry is missing, add it on the UEBA host as follows.
- SSH to the UEBA server.
- Add the following line in /etc/hosts:
<Admin Server IP> nw-node-zero <Admin Server uuid> <Admin Server uuid>.netwitness nw-node-zero.netwitness
Example:
10.11.12.10 nw-node-zero 1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7 1ccdcd88-3815-40f0-8fa1-6476b4a4c2f7.netwitness nw-node-zero.netwitness
Note: To get the Admin Server UUID, run the following command on the Admin Server.
# cat /etc/salt/minion
- Additionally, restart salt-minion by running the following command on the UEBA server:
# systemctl restart salt-minion
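The UEBA-side preparation above (stop services, move the old Admin Server's trust and orchestration state aside, create mongo.registered, refresh unit files, remove the CLI packages) collected into one script, as an added example that is not part of this article. It assumes the paths and service names listed above; ROOT, BACKUP, DRY_RUN and the function names are this example's own conventions.

```shell
# Added example, not from the NetWitness article: the UEBA-side preparation
# (stop services, stash the old Admin Server trust/orchestration state, create
# mongo.registered, refresh units, drop CLI packages) with a dry-run switch.
# ROOT="" targets the real host; a scratch ROOT rehearses the moves offline.
set -eu
ROOT="${ROOT:-}"
BACKUP="${BACKUP:-/tmp/ueba-migrate-$(date +%Y%m%d%H%M%S)}"  # article: bare /tmp
DRY_RUN="${DRY_RUN:-0}"
# Everything the article moves aside, relative to ROOT
STATE_PATHS="etc/salt/pki/minion/minion_master.pub
etc/netwitness/platform
etc/netwitness/security-cli
etc/netwitness/security-client
etc/netwitness/presidio
etc/netwitness/node-infra-server
etc/pki/nw
etc/systemd/system/rsa-nw-node-infra-server.service.d
etc/systemd/system/elasticsearch.service.d
etc/systemd/system/postgresql.service.d"
run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY: $*"; else "$@"; fi; }
stop_ueba_services() {
  run systemctl stop presidio-manager presidio-output presidio-configserver \
      airflow-webserver airflow-scheduler presidio-ui
  run systemctl stop mongod rsa-nw-node-infra-server rabbitmq-server
}
# Move each path under BACKUP keeping its layout (so it can be restored), then
# create the empty mongo.registered marker. Prints how many paths were moved.
stash_ueba_state() {
  moved=0
  run mkdir -p "$BACKUP"
  for p in $STATE_PATHS; do
    if [ -e "$ROOT/$p" ]; then
      run mkdir -p "$BACKUP/$(dirname "$p")"
      run mv "$ROOT/$p" "$BACKUP/$p"
      moved=$((moved + 1))
    else
      echo "absent, skipping: $ROOT/$p" >&2
    fi
  done
  run mkdir -p "$ROOT/etc/netwitness/platform/mongo"
  run touch "$ROOT/etc/netwitness/platform/mongo/mongo.registered"
  echo "$moved"
}
migrate_ueba_host() {   # the whole UEBA-side sequence, run before nwsetup-tui
  stop_ueba_services
  stash_ueba_state
  run systemctl daemon-reload
  run yum remove -y rsa-nw-security-cli rsa-nw-orchestration-cli
}
```

Run with DRY_RUN=1 first to review the exact commands; point BACKUP at persistent storage rather than /tmp if the host may reboot before the new Admin Server has re-registered it.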
From the new Admin Server UI:
- Discover the migrated UEBA host in the NetWitness Platform UI.
- Select the UEBA host and install the UEBA service from the Category drop-down menu.
- Go to the Users > Entities or Alerts page and verify that all the information is displayed correctly.
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Admin Server and UEBA Server
RSA Version/Condition: 11.x and 12.x
Platform: CentOS