NetWitness - How to move disks from an old appliance to new or RMAed appliance without losing data
Issue
How to move the disks from an old NetWitness appliance to a new or RMAed appliance without losing data: the disks shipped in the new/RMAed appliance are swapped for the disks from the original appliance so that the existing data is preserved.
The new appliance ends up with all of the existing data and returns to operating status with minimal downtime.
Resolution
To move disks from an old appliance to a new or RMAed appliance without losing data, follow the instructions below.
1. Power on the new appliance without making any changes and confirm that it boots successfully. Once confirmed, power it off.
2. Back up the following files from the old appliance to external storage:
/etc/sysconfig/network
/etc/hosts
/etc/resolv.conf
/etc/ntp.conf
/etc/fstab
/etc/netwitness/ng/(NwDecoder.cfg, NwConcentrator.cfg, NwLogdecoder.cfg, NwArchiver.cfg)
/etc/netwitness/ng/NwAppliance.cfg
/etc/netwitness/ng/(index-decoder.xml, index-concentrator.xml, index-archiver.xml)
/etc/netwitness/ng/index-decoder-custom.xml, index-concentrator-custom.xml, index-archiver-custom.xml (if they exist)
/etc/passwd, /etc/shadow* and /etc/group* (optional; only if you have created an OS account other than "root"). These files contain password hashes, so restrict access to the backup copy as tightly as on the appliance itself.
In addition, it is highly recommended to back up the appliance configuration and store the backup externally.
Follow the steps in the Recovery Tool User Guide to back up the configuration.
3. Shut down the old appliance and any attached DAC(s)/PowerVault(s).
4. Move all disks from the old appliance to the new appliance, making sure each disk is inserted into the same slot it occupied in the old appliance.
5. Attach the DAC(s)/PowerVault(s) to the new appliance and power on both the appliance and the DAC(s)/PowerVault(s).
6. When a foreign configuration is detected during boot, select the option to import it (do not clear it; clearing discards the RAID configuration stored on the moved disks).
7. Once the OS is up, copy the files backed up in step 2 back to their original locations. After restoring /etc/passwd, /etc/shadow* and /etc/group*, check that the restored files keep their original ownership and modes (/etc/shadow must remain readable by root only).
IMPORTANT: for /etc/fstab, do not overwrite the whole file. Replace only the entries that mount under /var/netwitness and leave the other entries (root, /boot, swap) as the new appliance installed them.
For example, in vi /etc/fstab, entries like the following need to be replaced:
/dev/index/index /var/netwitness/concentrator/index xfs noatime,nosuid 1 2
/dev/concentrator/sessiondb /var/netwitness/concentrator/sessiondb xfs noatime,nosuid 1 2
/dev/concentrator/metadb /var/netwitness/concentrator/metadb xfs noatime,nosuid 1 2
8. Run the following command so that the restored /etc/ntp.conf takes effect:
systemctl restart ntpd
9. Run the following command to confirm that the database folders exist, where service name is one of logdecoder, decoder, concentrator, archiver:
ls -l /var/netwitness/<service name>/
The listing should include the following folders:
drwxr-xr-x. 44 root root 4096 May 1 07:43 index
drwxr-x---. 3 netwitness netwitness 8192 Apr 26 10:03 metadb
drwxr-xr-x. 2 root root 8192 Apr 26 10:03 packetdb
drwxr-xr-x. 2 root root 4096 Apr 26 10:03 sessiondb
If any of these folders do not exist, create them manually with the "mkdir" command.
10. Run mount -a to mount all of the partitions listed in /etc/fstab.
11. Confirm that the old data is still available by running:
ls -l /var/netwitness/<service name>/<database>/
where service name is any of the following: logdecoder, decoder, concentrator, archiver
and database is any of the following: index, packetdb, metadb, sessiondb
12. Restart the NetWitness core service(s). If any service fails to start, reboot the appliance.
13. Monitor /var/log/messages and the NetWitness web UI to confirm that the core service comes online.
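The backup of step 2 and the fstab, directory and mount checks of steps 7 and 9 to 11, as an added shell example that is not part of this article or of NetWitness itself. The file list, service names and mount points are the ones given above; the function names, the ROOT/DEST arguments and the paths in the usage comments are assumptions of the example. Every function takes explicit paths so the logic can be rehearsed on a scratch directory before it is run on the appliance.

```shell
#!/bin/sh
# Added example, not NetWitness code. Helpers for the backup of step 2 and the
# fstab, directory and mount checks of steps 7, 9, 10 and 11. File list, service
# names and mount points come from the article; function names and the ROOT/DEST
# arguments are this example's own, so each step can be rehearsed against a
# scratch directory before it is run on the appliance (where ROOT is "/").

# Files of step 2, relative to ROOT. Optional ones are skipped when absent.
NW_BACKUP_FILES="etc/sysconfig/network etc/hosts etc/resolv.conf etc/ntp.conf etc/fstab
etc/netwitness/ng/NwDecoder.cfg etc/netwitness/ng/NwConcentrator.cfg
etc/netwitness/ng/NwLogdecoder.cfg etc/netwitness/ng/NwArchiver.cfg
etc/netwitness/ng/NwAppliance.cfg
etc/netwitness/ng/index-decoder.xml etc/netwitness/ng/index-concentrator.xml
etc/netwitness/ng/index-archiver.xml etc/netwitness/ng/index-decoder-custom.xml
etc/netwitness/ng/index-concentrator-custom.xml etc/netwitness/ng/index-archiver-custom.xml
etc/passwd etc/shadow etc/shadow- etc/group etc/group- etc/gshadow etc/gshadow-"

# nw_backup_config ROOT DEST
#   Step 2: archive the listed files that exist under ROOT into DEST as an
#   owner-only (0600) tarball, because it carries the /etc/shadow password
#   hashes, and write a SHA-256 manifest beside it. Prints the archive path.
nw_backup_config() {
    root="$1"; dest="$2"; list=""
    for f in $NW_BACKUP_FILES; do
        if [ -e "$root/$f" ]; then list="$list $f"; fi
    done
    if [ -z "$list" ]; then echo "nothing to back up under $root" >&2; return 1; fi
    mkdir -p "$dest"
    dest="$(cd "$dest" && pwd)"
    archive="$dest/nw-config-$(hostname -s 2>/dev/null || echo host)-$(date +%Y%m%d-%H%M%S).tar.gz"
    ( umask 077 && cd "$root" && tar -czf "$archive" $list )
    ( cd "$dest" && sha256sum "${archive##*/}" > "${archive##*/}.sha256" )
    echo "$archive"
}

# nw_verify_backup ARCHIVE
#   Check the manifest after the copy to external storage, and again before
#   the files are restored in step 7.
nw_verify_backup() {
    ( cd "${1%/*}" && sha256sum -c "${1##*/}.sha256" >/dev/null )
}

# nw_merge_fstab NEW_FSTAB OLD_FSTAB
#   Step 7: print NEW_FSTAB with any /var/netwitness entries dropped and the
#   /var/netwitness entries of OLD_FSTAB appended. Root, /boot and swap stay as
#   the new appliance installed them. Review the result before copying it over
#   /etc/fstab.
nw_merge_fstab() {
    awk '!/^[[:space:]]*#/ && $2 ~ /^\/var\/netwitness/ { next } { print }' "$1"
    echo "# /var/netwitness volumes carried over from the previous appliance"
    awk '!/^[[:space:]]*#/ && $2 ~ /^\/var\/netwitness/ { print }' "$2"
}

# nw_ensure_dbdirs ROOT SERVICE
#   Step 9: create the mount-point directories under ROOT/var/netwitness/SERVICE
#   (SERVICE is logdecoder, decoder, concentrator or archiver) and list them.
nw_ensure_dbdirs() {
    for d in index metadb packetdb sessiondb; do
        mkdir -p "$1/var/netwitness/$2/$d"
    done
    ls -ld "$1/var/netwitness/$2"/*
}

# nw_unmounted FSTAB [MOUNTS]
#   Steps 10-11: after "mount -a", print every /var/netwitness mount point from
#   FSTAB that is missing from MOUNTS (default /proc/mounts) and return non-zero.
#   A volume left unmounted lets the service write into the empty directory on
#   the OS disk instead of the migrated database.
nw_unmounted() {
    fstab="$1"; mounts="${2:-/proc/mounts}"; missing=0
    for mp in $(awk '!/^[[:space:]]*#/ && $2 ~ /^\/var\/netwitness/ { print $2 }' "$fstab"); do
        if ! awk -v mp="$mp" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$mounts"; then
            echo "$mp"; missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# On the appliance (the /mnt/external paths are assumptions of this example):
#   nw_backup_config / /mnt/external                                        # step 2, old appliance
#   nw_merge_fstab /etc/fstab /mnt/external/restored/etc/fstab > /tmp/fstab.new  # step 7
#   nw_ensure_dbdirs / concentrator                                         # step 9
#   mount -a && nw_unmounted /etc/fstab                                     # steps 10-11
```

Directories created by nw_ensure_dbdirs are owned by the user running it; compare the listing with the ownership shown in step 9 and adjust with chown if the service's metadb directory should belong to the netwitness user. nw_unmounted is the check that matters most after mount -a: a data volume that silently failed to mount leaves an empty directory on the OS disk, and the service would start filling that instead of the migrated data.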
Product Details
NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: NetWitness S6, S5 and S4 Appliances, NetWitness Core Components