SIEM Event Receiver in HA Pair: How to Shutdown


Can anyone help please? What is the correct procedure for shutting down a pair of Event Receivers in HA configuration? There is no 'Shutdown' button on the GUI, unlike ESM.

1 Solution

Accepted Solutions

Re: SIEM Event Receiver in HA Pair: How to Shutdown


There is an option to stop the receiver from the interface; then via ssh you can shut it down.

The actual stop will wait for all pending operations on the receiver level to complete, which will ensure there is no corruption.

Actually are you doing this for some kind of maintenance?

8 Replies

Re: SIEM Event Receiver in HA Pair: How to Shutdown


Thanks Alexander.

Annual site shutdown for electrical safety checks.

So, when the 'Stop' operation is complete, I ssh onto the box and use the Linux 'shutdown' command?

Should I shut down the secondary first?

Phil

Re: SIEM Event Receiver in HA Pair: How to Shutdown


Yep that's all correct

In case the services don't come up automatically after you turn on the devices, just type via ssh: NitroStart

Re: SIEM Event Receiver in HA Pair: How to Shutdown


Thank you very much for your help, alexander_h.

rcavey
Level 9
Message 6 of 9

Re: SIEM Event Receiver in HA Pair: How to Shutdown


So, just to add, alexander_h... we have gone back and forth internally a while back on this topic.

Here is what we do:

- Establish ssh sessions on both receivers in the HA pair

- secondary: NitroStop

- wait for the prompt

- prime: NitroStop

- wait for prompt

- secondary: init 0

- prime: init 0

When it comes to powering back up: power up the Primary, wait 30+ seconds, then power up the Secondary. If you don't care if the secondary might beat the primary starting up and take the lead role, just power them up at the same time.

I would also recommend that you log in after the receivers are back up and run ha_status to make sure all is good. We still have HA receiver pairs show OK in the ESM but looking at ha_status output we see both are in secondary mode = bad.

Cheers,

  -B

dcobes
Level 9
Message 7 of 9

Re: SIEM Event Receiver in HA Pair: How to Shutdown


Just wanted to note, the best way to perform NitroStop/NitroStart is to append "--nod" to the end, which tells the script to only return a prompt when the stop is finished. To verify the status of the Stop/Start, perform a "NitroStarted", which will report the status.

From personal experience we have had nothing but headaches with HA receiver pairs. I'm going to separate all the pairs and run them individually.

just my 2 cents

-d
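The sequence from the two posts above (stop services on the secondary, then the primary, with `--nod` so each stop returns only when finished; then `init 0` in the same order; then `NitroStarted` and `ha_status` after power-up), written as a dry-run-first script. This is an added example, not code from any poster or from the vendor; the host names, the `root@` login and the assumption that `NitroStop` exits non-zero on failure are not from the thread.

```bash
# Added example. Host names and the root@ login are placeholders.

# Emit the shutdown plan, one "host command" pair per line: stop services
# on the secondary, then the primary, and only then power off, same order.
plan_shutdown() {
  if [ -z "${1:-}" ] || [ -z "${2:-}" ] || [ "$1" = "$2" ]; then
    echo "usage: plan_shutdown SECONDARY PRIMARY (two different hosts)" >&2
    return 2
  fi
  printf '%s %s\n' \
    "$1" "NitroStop --nod" \
    "$2" "NitroStop --nod" \
    "$1" "init 0" \
    "$2" "init 0"
}

# Emit the post-power-up checks, primary first: service status, then HA role.
plan_postcheck() {
  printf '%s %s\n' \
    "$1" "NitroStarted" "$1" "ha_status" \
    "$2" "NitroStarted" "$2" "ha_status"
}

# Run a plan from stdin. DRY_RUN defaults to 1 (print only); DRY_RUN=0
# executes over ssh. A failed step aborts before anything is powered off.
# Assumption: NitroStop exits non-zero on failure (ssh itself returns 255
# when the host is unreachable).
run_plan() {
  while read -r host cmd; do
    if [ "${DRY_RUN:-1}" != 0 ]; then
      echo "ssh root@$host $cmd"
      continue
    fi
    case $cmd in
      "init 0")
        # The session drops as the box goes down, so a non-zero status
        # here is expected and is not treated as an error.
        ssh -n "root@$host" "$cmd" || true ;;
      *)
        ssh -n "root@$host" "$cmd" || {
          echo "abort: '$cmd' failed on $host; nothing further was run" >&2
          return 1
        } ;;
    esac
  done
}
```

Review the dry run with `plan_shutdown SECONDARY PRIMARY | run_plan`, then repeat with `DRY_RUN=0`; after powering the pair back on, `plan_postcheck PRIMARY SECONDARY | DRY_RUN=0 run_plan` prints the status output from both boxes for the operator to read.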

Re: SIEM Event Receiver in HA Pair: How to Shutdown


I need to perform a migration of 2 receivers in HA.

If I stop services with Nitrostop --nod, do I lose communication with the receiver?

After stopping services with Nitrostop --nod, is it necessary to run the poweroff command?

I need to turn off the secondary receiver, then the primary receiver, migrate the devices to the new location and then turn it on.

Can you tell me what is the correct procedure to carry out this activity?

akerr
Reliable Contributor
Message 9 of 9

Re: SIEM Event Receiver in HA Pair: How to Shutdown


Nitrostop just stops the SIEM type services. The actual Linux OS is still running and functional.

Given that the Nitro services are part of init, you don't even have to stop them before doing a shutdown. If we're powering off a receiver (HA or not), we generally just do: shutdown -h now

If you watch in /var/log/messages, you'll see it does a safe stop of the SIEM services on the device. I would generally stop the secondary first, then the primary in an HA pair. If you care about the order, as a previous poster mentioned, start the primary first, then start up the secondary. If it doesn't matter which is the primary, you can start them up at the same time.
