Kafka Cluster Reset -- SIEM Log issue

Part 1: Shutting down the cluster

  1. Identify all machines in the deployment with any of the following services:
    1. Message Broker Handler (installed with the Policy Broker)
    2. Event Message Broker (installed with the Policy Server)
    3. Bridge Service (installed with the Policy Server)
    4. Sync Service
    5. SIEM Connector (installed with the Policy Server)
    6. Cloud App Service (installed with the Log Server)
  2. Determine the cluster structure from the Policy Broker priority list on the Settings > General > Policy Server page of the Manager. All components installed under Policy Servers that share the same top-priority Policy Broker (the first Broker in the list) form one cluster.
  3. Identify all machines with components in the cluster being reset. Confirm that all necessary ports are open and that the services are communicating correctly:
    1. Verify that the Message Broker Handler can communicate with all Event Message Brokers in the cluster on port 55995.
    2. Verify that each Event Message Broker can communicate with all other Event Message Brokers in the cluster on port 55991.
    3. Verify that all other components in the list can communicate with all Event Message Brokers in the cluster on port 55991.
    4. See the attached PDF, emb_cluster_ports.pdf, for additional ports to verify.
  4. Stop all of the services below on every machine that is part of the cluster being reset:
    1. Message Broker Handler (installed with the Policy Broker)
    2. Event Message Broker (installed with the Policy Server)
    3. Bridge Service (installed with the Policy Server)
    4. Sync Service
    5. SIEM Connector (installed with the Policy Server)
    6. Cloud App Service (installed with the Log Server)
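
The port verification in Part 1 can be scripted rather than checked by hand. The following is an added example, not part of the original article: it builds the full check matrix (Handler to brokers on 55995, broker to broker and every other component to brokers on 55991) from the cluster's hostnames and runs the TCP connect tests that apply to the machine it is executed on. The hostnames in it are constructed placeholders.

```python
import socket
import sys

HANDLER_PORT = 55995  # Message Broker Handler -> each Event Message Broker
BROKER_PORT = 55991   # broker <-> broker, and every other component -> each broker


def build_check_plan(handler, brokers, other_components):
    """Return every (source, destination, port) check the pre-reset procedure calls for."""
    plan = [(handler, b, HANDLER_PORT) for b in brokers]
    plan += [(src, dst, BROKER_PORT) for src in brokers for dst in brokers if src != dst]
    plan += [(comp, b, BROKER_PORT) for comp in other_components for b in brokers]
    return plan


def port_open(host, port, timeout=3.0):
    """TCP connect test from this machine. Returns False on refusal, timeout,
    DNS failure or a local policy that blocks sockets (all surface as OSError)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks_from(this_host, plan):
    """Run only the checks whose source is this machine. A connect test proves the
    path from the caller only, so the script has to be run on each source host in turn."""
    return {(dst, port): port_open(dst, port)
            for src, dst, port in plan if src == this_host}


if __name__ == "__main__":
    # Constructed hostnames for illustration; replace them with the cluster's own machines.
    handler = "pb-handler-01"
    brokers = ["emb-01", "emb-02", "emb-03"]
    others = ["bridge-01", "sync-01", "siem-01", "cloudapp-01"]
    me = sys.argv[1] if len(sys.argv) > 1 else socket.gethostname()
    results = run_checks_from(me, build_check_plan(handler, brokers, others))
    if not results:
        sys.exit(f"{me} is not a source host in the plan; run this on a cluster machine")
    for (dst, port), ok in sorted(results.items()):
        print(f"{me} -> {dst}:{port} {'OK' if ok else 'BLOCKED'}")
    sys.exit(0 if all(results.values()) else 1)
```

Run it once on the Handler, once on each broker and once on each remaining component, passing that machine's hostname as the argument if it differs from what gethostname() returns.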

Part 2: Clearing the configuration

  1. On the machine in the cluster with the Message Broker Handler (there is only one), delete the contents of the …\Web Security\zookeeper\logDir directory.
  2. On all machines with Event Message Brokers, delete the contents of the …\Web Security\kafka\kafka-logs_# or …/Websense/kafka/kafka-logs_# directory.
  3. If all clusters in the deployment need resetting, perform Part 1, step 4, and Part 2, steps 1 and 2, on every cluster.
  4. Back up the Policy Database (PgSetup --save policy.wsdb).
  5. Delete the MsgService settings from the Policy Database by executing the following query:

     DELETE FROM "WSE_Setting" WHERE "Name" LIKE '/MsgService%'

     For example, open a Windows cmd prompt (as an Administrator), navigate to the \Web Security\bin\postgres\bin directory, then run:

     psql -U postgres -p 6432 -d wspolicy -c "DELETE FROM \"WSE_Setting\" WHERE \"Name\" LIKE '/MsgService%'"

Part 3: Restarting the cluster

  1. Turn on the Message Broker Handler of the cluster and wait about two minutes.
  2. One at a time, turn on all Event Message Brokers in the cluster, waiting about a minute between each startup.
  3. Wait 10 to 15 minutes for the Event Message Brokers to register, settle, and initialize the topic. If any need to be started again, wait at least five minutes before moving to the next step.
  4. Turn on the remaining services one at a time, waiting about a minute between each startup.