ATA Services not starting
- Jan 15, 2018
Please run on the center machine from mongo's bin folder:
Mongo.exe ATA --eval "var collectionNames = db.getCollectionNames(), indexes = [];collectionNames.forEach(function (name) {printjson(name);printjson(db[name].getIndexes());print('-------------------------------------');});" > indexes.txt
And paste the output in the text file here.
Hi,
Thanks for your reply, please see output below:
MongoDB shell version v3.4.2
connecting to: mongodb://127.0.0.1:27017/ATA
MongoDB server version: 3.4.2
"DirectoryServicesActivity" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.DirectoryServicesActivity" } ]
-------------------------------------
"Dns_20171011061153" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.Dns_20171011061153" } ]
-------------------------------------
"GroupMembershipChangeEvent_20171011144300" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.GroupMembershipChangeEvent_20171011144300" } ]
-------------------------------------
"KerberosAp_20171011013137" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.KerberosAp_20171011013137" } ]
-------------------------------------
"KerberosAs_20160722202708" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.KerberosAs_20160722202708" } ]
-------------------------------------
"KerberosTgs_20160722202708" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.KerberosTgs_20160722202708" } ]
-------------------------------------
"LsaRpc_20171011072820" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.LsaRpc_20171011072820" } ]
-------------------------------------
"MonitoringAlert" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.MonitoringAlert" } ]
-------------------------------------
"Notification" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.Notification" } ]
-------------------------------------
"NtlmEvent_20160722202706" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.NtlmEvent_20160722202706" } ]
-------------------------------------
"Ntlm_20160722202710" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.Ntlm_20160722202710" } ]
-------------------------------------
"Samr_20171011052414" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.Samr_20171011052414" } ]
-------------------------------------
"ServiceControl_20171011012750" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.ServiceControl_20171011012750" } ]
-------------------------------------
"SuspiciousActivity" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.SuspiciousActivity" } ]
-------------------------------------
"SuspiciousActivityActivity" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.SuspiciousActivityActivity" } ]
-------------------------------------
"SystemProfile" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.SystemProfile" } ]
-------------------------------------
"Telemetry" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.Telemetry" } ]
-------------------------------------
"UniqueEntity" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.UniqueEntity" } ]
-------------------------------------
"UniqueEntityProfile" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.UniqueEntityProfile" } ]
-------------------------------------
"UserPhoto" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.UserPhoto" } ]
-------------------------------------
"Wmi_20171011061616" [ { "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.Wmi_20171011061616" } ]
-------------------------------------
Thanks
- EliOfek (Microsoft), Jan 15, 2018
Sorry to say but this confirmed you are a victim of a mongo bug that causes a DB wipe...
(Fixed for vNext, as we embed a new version of mongo which should have a fix for it)
Please follow this procedure for Center recovery:
https://docs.microsoft.com/en-us/advanced-threat-analytics/disaster-recovery
Given that you have a backup of the json file as described in the article, you won't have to reinstall the Gateways, and you can be back up and running in a few minutes.
- Martyn MacCabe (Copper Contributor), Apr 04, 2018
Hi,
Looks like I might have the same issue. What specifically in the output did you see that confirmed the bug?
Thanks
Martyn
- EliOfek (Microsoft), Apr 04, 2018
All the collections have an index only for the id field and nothing else. Most collections should have more indexes.
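
The check described in the last reply (every collection carrying only the `_id_` index), as an added example that is not part of the thread or of ATA itself: a Node.js script that parses the `indexes.txt` output of the command above and lists which collections have no index beyond `_id_`. The two sample dumps and the `exampleField_1` index name are constructed for illustration.

```javascript
// Parse the dump written by the mongo --eval command: for each collection, a quoted
// name, the JSON array from getIndexes(), then a line of dashes.
function parseIndexDump(text) {
  const entries = [];
  for (const chunk of text.split(/-{10,}/)) {
    const m = chunk.match(/"([^"]+)"\s*(\[[\s\S]*\])\s*$/);
    if (!m) continue; // shell banner only, or trailing whitespace
    let indexes = null;
    try {
      indexes = JSON.parse(m[2]);
    } catch (e) {
      // Output that is not plain JSON is reported as unparsed for manual review.
    }
    entries.push({ name: m[1], indexes });
  }
  return entries;
}

// Classify collections by whether any index other than the default _id_ exists.
function summarize(entries) {
  const idOnly = [], withSecondary = [], unparsed = [];
  for (const { name, indexes } of entries) {
    if (!Array.isArray(indexes)) unparsed.push(name);
    else if (indexes.every((ix) => ix.name === '_id_')) idOnly.push(name);
    else withSecondary.push(name);
  }
  const allIdOnly = entries.length > 0 && idOnly.length === entries.length;
  return { total: entries.length, idOnly, withSecondary, unparsed, allIdOnly };
}

// Constructed sample input, shaped like the output pasted in the thread.
const SEP = '-------------------------------------';
const idIx = (c) => `{ "v" : 2, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "ATA.${c}" }`;
const WIPED = ['MongoDB shell version v3.4.2',
  '"UniqueEntity"', `[ ${idIx('UniqueEntity')} ]`, SEP,
  '"SuspiciousActivity"', `[ ${idIx('SuspiciousActivity')} ]`, SEP, ''].join('\n');
// exampleField_1 is a hypothetical secondary index, not a real ATA index name.
const INTACT = ['"UniqueEntity"',
  `[ ${idIx('UniqueEntity')}, { "v" : 2, "key" : { "exampleField" : 1 }, ` +
  `"name" : "exampleField_1", "ns" : "ATA.UniqueEntity" } ]`, SEP, ''].join('\n');

for (const [label, dump] of [['wiped', WIPED], ['intact', INTACT]]) {
  const s = summarize(parseIndexDump(dump));
  console.log(label, `${s.idOnly.length}/${s.total} collections have only _id_`,
    s.allIdOnly ? '-> matches the pattern described in the thread' : '-> secondary indexes present');
}
```

To use it on a real dump, read the file with `require('fs').readFileSync('indexes.txt', 'utf8')` and pass the text to `parseIndexDump`.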