Forum Discussion

Martin Kerr's avatar
Martin Kerr
Copper Contributor
Jan 11, 2018
Solved

ATA Services not starting

Hi,   We have had Microsoft ATA v1.7 running for around a year now, but recently the services have stopped and will not start. I also noticed that an optional update has been installed to upgrade...
  • EliOfek's avatar
    EliOfek
    Jan 15, 2018

    Sorry to say but this confirmed you are a victim of a mongo bug that causes a DB wipe...

    (Fixed for vNext, as we embed a new version of mongo which should have a fix for it)

    Please follow this procedure for Center recovery:

    https://docs.microsoft.com/en-us/advanced-threat-analytics/disaster-recovery

     

    Given that you have a backup of the json file as described in the article, you won't have to reinstall the Gateways, and you can be back up an running in a few minutes.

EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Jan 12, 2018

Please run on the center machine from mongo's bin folder:

Mongo.exe ATA --eval "var collectionNames = db.getCollectionNames(), indexes = [];collectionNames.forEach(function (name) {printjson(name);printjson(db[name].getIndexes());print('-------------------------------------');});" > indexes.txt

And paste the output int he text file here.

Martin Kerr's avatar
Martin Kerr
Copper Contributor
Jan 15, 2018

Hi,

 

Thanks for your reply, please see output below:

 

MongoDB shell version v3.4.2
connecting to: mongodb://127.0.0.1:27017/ATA
MongoDB server version: 3.4.2
"DirectoryServicesActivity"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.DirectoryServicesActivity"
	}
]
-------------------------------------
"Dns_20171011061153"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.Dns_20171011061153"
	}
]
-------------------------------------
"GroupMembershipChangeEvent_20171011144300"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.GroupMembershipChangeEvent_20171011144300"
	}
]
-------------------------------------
"KerberosAp_20171011013137"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.KerberosAp_20171011013137"
	}
]
-------------------------------------
"KerberosAs_20160722202708"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.KerberosAs_20160722202708"
	}
]
-------------------------------------
"KerberosTgs_20160722202708"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.KerberosTgs_20160722202708"
	}
]
-------------------------------------
"LsaRpc_20171011072820"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.LsaRpc_20171011072820"
	}
]
-------------------------------------
"MonitoringAlert"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.MonitoringAlert"
	}
]
-------------------------------------
"Notification"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.Notification"
	}
]
-------------------------------------
"NtlmEvent_20160722202706"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.NtlmEvent_20160722202706"
	}
]
-------------------------------------
"Ntlm_20160722202710"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.Ntlm_20160722202710"
	}
]
-------------------------------------
"Samr_20171011052414"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.Samr_20171011052414"
	}
]
-------------------------------------
"ServiceControl_20171011012750"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.ServiceControl_20171011012750"
	}
]
-------------------------------------
"SuspiciousActivity"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.SuspiciousActivity"
	}
]
-------------------------------------
"SuspiciousActivityActivity"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.SuspiciousActivityActivity"
	}
]
-------------------------------------
"SystemProfile"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.SystemProfile"
	}
]
-------------------------------------
"Telemetry"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.Telemetry"
	}
]
-------------------------------------
"UniqueEntity"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.UniqueEntity"
	}
]
-------------------------------------
"UniqueEntityProfile"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.UniqueEntityProfile"
	}
]
-------------------------------------
"UserPhoto"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.UserPhoto"
	}
]
-------------------------------------
"Wmi_20171011061616"
[
	{
		"v" : 2,
		"key" : {
			"_id" : 1
		},
		"name" : "_id_",
		"ns" : "ATA.Wmi_20171011061616"
	}
]
-------------------------------------

Thanks

  • EliOfek's avatar
    EliOfek
    Icon for Microsoft rankMicrosoft
    Jan 15, 2018

    Sorry to say but this confirmed you are a victim of a mongo bug that causes a DB wipe...

    (Fixed for vNext, as we embed a new version of mongo which should have a fix for it)

    Please follow this procedure for Center recovery:

    https://docs.microsoft.com/en-us/advanced-threat-analytics/disaster-recovery

     

    Given that you have a backup of the json file as described in the article, you won't have to reinstall the Gateways, and you can be back up an running in a few minutes.

    • Martyn MacCabe's avatar
      Martyn MacCabe
      Copper Contributor
      Apr 04, 2018

      Hi,

       

      Looks like I might have the same issue.  What specifically in the output did you see that confirmed the bug?

       

      Thanks

      Martyn

      • EliOfek's avatar
        EliOfek
        Icon for Microsoft rankMicrosoft
        Apr 04, 2018

        All the collections have an index only for the id field and nothing else. most collections should have more indexes.