000031347 - Script to assist with Troubleshoot Query Performance Issues in RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000031347
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics UI
RSA Version/Condition: 10.5
Platform: CentOS
IssueThe following script can be used to troubleshoot slow performance issues. It will record the following information at regular 5 minute intervals:
  • The processes running on the system
  • The network connections on the system
  • What queries are running on the system
  • The disk statistics so you can see if disk i/o is the reason for slow queries
1. Copy the attached script to a location of your choice eg /root or a concentrator or broker
2. Make sure the script has executable permissions
3. The script can be run with ./stats.sh
4. It will output the results into a file called /tmp/stats.log
5. Add the following entry in /etc/crontab for the script to run every 5 minutes. Then run service crond restart to restart the cron daemon.

*/5 * * * * root /root/stats.sh

6. Add the following text to a file in /etc/logrotate.d/stats to ensure that the logs do not fill up the system

/tmp/stats.log {
  minsize 1M
  rotate 3
NotesThe script contains the following lines:
date >>/tmp/stats.log
ls -l /dev/mapper >> /tmp/stats.log
iostat -m -x -d -N >>/tmp/stats.log
top -b -H -n 1 >>/tmp/stats.log
netstat -anp >>/tmp/stats.log
NwConsole -c login localhost:50005 admin netwitness -c cd sdk -c ls depth=10>>/tmp/stats.log

The script should be copied to a concentrator or broker. For a broker, the port on the last line will need to be changed to 50003 or the relevant port on your broker.
If on examining the output of the script you see the following "invalid username or password message" then make sure that you replace admin netwitness in the above script, with an account that is able to login to the concentrator or broker service. If your password contains special characters, then surround it with " "
RSA Security Analytics Console
Copyright 2001-2016, RSA Security Inc.  All Rights Reserved.
>login localhost:50005 admin netwitness
Invalid username or password
>cd sdk
Unknown console command (Use ? for commands)
>ls depth=10
Unknown console command (Use ? for commands)
(F) 2016-Sep-29 14:29:00 [ChannelManager::messageHandler]  Socket Error: Operation canceled