000031910 - How to change the core dump file location for RSA Security Analytics appliances

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031910
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Hybrid, Broker, All-in-One, Security Analytics Server
Platform: CentOS
O/S Version: EL5, EL6
IssueBy default, Security Analytics core appliances are configured to dump core files to the /var/netwitness/<appliance_type> directory.  At times, this may cause an issue with disk space and could potentially affect a core service from running.  
The core file location may be altered, noting that core files that are too large to dump to the designated area will truncate. 
ResolutionCore dumps by default write to a core appliance's default working directory.  That directory is defined in the configuration file located in the /etc/init directory and defined as <nwapplianceType>.conf.  
This example explains how to change the core dump directory for a Log Decoder, noting the .conf file name in /etc/init.d and the location of the chdir statement will change according to the appliance type with which you are working.  Also ensure the directory you select for the core dump contains enough space to accommodate a core dump of several gigabytes in size.  Never specify the root ( / ) directory as the location.
  1. Backup the existing logdecoder.conf file.
    cd /etc/init.d
    cp logdecoder.conf logdecoder.conf.bak<date>

  2. Edit the log decoder configuration file using vi.
    vi logdecoder.conf

  3. Locate this statement:
    chdir /var/netwitness/logdecoder/metadb

  4. Change the path here to a new directory. (This example uses /var/tmp)
    chdir /var/tmp

  5. In order for the new parameter to take effect, the Log Decoder process must be restarted.
    restart nwlogdecoder

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.