Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Broker, Hybrid, All-in-One
RSA Version/Condition: 10.3.x, 10.4.x
Issue
When a core appliance process (e.g. nwdecoder or nwconcentrator) crashes, a core dump file is generated containing the process's memory at the time of termination.
It is important to identify when these files are present, as they generally take up a large amount of disk space, which can cause issues with the functionality of the appliance.
Core dump files can also be useful in performing a root cause analysis to determine what caused the process to crash.
Resolution
Attached to this article is a core file detection script named nwcorecount.sh, which is intended to be used as an hourly or daily cron job on Security Analytics core appliances.
When executed, the script will scan the /var/netwitness subdirectories in order to locate any core dump files that are present.
If such files are found, an entry will be logged in the /var/log/messages file stating how many files were found and directing the user to the /var/log/nwcorecount.log file where additional information is located.
Below is sample output from a Packet Decoder appliance on which the script was executed.
[root@PDecoder ~]# ./nwcorecount.sh
To use the script, transfer it as the root user to either the /etc/cron.hourly or /etc/cron.daily directory on a core appliance, then, from the directory in which the script was placed, issue the command chmod +x nwcorecount.sh to mark it as executable.
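The behaviour described above (scan /var/netwitness, write a count to syslog, write details to /var/log/nwcorecount.log) can be sketched as follows. This is an added example, not the attached nwcorecount.sh: the function names, the `core` / `core.*` naming pattern, the ELF header check (little-endian host) and the use of `logger` to reach /var/log/messages are assumptions.

```shell
#!/bin/sh
# Added example, NOT the RSA nwcorecount.sh. The two paths come from the
# article; everything else here is an assumption made for illustration.
NW_ROOT="${NW_ROOT:-/var/netwitness}"
DETAIL_LOG="${DETAIL_LOG:-/var/log/nwcorecount.log}"

# Return 0 if $1 starts with the ELF magic and its e_type field is
# ET_CORE (4). Assumes little-endian, so header bytes 16-17 are "04 00".
is_elf_core() {
    hdr=$(od -An -tx1 -N18 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c46????????????????????????0400) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan directory $1 for files named core or core.*, append one detail line
# per genuine core dump to log file $2, and print the number found.
scan_cores() {
    count=0
    list=$(mktemp)
    find "$1" -type f \( -name core -o -name 'core.*' \) 2>/dev/null > "$list"
    # Read from a file, not a pipe, so $count survives the loop.
    while IFS= read -r f; do
        is_elf_core "$f" || continue      # skip look-alike file names
        count=$((count + 1))
        printf '%s %s bytes %s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$(wc -c < "$f" | tr -d ' ')" "$f" >> "$2"
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# Cron entry point: does nothing on hosts without the appliance directory.
if [ -d "$NW_ROOT" ]; then
    n=$(scan_cores "$NW_ROOT" "$DETAIL_LOG")
    if [ "$n" -gt 0 ]; then
        # Assumes syslog routes this message to /var/log/messages.
        logger -t nwcorecount "$n core dump file(s) found under $NW_ROOT; see $DETAIL_LOG"
    fi
fi
```

Checking the ELF header rather than the file name alone keeps ordinary files that happen to be called core.* out of the count.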