000014041 - The Reporting Engine has stopped working in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000014041
Applies To: RSA Security Analytics
Issue: The Reporting Engine has stopped working in RSA Security Analytics.
df -h /home/rsasoc/ shows 100% utilized.
Error in Logs: /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log_index/_0.tis (No space left on device).
Cause: If you are using large reports, the "resultstore" and "formattedReports" directories (/home/rsasoc/rsa/soc/reporting-engine) may fill up, causing the RE to stop. If the reports are too large, then 100 days of results may not fit into the allocated disk space for RE (roughly 100G is the limit for Reporting Engine).
Resolution

The best long-term strategy is to mount an external SAN/NAS and move the Reporting home directory to the mount. The directories that tend to fill up disk space are resultstore and formattedReports. It is recommended to move only these two directories to the SAN/NAS and replace their original locations with softlinks pointing to their new locations. Leave the remaining directories on the local disk, since they require reliable, high I/O performance.

You can also control the number of days the results are stored in the RE database. In the Reporting Engine configuration page (RE>view>config) you should see the setting labelled "Retain history for #days". Files are deleted from the resultstore and formatted results directories based on this value.


 


How to add Additional Space


Perform the following steps to move the Reporting Engine's disk space to external storage, assuming that the Reporting Engine home directory is located at /home/rsasoc/rsa/soc/reporting-engine/ and the external storage is mounted under /externalStorage/.


 


1. Stop Reporting Engine service as a root user.

stop rsasoc_re

2. Switch to rsasoc user.

su rsasoc

3. Change to RE home directory.

cd /home/rsasoc/rsa/soc/reporting-engine/

4. Move the resultstore directory to a mounted external storage. Type the following command and press ENTER:

mv resultstore /externalStorage

5. Move the formattedReports directory to a mounted external storage. Type the following command and press ENTER:

mv formattedReports /externalStorage

6. Create a softlink for resultstore. Type the following command and press ENTER:

ln -s /externalStorage/resultstore /home/rsasoc/rsa/soc/reporting-engine/resultstore

7. Create a softlink for formattedReports. Type the following command and press ENTER:

ln -s /externalStorage/formattedReports /home/rsasoc/rsa/soc/reporting-engine/formattedReports

8. Exit the rsasoc user.

exit

9. Start Reporting Engine service as a root user.

start rsasoc_re
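
Steps 4 to 7 can be scripted with pre-checks so that a missing mount, a pre-existing target or insufficient space stops the move before any data is touched. The script below is an added example, not RSA tooling; the function names are hypothetical, and it assumes it is run as rsasoc with the Reporting Engine already stopped.

```shell
#!/bin/sh
# Added example, not RSA tooling. Function names are hypothetical.
# Run as the rsasoc user with the Reporting Engine stopped (steps 1-3).

# fs_field DIR N: print column N of the POSIX df line for DIR's filesystem
# (1 = device, 4 = free space in KB).
fs_field() { df -Pk "$1" | awk -v n="$2" 'NR==2 {print $n}'; }

# relocate_dir RE_HOME EXT NAME: move RE_HOME/NAME to EXT/NAME, leave a symlink.
relocate_dir() {
    src="$1/$3"; ext="$2"; dst="$2/$3"
    if [ -L "$src" ]; then
        # Already a symlink: accept only if it points where we expect.
        [ "$(readlink "$src")" = "$dst" ] && return 0
        echo "$src links to an unexpected target" >&2; return 1
    fi
    [ -d "$src" ] || { echo "$src is not a directory" >&2; return 1; }
    { [ -d "$ext" ] && [ -w "$ext" ]; } || { echo "$ext is not writable" >&2; return 1; }
    if [ -e "$dst" ] || [ -L "$dst" ]; then
        echo "$dst already exists, refusing to overwrite" >&2; return 1
    fi
    # Same device means nothing was mounted: the move would free no space.
    [ "$(fs_field "$src" 1)" != "$(fs_field "$ext" 1)" ] ||
        echo "warning: $ext is on the same filesystem as $src" >&2
    need=$(du -sk "$src" | awk '{print $1}')
    free=$(fs_field "$ext" 4)
    [ "$free" -gt "$need" ] || { echo "$ext: ${free}K free, ${need}K needed" >&2; return 1; }
    mv "$src" "$dst" || return 1
    ln -s "$dst" "$src"
}

# relocate_reports RE_HOME EXT: steps 4-7 for both directories.
relocate_reports() {
    relocate_dir "$1" "$2" resultstore && relocate_dir "$1" "$2" formattedReports
}

# Usage with the paths from this article:
#   relocate_reports /home/rsasoc/rsa/soc/reporting-engine /externalStorage
```

Running it a second time is a no-op as long as both softlinks still point at the expected targets.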

Notes: In 10.3.0 there is a known issue which causes the /home/rsasoc/rsa/soc/reporting-engine/archives directory to fill up and not roll over. This has been identified as a bug in the archive script and is resolved in 10.3 SP1 and later. The archives directory is used to hold periodic backups (taken every 8 hours) of the RE database.
Legacy Article ID: a64987
