000030086 - The /var/log partition becomes full on an RSA Security Analytics Log Collector due to rabbitmq log files not rotating

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000030086
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition:
Platform: CentOS
O/S Version: 6
Issue: The /var/log partition is getting full due to RabbitMQ log files not rotating.
To confirm that this is the problem, issue the command below.
ls -lash /var/log/rabbitmq
/var/log/rabbitmq/sa@localhost.log-20150329: 15G
/var/log/rabbitmq/sa@localhost.log-20150315.gz: 768M
/var/log/rabbitmq/sa@localhost.log-20150329.gz: 960M
/var/log/rabbitmq/sa@localhost.log-20150322.gz: 1.6G

Cause: The issue occurs because the /etc/logrotate.d/nw-rabbitmq.logrotate file is configured to rotate a file whose path changed from version 10.3.x to 10.4.x.
Resolution: To resolve the issue, follow the steps below.
  1. Connect to the appliance via SSH as the root user.
  2. Issue the following command to edit the logrotate file:  vi /etc/logrotate.d/nw-rabbitmq.logrotate
  3. Find the line /var/netwitness/logcollector/rabbitmq/log/*.log { and replace it with /var/log/rabbitmq/*.log {
  4. Save and exit the file.
  5. Delete the large files.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
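
Steps 2 to 4 can also be applied non-interactively. The script below is an added example, not RSA-supplied code: the function names, the default backup location (/root) and the directives in the sample stanza are assumptions, and only the two paths come from this article.

```shell
#!/bin/sh
# Added example (not RSA code): scripted form of steps 2-4 of this article.
OLD_GLOB='/var/netwitness/logcollector/rabbitmq/log/*.log'  # stale path, from the article
NEW_GLOB='/var/log/rabbitmq/*.log'                          # corrected path, from the article

# fix_rabbitmq_logrotate CONF [BACKUP_DIR]   (hypothetical helper name)
# Returns 0 = file corrected, 1 = already correct, 2 = error, nothing edited.
# Usage on the appliance, as root:
#   fix_rabbitmq_logrotate /etc/logrotate.d/nw-rabbitmq.logrotate
fix_rabbitmq_logrotate() {
    conf=$1
    backup_dir=${2:-/root}   # assumption: keep the copy outside logrotate.d so
                             # logrotate does not also parse the backup
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }

    # -F matches fixed strings, so '*' and '.' in the glob are taken literally.
    if ! grep -qF "$OLD_GLOB" "$conf"; then
        grep -qF "$NEW_GLOB" "$conf" && return 1
        echo "neither path found in $conf; not editing" >&2
        return 2
    fi

    cp -p "$conf" "$backup_dir/$(basename "$conf").orig" || return 2
    tmp=$(mktemp) || return 2
    # Same two paths as OLD_GLOB/NEW_GLOB, with regex characters escaped.
    # Writing back with cat keeps the original owner, mode and SELinux label.
    sed 's|/var/netwitness/logcollector/rabbitmq/log/\*\.log|/var/log/rabbitmq/*.log|' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2

    # Confirm the edit before reporting success.
    grep -qF "$NEW_GLOB" "$conf" && ! grep -qF "$OLD_GLOB" "$conf" || return 2
    return 0
}

# write_sample_conf FILE: constructed stanza for trying the function off-box.
# The directives are illustrative, not the appliance's real file contents.
write_sample_conf() {
    cat > "$1" <<'EOF'
/var/netwitness/logcollector/rabbitmq/log/*.log {
    weekly
    missingok
    rotate 4
    compress
}
EOF
}
```

After the edit, `logrotate -d /etc/logrotate.d/nw-rabbitmq.logrotate` performs a dry run that shows which files the corrected stanza matches without rotating anything.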