000029264 - The /var partition reaches 100% capacity due to the MegaSAS.log file in RSA Security Analytics 10.4 prior to 10.4.0.2

Document created by RSA Customer Support Employee on Jun 15, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029264
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Packet Hybrid, Log Hybrid
RSA Version/Condition: 10.4.0.0, 10.4.0.1
Platform: CentOS
O/S Version: 6
IssueThe MegaSAS.log file on the appliance causes the /var partition to reach 100% capacity.
This causes the appliance to go down and prevents SSH connections.
CauseThis issue occurs because the nwraidutil.py script log, located at /var/lib/collectd/MegaSAS.log, is writing such a vast amount of data that it is filling the /var partition to capacity.
ResolutionThis issue has been permanently fixed in Security Analytics version 10.4.0.2.
Workaround

In order to resolve the issue until the permanent fix can be applied, you must edit the /usr/lib/collectd/python/nwraidutil.py script on lines 67, 68 69 and 70 to add "-nolog" to the lines, as shown below.


Original lines of the script:


67 pdlistOut = nwutils.runCmd(self.raidUtil,"-pdlist -aall")
68 ldlistOut = nwutils.runCmd(self.raidUtil,"-LDInfo -Lall -aall")
69 ldpdinfoOut = nwutils.runCmd(self.raidUtil,"-ldpdinfo -aall")
70 adapinfoOut = nwutils.runCmd(self.raidUtil,"-adpallinfo -aall")

The same lines after being modified:


67 pdlistOut = nwutils.runCmd(self.raidUtil,"-pdlist -aall -nolog")
68 ldlistOut = nwutils.runCmd(self.raidUtil,"-LDInfo -Lall -aall -nolog")
69 ldpdinfoOut = nwutils.runCmd(self.raidUtil,"-ldpdinfo -aall -nolog")
70 adapinfoOut = nwutils.runCmd(self.raidUtil,"-adpallinfo -aall -nolog")

After modifying and saving the script file, the large log file (/var/lib/MegaSAS.log) should be deleted.

If you prefer not to use an editor or an editor is not available, this short sed recipe can be used to modify the relevant lines. If you are unfamiliar with the sed tool, please use the editor-based approach.


'/nolog/b;s/\(self.raidUtil,".*\)"/\1 -nolog"/g'

After making the changes, restart the collectd service with the following command:  service collectd restart
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

    Outcomes