Hosts GS:

Document created by RSA Information Design and Development on Jul 27, 2016
Version 1

This section contains the Security Analytics 10.5.1 pre-update, update, and post-update log messages with a description of each message and instructions on how to respond to these messages.

System Management Service (SMS)

SMS logs are posted to /var/log/install/sms_install.log on the SA host.

Java Version

                             
Message

timestamp host: SMS_PostInstall: WARN: Java Keystore file /opt/rsa/carlos/keystore is missing

Cause

The Java keystore is missing.

Required Action

Make sure that Java v1.8 is installed on the host.

Message

timestamp host: SMS_PostInstall: INFO: Installed Java version is : java version "1.7.0_71"

timestamp host: WARN: Java version is old and not compatible with the current SMS server.

Cause

The Java version that is installed on the host is not compatible with Security Analytics 10.5.1.

Required Action

Make sure that Java v1.8 is installed on the host.

Disk Space

                 
Messages

timestamp host: SMS_PostInstall: INFO: Free disk space on /opt is nGB

timestamp host: SMS_PostInstall: WARN: Disk space check failed on /opt. The available disk space nGB is less than the recommended minimum disk space of 10GB.

Cause

Low or insufficient disk space allocated for the SMS service.

Required Action

RSA recommends that you provide a minimum of 10 GB of disk space for the SMS service to run optimally.

Services

                 
Message

timestamp host: INFO RabbitMQ server is not installed.

Cause

The required RabbitMQ service is not installed.

Required Action

Install and restart the RabbitMQ service using the following commands:

yum install rabbitmq-server

service rabbitmq-server restart

 

                 
Message

timestamp host: INFO RabbitMQ Server is not running.

Cause

The required RabbitMQ service is not running.

Required Action

Restart the RabbitMQ service using the following command:

service rabbitmq-server restart

 

                 
Message

timestamp host: INFO TokuMX Server is not running.

Cause

The required TokuMX service is not running.

Required Action

Restart the TokuMX service using the following command:

service tokumx-server restart

 

                 
Message

timestamp host: SMS_PostInstall: INFO: Puppet Server is not running.

Cause

The required Puppet service is not running.

Required Action

Restart the Puppet service using the following command:

service puppet-server restart

Log Collector Service (nwlogcollector)

Log Collector logs are posted to /var/log/install/nwlogcollector_install.log on the host running the nwlogcollector service.

Lock Box Verification Logs

                 
Message

timestamp.NwLogCollector_PostInstall: Lockbox Status : Failed to open lockbox: The lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the lockbox using the passphrase.

Cause

The Log Collector Lockbox failed to open after the update.

Required Action

Log in to Security Analytics and reset the system fingerprint by resetting the stable system value password for the Lockbox as described in the Reset the Stable System Value topic under the Configure Lockbox Security Settings topic.

 

                 
Message

NwLogCollector_PostInstall: Lockbox Status : Failed to open lockbox: Lockbox tampering was detected, so it cannot be read.

Cause

The Log Collector Lockbox was compromised.

Required Action

Log in to Security Analytics and reconfigure the Lockbox as described in the Configure Lockbox Security Settings topic.

 

                 
Message

timestamp NwLogCollector_PostInstall: Lockbox Status : Not Found

Cause

The Log Collector Lockbox is not configured after the update.

Required Action

(Conditional) If you use a Log Collector Lockbox, log in to Security Analytics and configure the Lockbox as described in the Configure Lockbox Security Settings topic.

 

                 
Message

timestamp: NwLogCollector_PostInstall: Lockbox Status : Lockbox maintenance required: The lockbox stable value threshold requires resetting. To reset the system fingerprint, select Reset Stable System Value on the settings page of the Log Collector.

Cause

You need to reset the stable value threshold field for the Log Collector Lockbox.

Required Action

Log in to Security Analytics and reset the stable system value password for the Lockbox as described in the Reset the Stable System Value topic under the Configure Lockbox Security Settings topic.

Event Stream Analysis (ESA)

Pre-Update Check

Pre-update check ESA logs are posted to /var/log/esa-rpm-pre-upgrade.log on the host running the ESA service.

                 
Message

Pre_upgrade_alert_count=number-of-alerts

Cause

Tells you the number of ESA alerts that exist on the host when you initiate the update.

Required Action

None (Informational)

Message

Pre_upgrade_rule_count=number-of-rules

Cause

Tells you the number of ESA rules that exist on the host when you initiate the update.

Required Action

None (Informational)

Message

Pre_upgrade_enrichment_connection_count=number-of-enrichment-sources

Cause

Tells you the number of ESA enrichment sources that exist on the host when you initiate the update.

Required Action

None (Informational)

Post-Update Check

Post-update check ESA logs are posted to /var/log/esa-rpm-post-upgrade.log on the host running the ESA service.

                 
Message

Post_upgrade_alert_count=number-of-alerts

Cause

Tells you the number of ESA alerts that exist on the host after the host is updated.

Required Action

None (Informational)

Message

Post_upgrade_rule_count=number-of-rules

Cause

Tells you the number of ESA rules that exist on the host after the host is updated.

Required Action

None (Informational)

Message

Post_upgrade_enrichment_connection_count=number-of-enrichment-sources

Cause

Tells you the number of ESA enrichment sources that exist on the host after the host is updated.

Required Action

None (Informational)
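
The pre-update and post-update counters are informational, but they are most useful when read side by side. The following script is an added example, not part of the RSA documentation: it reads the two log files named above and reports, per counter, whether the post-update value is lower than the pre-update value. The function names, the script name, the assumption that each counter appears as key=integer on a line, and the choice to flag a lower post-update count for review are all assumptions.

```bash
#!/usr/bin/env bash
# Added example (not RSA code): compare ESA counters logged before and after
# an update. Assumes each counter appears as key=<integer> somewhere on a line.

# Print the last value logged for a counter, or nothing if it is absent.
esa_count() {  # usage: esa_count <key> <logfile>
  grep -oiE "$1=[0-9]+" "$2" 2>/dev/null | tail -n 1 | cut -d= -f2
}

# Compare the three counters this page documents.
# Returns 0 if none dropped, 1 if any dropped, 2 if any counter is missing.
esa_compare() {  # usage: esa_compare <pre-log> <post-log>
  local rc=0 name pre post
  for name in alert rule enrichment_connection; do
    pre=$(esa_count "Pre_upgrade_${name}_count" "$1")
    post=$(esa_count "Post_upgrade_${name}_count" "$2")
    if [ -z "$pre" ] || [ -z "$post" ]; then
      echo "MISSING ${name}: pre='${pre}' post='${post}'"
      rc=2
    elif [ "$post" -lt "$pre" ]; then
      echo "DROP    ${name}: ${pre} -> ${post}"
      if [ "$rc" -eq 0 ]; then rc=1; fi
    else
      echo "OK      ${name}: ${pre} -> ${post}"
    fi
  done
  return "$rc"
}

# Constructed sample logs (not real ESA output), used when no paths are given.
esa_demo() {
  local d rc=0
  d=$(mktemp -d)
  printf '%s\n' 'Pre_upgrade_alert_count=120' 'Pre_upgrade_rule_count=45' \
    'Pre_upgrade_enrichment_connection_count=3' > "$d/pre.log"
  printf '%s\n' 'Post_upgrade_alert_count=120' 'Post_upgrade_rule_count=44' \
    'Post_upgrade_enrichment_connection_count=3' > "$d/post.log"
  esa_compare "$d/pre.log" "$d/post.log" || rc=$?
  rm -rf "$d"
  return "$rc"
}

# On an ESA host (esa_counts.sh is a hypothetical name for this script):
#   ./esa_counts.sh /var/log/esa-rpm-pre-upgrade.log /var/log/esa-rpm-post-upgrade.log
if [ "$#" -eq 2 ]; then
  esa_compare "$1" "$2"
else
  esa_demo || echo "demo exit status: $?"
fi
```

A MISSING result means a counter was not found in one of the logs, which usually points at the wrong log file or an update step that did not run its check.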

Reporting Engine Service

Update Check

Reporting Engine update logs are posted to the /var/log/re_install.log file on the host running the Reporting Engine service.

                 
Message

timestamp: Available free space in /home/rsasoc/rsa/soc/reporting-engine [ existing-GB ] is less than the required space [ required-GB ]

Cause

Update of the Reporting Engine failed because you do not have enough disk space.

Required Action

Free up the disk space to accommodate the required space shown in the log message. See Add Additional Space for Large Reports for instructions on how to free up disk space.
