This topic lists some Security Analytics log files, as well as descriptions of other files that are useful when debugging various issues in Security Analytics.
Security Analytics Log Files
The following files contain Security Analytics log information.
| Component | Path |
|---|---|
| Security Analytics | /var/lib/netwitness/uax/logs/ and audit/audit.log |
Files of Interest
The following files are used in key Security Analytics components, and can be useful when trying to track down miscellaneous issues.
| Component | Path | Description |
|---|---|---|
| puppet | /etc/puppet/puppet.conf | Puppet configuration file. It drives the behavior of both the Puppet Agent (all nodes) and the Puppet Master (SA node only). Upgrade scripts modify this file when the system is upgraded, and the installer writes it for new installs. |
| puppet | /etc/sysconfig/puppet | Service configuration file for the Puppet agent. |
| puppet | /var/lib/puppet/ssl | Where Puppet stores keys and certificates (among other PKI artifacts). Caution: tread very carefully in this directory; destroying artifacts here can cause Puppet to stop functioning. |
| puppet | /var/lib/puppet/node_id | Persistent store for the SA node ID. Do not delete or modify this file, or you may break your Puppet installation. |
| puppet | /etc/puppet/scripts | Common scripts that ship with Security Analytics to simplify its use of Puppet. Typically you do not need them, except in some very arcane troubleshooting scenarios. |
| puppet | /var/lib/puppet | Runtime Puppet artifacts. Most of the time you do not need to inspect this directory, apart from the ssl and node_id entries above. |
| rabbit | /etc/rabbitmq/rabbitmq.config | RabbitMQ configuration file. It partially drives the behavior of RabbitMQ, particularly the network/SSL settings. Puppet downloads and synchronizes this file. |
| rabbit | /etc/rabbitmq/rabbitmq-env.conf | RabbitMQ environment configuration file. It specifies the RabbitMQ node name and the location of the enabled-plugins file. |
| rabbit | /etc/rabbitmq/rsa_enabled_plugins | List of enabled RabbitMQ plugins. The RabbitMQ server manages this file through the rabbitmq-plugins command. It takes the place of /etc/rabbitmq/enabled_plugins in order to work around issues with upgrading the Log Collector from 10.3. |
| rabbit | /etc/rabbitmq/ssl/server/key.pem | The RabbitMQ private key, a PEM-encoded RSA private key. This file is a symbolic link to the Puppet node ID private key. |
| rabbit | /etc/rabbitmq/ssl/server/cert.pem | The RabbitMQ server certificate, a PEM-encoded X.509 certificate. This file is a symbolic link to the Puppet node ID certificate. |
| rabbit | /etc/rabbitmq/ssl/truststore.pem | The RabbitMQ trust store: a sequence of PEM-encoded X.509 certificates representing trusted CAs. Any client that connects to RabbitMQ and presents a certificate signed by a CA in this list is treated as a trusted client. |
| rabbit | /var/log/rabbitmq/mnesia/sa@localhost | The RabbitMQ Mnesia directory. Mnesia is the Erlang/OTP database for storing Erlang objects persistently; RabbitMQ uses it to store information such as the current set of policies, persistent exchanges and queues, and so forth. See the note on the message stores below the table. |
| mcollective | /etc/mcollective/client.cfg | MCollective client configuration file. Generally only applicable to the SA node. |
| mcollective | /etc/mcollective/server.cfg | MCollective server configuration file. Applies to all nodes, including the SA server node. |
| mcollective | /etc/mcollective/ssl/mcollective_server_public.pem | MCollective server public key. Generated on the SA Server and distributed via Puppet. |
| mcollective | /etc/mcollective/ssl/mcollective_server_private.pem | MCollective server private key. Generated on the SA Server and distributed via Puppet. |
| mcollective | /etc/mcollective/ssl/mcollective_client_private.pem | MCollective client private key. Resident only on the SA Server. |
| mcollective | /etc/mcollective/clients/mcollective_client_public.pem | MCollective client public key. Generated on the SA Server and distributed via Puppet. |

Note on the RabbitMQ Mnesia directory: the msg_store_persistent and msg_store_transient subdirectories are where RabbitMQ stores messages that have been spooled to disk, for example messages published as persistent messages, or messages that have been paged out to disk because of memory limits. Keep a close eye on this directory if the disk or memory alarms have tripped in RabbitMQ.

Caution: Do not delete these files manually. Use the RabbitMQ tools to purge or delete queues. Modifying these files by hand may render your RabbitMQ instance inoperable.
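The rows above describe relationships a troubleshooter will want to confirm rather than assume: the RabbitMQ key.pem and cert.pem should be symlinks into the Puppet SSL directory, the private key should actually belong to the certificate, the certificate should chain to a CA in truststore.pem, and the private keys (the RabbitMQ/Puppet node key as well as the MCollective server and client private keys) should not be readable by other users. The script below is an added example, not part of Security Analytics or its Puppet modules; it assumes only the openssl command-line tool, readlink -f and GNU or BSD stat. Paths are passed as arguments so it can be pointed at the real locations (/etc/rabbitmq/ssl, /var/lib/puppet/ssl, /etc/mcollective/ssl) or at the constructed fixture that make_fixture builds from a throw-away CA for offline testing.

```shell
#!/bin/sh
# Added example: sanity-check the TLS material that RabbitMQ and MCollective rely on.

# A private key that is group- or world-readable is a finding; returns 1 if so.
# Follows symlinks so the check lands on the real file (e.g. the Puppet node key).
check_private_key_mode() {
  target=$(readlink -f "$1") || return 1
  mode=$(stat -c %a "$target" 2>/dev/null || stat -f %Lp "$target" 2>/dev/null) || return 1
  case "$mode" in
    ?00) return 0 ;;
    *) echo "$target: mode $mode allows group/other access" >&2; return 1 ;;
  esac
}

# Verify the RabbitMQ server layout described in the table:
#   $1 = RabbitMQ ssl directory      (on SA: /etc/rabbitmq/ssl)
#   $2 = directory the key/cert symlinks must resolve into (on SA: /var/lib/puppet/ssl)
check_rabbit_tls() {
  ssl="$1"; puppet_ssl=$(readlink -f "$2") || return 1
  key="$ssl/server/key.pem"; cert="$ssl/server/cert.pem"; ts="$ssl/truststore.pem"
  for f in "$key" "$cert" "$ts"; do
    [ -r "$f" ] || { echo "$f: missing or unreadable" >&2; return 1; }
  done
  # key.pem and cert.pem are meant to be symlinks to the Puppet node ID key/cert
  for f in "$key" "$cert"; do
    [ -L "$f" ] || { echo "$f: not a symlink" >&2; return 1; }
    case "$(readlink -f "$f")" in
      "$puppet_ssl"/*) ;;
      *) echo "$f: does not resolve into $puppet_ssl" >&2; return 1 ;;
    esac
  done
  # the private key must belong to the certificate: compare the SPKI public keys
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "$key: unreadable private key" >&2; return 1; }
  cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || { echo "$cert: unreadable certificate" >&2; return 1; }
  [ "$kpub" = "$cpub" ] || { echo "key.pem does not match cert.pem" >&2; return 1; }
  # the server certificate must chain to a CA listed in the trust store
  openssl verify -CAfile "$ts" "$cert" >/dev/null 2>&1 \
    || { echo "cert.pem is not signed by a CA in truststore.pem" >&2; return 1; }
  check_private_key_mode "$key"
}

# Constructed fixture for trying the checks offline (hypothetical paths under $1,
# nothing under /etc is touched): a throw-away CA, a node key and CA-signed node
# certificate standing in for the Puppet node ID artifacts, and the symlink layout.
make_fixture() {
  root="$1"
  mkdir -p "$root/puppet/ssl" "$root/rabbit/ssl/server" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$root/ca.key" -out "$root/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sa-node" \
    -keyout "$root/puppet/ssl/node.key" -out "$root/node.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$root/node.csr" -CA "$root/ca.pem" -CAkey "$root/ca.key" \
    -CAcreateserial -out "$root/puppet/ssl/node.pem" >/dev/null 2>&1 || return 1
  chmod 600 "$root/puppet/ssl/node.key" || return 1
  ln -s "$root/puppet/ssl/node.key" "$root/rabbit/ssl/server/key.pem" || return 1
  ln -s "$root/puppet/ssl/node.pem" "$root/rabbit/ssl/server/cert.pem" || return 1
  cp "$root/ca.pem" "$root/rabbit/ssl/truststore.pem" || return 1
}

# On a real SA host the checks would be invoked as:
#   check_rabbit_tls /etc/rabbitmq/ssl /var/lib/puppet/ssl
#   check_private_key_mode /etc/mcollective/ssl/mcollective_server_private.pem
#   check_private_key_mode /etc/mcollective/ssl/mcollective_client_private.pem
```

Each function returns 0 only when every condition holds and prints the first failing condition to stderr, so the checks can be dropped into a health script. The public-key comparison uses the SPKI form that both openssl pkey -pubout and openssl x509 -pubkey emit, which is more robust than comparing RSA moduli and also works for non-RSA keys. Note that the MCollective server private key is distributed to every node by Puppet, so its permissions matter on every host, while the client private key exists only on the SA Server.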