000033977 - How to Remove Old Data from a Warehouse in RSA Security Analytics 10.x

Document created by RSA Customer Support Employee on Sep 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000033977

Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.X
Platform: CentOS

Issue
If your warehouse becomes full, many notifications will be generated, such as:
  • Notifications that a warehouse connector stream has stopped processing.
  • Notifications that the warehouse is full or becoming full.
These can adversely affect performance, so it is important to manage space on the warehouse so that it does not fill up completely.

Resolution
To remove old files from the warehouse, create a script on a warehouse connector that runs hourly as a cron job.
In the example below, the mount point of the NFS share on the warehouse is /mnt/saw/lonsaw.
Your mount point will be different but will contain the rsasoc/v1/... directory structure.

The contents of the script are as follows:
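#!/bin/bash
# Delete regular files older than 365 days from the logs and sessions data.
find /mnt/saw/lonsaw/rsasoc/v1/logs/data* -type f -mtime +365 -exec rm {} \;
find /mnt/saw/lonsaw/rsasoc/v1/sessions/data* -type f -mtime +365 -exec rm {} \;
# Remove any directories left empty by the deletions above.
find /mnt/saw/lonsaw/rsasoc/v1/logs/data -type d -empty -delete
find /mnt/saw/lonsaw/rsasoc/v1/sessions/data -type d -empty -delete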

  1. Create a file with the contents of the script as above (for example, /root/saw-cleanup.sh).
  2. Modify the retention time to suit your environment. For example, the script above deletes files that are older than 365 days and removes any empty directories.
  3. Make sure that this file is executable (chmod +x saw-cleanup.sh).
  4. Run this file as a cron job. To do this, add the line below to the /etc/crontab file on the warehouse connector appliance.
13 * * * * root /root/saw-cleanup.sh > /dev/null 2>&1

This will run the script every hour at 13 minutes past the hour and delete any files older than 365 days.
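
A more defensive variant of the cleanup above, as an added example that is not part of the RSA article: it refuses to run when the rsasoc/v1 tree is missing (for example, because the NFS share is not mounted), touches only regular files, and lists candidates unless told to delete. The function name saw_cleanup and its arguments are assumptions.

```shell
#!/bin/bash
# Added example, not RSA's script. saw_cleanup and its arguments are
# assumptions; the rsasoc/v1/{logs,sessions}/data* layout is the article's.

# Usage: saw_cleanup ROOT DAYS [delete]
# Prints files older than DAYS days; removes them only when "delete" is given.
saw_cleanup() {
    local root="$1" days="$2" mode="${3:-list}" base kind dir

    # Retention must be a positive whole number of days.
    case "$days" in
        ''|*[!0-9]*|0) echo "bad retention: $days" >&2; return 2 ;;
    esac

    # An unmounted NFS share leaves an empty mount point: refuse to run.
    base="$root/rsasoc/v1"
    if [ ! -d "$base/logs" ] || [ ! -d "$base/sessions" ]; then
        echo "no rsasoc/v1 tree under $root; is the share mounted?" >&2
        return 3
    fi

    for kind in logs sessions; do
        for dir in "$base/$kind"/data*; do
            [ -d "$dir" ] || continue
            if [ "$mode" = delete ]; then
                # Regular files only; directories are handled by the prune below.
                find "$dir" -type f -mtime +"$days" -print -delete
                # Prune emptied subdirectories but keep data* itself.
                find "$dir" -mindepth 1 -type d -empty -delete
            else
                find "$dir" -type f -mtime +"$days" -print
            fi
        done
    done
    return 0
}

# Run only when called with arguments, e.g.:
#   saw-cleanup.sh /mnt/saw/lonsaw 365          (list candidates)
#   saw-cleanup.sh /mnt/saw/lonsaw 365 delete   (remove them)
if [ "$#" -ge 2 ]; then saw_cleanup "$@"; fi
```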