000032869 - No Transactions Showing in Forensics UI Due to Disk Space Used Up in RSA Web Threat Detection 4.6

Document created by RSA Customer Support Employee on Jan 31, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032869
Applies ToRSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: > 5.1
Platform: Windows
IssueWeb Threat Detection Log and Report files have grown to the point of using up most of the available disk space.  
Symptoms are  
  • System Management Page --  certificate page will not load
  • Forensics Page --  cannot see hourly transactions, get alerts, or see the graph populate. 
Tasks1.  Determine if Processes are Running
  • ps -ef | grep -i silvertail
2. Determine if Disk space has been used up. 
  • df -h
If available disk space is at or near 0% then proceed to the resolution steps.
Resolution1.  Determine the age of the data in-- 
  • /var/opt/silvertail/data/logs  and  /var/opt/silvertail/data/reports
2.  Determine if Diskreaper has been enabled, and if so what are the settings.
3.  Determine if the settings in Diskreaper, as they are, can keep up with the amount of data being stored. 
4. Ask the customer to provide their Data Retention policy(how long do they need to keep logs and reports. )
5. Set Diskreaper so that the system will be able to maintain an amount of data with the given system resources, that can meet the customer's Data Retention policy.
6. Consider asking the customer to move data off the system if there is no disk space, either to temporarily allow the system to be restored to functionality, or to free up more disk space for normal running. 
Logs and Reports can be easily moved off and back with services restart to restore the data. 
7 Restart all services and make sure FI and System Manager is functioning
8 if Forensics UI is still not populating then torginizer may not have written the .task file to have the hourly reports created even  after data was removed and services were started)
A. Go to /var/opt/silvertail/data/tasks
  • there should be failed tasks in indexer/failed
If the hourly *.task file is missing do this command:
  • touch <yyyy-mm-dd>.task   
This should create the task file.  Go check the Forensics, it should be populating the hourly data. 

NotesConfiguration and use of Diskreaper, available since version 4.6,  is obtained from WTD Product documentation in SCOL System Management Guide