on Mar 21, 2017This section contains the Security Analytics 10.6 pre-update, update, and post-update log messages with a description of each message and instructions on how to respond to these messages.
System Management Service (SMS)
SMS logs are posted to /var/log/install/sms_install.log on the SA host.
Java Version
| Message | timestamp host: SMS_PostInstall: WARN: Java Keystore file /opt/rsa/carlos/keystore is missing |
|---|---|
| Cause | The Java keystore is missing. |
| Required Action | Make sure that Java v1.8 is installed on the host. |
| Messages | timestamp host: SMS_PostInstall: INFO: Installed Java version is : java version "1.7.0_71" timestamp host: WARN: Java version is old and not compatible with the current SMS server. |
|---|---|
| Cause | Java version that installed on the host is not compatible with Security Analytics 10.5.1. |
| Required Action | Make sure that Java v1.8 is installed on the host. |
Disk Space
| Message | timestamp host: SMS_PostInstall: INFO: Free disk space on /opt is nGB timestamp host: SMS_PostInstall: WARN: Disk space check failed on /opt. The available disk space nGB is less than the recommended minimum disk space of 10GB. |
|---|---|
| Cause | Low or insufficient disk space allocated for the SMS service. |
| Required Action | RSA recommends that you provide a minimum of 10 GB of disk space for the SMS service to run optimally. |
Services
| Message | timestamp host: INFO RabbitMQ server is not installed. |
|---|---|
| Cause | The required RabbitMQ service is not installed. |
| Required Action | Install and restart the RabbitMQ service using the following commands. yum install rabbitmq-server service rabbitmq-server restart |
| Message | timestamp host: INFO RabbitMQ Server is not running. |
|---|---|
| Cause | The required RabbitMQ service is not running. |
| Required Action | Restart RabbitMQ service using the following commands. service rabbitmq-server restart |
| Message | timestamp host: INFO TokuMX Server is not running. |
|---|---|
| Cause | The required TokuMX service is not running. |
| Required Action | Restart TokuMX service using the following commands. service tokumx-server restart |
| Message | timestamp host: SMS_PostInstall: INFO: Puppet Server is not running. |
|---|---|
| Cause | The required Puppet service is not running. |
| Required Action | Restart Puppet service using the following commands. service puppet-server restart |
Log Collector Service (nwlogcollector)
Log Collector logs are posted to /var/log/install/nwlogcollector_install.log on the host running the nwlogcollector service.
Lock Box Verification Logs
| Message | timestamp.NwLogCollector_PostInstall: Lockbox Status : Failed to open lockbox: The lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the lockbox using the passphrase. |
|---|---|
| Cause | The Log Collector Lockbox failed to open after the update. |
| Required Action | Log in to Security Analytics and reset the system fingerprint by resetting the stable system value password for the Lockbox as described in the Reset the Stable System Value topic under the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide. |
| Message | NwLogCollector_PostInstall: Lockbox Status : Failed to open lockbox: Lockbox tampering was detected, so it cannot be read. |
|---|---|
| Cause | The Log Collector Lockbox was compromised. |
| Required Action | Log in to Security Analytics and reconfigure the Lockbox as described in the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide. |
| Message | timestamp NwLogCollector_PostInstall: Lockbox Status : Not Found |
|---|---|
| Cause | The Log Collector Lockbox is not configured after the update. |
| Required Action | (Conditional) If you use a Log Collector Lockbox, log in to Security Analytics and configure the Lockbox as described in the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide. |
| Message | timestamp: NwLogCollector_PostInstall: Lockbox Status : Lockbox maintenance required: The lockbox stable value threshold requires resetting. To reset the system fingerprint, select Reset Stable System Value on the settings page of the Log Collector. |
|---|---|
| Cause | You need to reset the stable value threshold field for the Log Collector Lockbox. |
| Required Action | Log in to Security Analytics and reset the stable system value password for the Lockbox as described in Reset the Stable System Value topic under the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide. |
Event Stream Analysis (ESA)
Pre-Update Check
Pre-update check ESA logs are posted to/var/log/esa-rpm-pre-upgrade.log on the host running the ESA service.
| Message | Pre_upgrade_alert_count=number-of-alerts |
|---|---|
| Cause | Tells you the number of ESA alerts that exist on the host when you initiate the update. |
| Required Action | None (Informational) |
| Message | Pre_upgrade_rule_count=number-of-rules |
|---|---|
| Cause | Tells you the number of ESA rules that exist on the host when you initiate the update. |
| Required Action | None (Informational) |
| Message | Pre_upgrade_enrichment_connection_count=number-of-enrichment-sources |
|---|---|
| Cause | Tells you the number of ESA enrichment sources that exist on the host when you initiate the update. |
| Required Action | None (Informational) |
Post-Update Check
Post-update check ESA logs are posted to/var/log/esa-rpm-post-upgrade.log on the host running the ESA service.
| Message | Post_upgrade_alert_count=number-of-alerts |
|---|---|
| Cause | Tells you the number of ESA alerts that exist on the host after the host is updated. |
| Required Action | None (Informational) |
| Message | Post_upgrade_rule_count=number-of-rules |
|---|---|
| Cause | Tells you the number of ESA rules that exist on the host after the host is updated. |
| Required Action | None (Informational) |
| Message | Post_upgrade_enrichment_connection_count=number-of-enrichment-sources |
|---|---|
| Cause | Tells you the number of ESA enrichment sources that exist on the host after the host is updated. |
| Required Action | None (Informational) |
Reporting Engine Service
Update Check
Reporting Engine Update logs are posted to to/var/log/re_install.log file on the host running the Reporting Engine service.
| Message | timestamp : Available free space in /home/rsasoc/rsa/soc/reporting-engine [ existing-GB ] is less than the required space [ required-GB ] |
|---|---|
| Cause | Update of the Reporting Engine failed because you do not have enough disk space. |
| Required Action | Free up the disk space to accommodate the required space shown in the log message. See the Add Additional Space for Large Reports topic in the Reporting Engine Configuration Guide for instructions on how to free up disk space. |