Host GS: Troubleshooting 10.6 Update Service Log Messages

Document created by RSA Information Design and Development on Mar 21, 2017
Version 1

This section contains the Security Analytics 10.6 pre-update, update, and post-update log messages with a description of each message and instructions on how to respond to these messages.

System Management Service (SMS)

SMS logs are posted to /var/log/install/sms_install.log on the SA host.

Java Version

               
Message

timestamp host: SMS_PostInstall: WARN: Java Keystore file /opt/rsa/carlos/keystore is missing

Cause

The Java keystore is missing.

Required Action Make sure that Java v1.8 is installed on the host.

 

               
Messages

timestamp host: SMS_PostInstall: INFO: Installed Java version is : java version "1.7.0_71"

timestamp host: WARN: Java version is old and not compatible with the current SMS server.

Cause

The Java version installed on the host is not compatible with Security Analytics 10.5.1.

Required Action Make sure that Java v1.8 is installed on the host.

Disk Space

               
Message

timestamp host: SMS_PostInstall: INFO: Free disk space on /opt is nGB

timestamp host: SMS_PostInstall: WARN: Disk space check failed on /opt. The available disk space nGB is less than the recommended minimum disk space of 10GB.

Cause

Low or insufficient disk space allocated for the SMS service.

Required Action RSA recommends that you provide a minimum of 10 GB of disk space for the SMS service to run optimally.

Services

               
Message

timestamp host: INFO RabbitMQ server is not installed.

Cause The required RabbitMQ service is not installed.
Required Action Install and restart the RabbitMQ service using the following commands.
yum install rabbitmq-server
service rabbitmq-server restart

 

               
Message

timestamp host: INFO RabbitMQ Server is not running.

Cause The required RabbitMQ service is not running.
Required Action Restart the RabbitMQ service using the following command.
service rabbitmq-server restart

 

               
Message

timestamp host: INFO TokuMX Server is not running.

Cause The required TokuMX service is not running.
Required Action Restart the TokuMX service using the following command.
service tokumx-server restart

 

               
Message

timestamp host: SMS_PostInstall: INFO: Puppet Server is not running.

Cause The required Puppet service is not running.
Required Action Restart the Puppet service using the following command.
service puppet-server restart

Log Collector Service (nwlogcollector)

Log Collector logs are posted to /var/log/install/nwlogcollector_install.log on the host running the nwlogcollector service.

Lock Box Verification Logs

               
Message

timestamp.NwLogCollector_PostInstall: Lockbox Status : Failed to open lockbox: The lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the lockbox using the passphrase.

Cause

The Log Collector Lockbox failed to open after the update. 

Required Action Log in to Security Analytics and reset the system fingerprint by resetting the stable system value password for the Lockbox as described in the Reset the Stable System Value topic under the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide.

 

               
Message

NwLogCollector_PostInstall: Lockbox Status : Failed to open lockbox: Lockbox tampering was detected, so it cannot be read.

Cause The Log Collector Lockbox was compromised.
Required Action Log in to Security Analytics and reconfigure the Lockbox as described in the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide.

 

               
Message

timestamp NwLogCollector_PostInstall: Lockbox Status : Not Found

Cause The Log Collector Lockbox is not configured after the update.
Required Action (Conditional) If you use a Log Collector Lockbox, log in to Security Analytics and configure the Lockbox as described in the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide.

 

               
Message

timestamp: NwLogCollector_PostInstall: Lockbox Status : Lockbox maintenance required: The lockbox stable value threshold requires resetting. To reset the system fingerprint, select Reset Stable System Value on the settings page of the Log Collector.

Cause

You need to reset the stable value threshold field for the Log Collector Lockbox.

Required Action Log in to Security Analytics and reset the stable system value password for the Lockbox as described in the Reset the Stable System Value topic under the Configure Lockbox Security Settings topic in the Log Collection Configuration Guide.

Event Stream Analysis (ESA) 

Pre-Update Check

Pre-update check ESA logs are posted to /var/log/esa-rpm-pre-upgrade.log on the host running the ESA service.

               
Message Pre_upgrade_alert_count=number-of-alerts
Cause Tells you the number of ESA alerts that exist on the host when you initiate the update. 
Required Action None (Informational)

 

               
Message Pre_upgrade_rule_count=number-of-rules
Cause Tells you the number of ESA rules that exist on the host when you initiate the update. 
Required Action None (Informational)

 

               
Message Pre_upgrade_enrichment_connection_count=number-of-enrichment-sources
Cause Tells you the number of ESA enrichment sources that exist on the host when you initiate the update. 
Required Action None (Informational)

Post-Update Check

Post-update check ESA logs are posted to /var/log/esa-rpm-post-upgrade.log on the host running the ESA service.

               
Message Post_upgrade_alert_count=number-of-alerts
Cause Tells you the number of ESA alerts that exist on the host after the host is updated. 
Required Action None (Informational)

 

               
Message Post_upgrade_rule_count=number-of-rules
Cause Tells you the number of ESA rules that exist on the host after the host is updated.
Required Action None (Informational)

 

               
Message Post_upgrade_enrichment_connection_count=number-of-enrichment-sources
Cause Tells you the number of ESA enrichment sources that exist on the host after the host is updated.
Required Action None (Informational)
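
The pre-update and post-update counts above are informational, but comparing them is a quick way to confirm that ESA alerts, rules and enrichment sources are still present after the update. The script below is an added example, not RSA tooling; it assumes each count is logged as KEY=NUMBER on a line, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare ESA pre- and post-update counts.
# Assumption: each log contains lines with KEY=NUMBER, as in the messages above.

# Print the last numeric value logged for key $1 in file $2 (empty if absent).
esa_count() {
    sed -n "s/.*$1=\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1
}

# Compare alert, rule and enrichment-source counts between the two logs.
# Prints one line per item; returns 1 if any count is missing or differs.
esa_compare() {
    pre_log=$1; post_log=$2; rc=0
    for item in alert rule enrichment_connection; do
        pre=$(esa_count "Pre_upgrade_${item}_count" "$pre_log")
        post=$(esa_count "Post_upgrade_${item}_count" "$post_log")
        if [ -z "$pre" ] || [ -z "$post" ]; then
            echo "$item: MISSING (pre='$pre' post='$post')"; rc=1
        elif [ "$pre" -ne "$post" ]; then
            echo "$item: CHANGED $pre -> $post"; rc=1
        else
            echo "$item: OK $pre"
        fi
    done
    return $rc
}

# Constructed sample logs (not real host data) so the example runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' 'Pre_upgrade_alert_count=1200' 'Pre_upgrade_rule_count=42' \
    'Pre_upgrade_enrichment_connection_count=3' > "$demo_dir/pre.log"
printf '%s\n' 'Post_upgrade_alert_count=1200' 'Post_upgrade_rule_count=40' \
    'Post_upgrade_enrichment_connection_count=3' > "$demo_dir/post.log"

# In the sample data the rule count drops from 42 to 40, so this reports a change.
esa_compare "$demo_dir/pre.log" "$demo_dir/post.log" || echo "Review ESA after the update"
```

On the ESA host, call `esa_compare /var/log/esa-rpm-pre-upgrade.log /var/log/esa-rpm-post-upgrade.log`. A CHANGED or MISSING line is a prompt to review the service, not proof of data loss.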

Reporting Engine Service 

Update Check

Reporting Engine Update logs are posted to the /var/log/re_install.log file on the host running the Reporting Engine service.

               
Message

timestamp : Available free space in /home/rsasoc/rsa/soc/reporting-engine [ existing-GB ] is less than the required space [ required-GB ]

Cause Update of the Reporting Engine failed because you do not have enough disk space. 
Required Action Free up the disk space to accommodate the required space shown in the log message. See the Add Additional Space for Large Reports topic in the Reporting Engine Configuration Guide for instructions on how to free up disk space.