Sys Maintenance: Debugging Information

Document created by RSA Information Design and Development on Mar 22, 2017. Last modified by RSA Information Design and Development on Aug 1, 2017.
Version 8

Security Analytics Log Files

The following files contain Security Analytics log information.

Component            File
puppet               /var/log/messages
rabbitmq             /var/log/rabbitmq/sa@localhost.log
                     /var/log/rabbitmq/sa@localhost-sasl.log
mcollective          /var/log/mcollective.log
collectd             /var/log/messages
nwlogcollector       /var/log/messages
nwlogdecoder         /var/log/messages
sms                  /opt/rsa/sms/wrapper.log
                     /opt/rsa/sms/logs/sms.log
                     /opt/rsa/sms/logs/audit/audit.log
Security Analytics   /var/lib/netwitness/uax/logs/sa.log
                     /var/lib/netwitness/uax/logs/audit/audit.log
                     /opt/rsa/jetty9/logs

Files of Interest

The following files are used in key Security Analytics components, and can be useful when trying to track down miscellaneous issues.

Component   File
            Description

puppet      /etc/puppet/puppet.conf
            Puppet configuration file. It drives the behavior of both the Puppet Agent (all nodes) and the Puppet Master (SA node only). Upgrade scripts modify this file when the system is upgraded, and the installer writes it for new installs.

puppet      /etc/sysconfig/puppet
            Service configuration file for the Puppet agent.

puppet      /var/lib/puppet/ssl
            Where Puppet stores keys and certificates (among other PKI artifacts).

            Caution: Tread very carefully in this directory. Destroying artifacts here can cause Puppet to stop functioning.

puppet      /var/lib/puppet/node_id
            Where the SA node ID is stored persistently. Do not delete or modify this file, or you may break your Puppet installation.

puppet      /etc/puppet/scripts
            Common scripts, created by RSA, that simplify the use of Puppet. You typically do not need these scripts, except in some very arcane troubleshooting scenarios.

puppet      /var/lib/puppet
            Runtime Puppet artifacts. Most of the time you do not need to inspect this directory, except for the ssl and node_id entries described above.

rabbit      /etc/rabbitmq/rabbitmq.config
            RabbitMQ configuration file. It partially drives the behavior of RabbitMQ, particularly the network/SSL settings. This file is downloaded and synchronized through Puppet.

rabbit      /etc/rabbitmq/rabbitmq-env.conf
            RabbitMQ environment configuration file. It specifies the RabbitMQ node name and the location of the enabled-plugins file.

rabbit      /etc/rabbitmq/rsa_enabled_plugins
            The list of enabled RabbitMQ plugins. The RabbitMQ server manages this file via the rabbitmq-plugins command. It overrides the /etc/rabbitmq/enabled_plugins path, to work around issues with upgrading the Log Collector from 10.3.

rabbit      /etc/rabbitmq/ssl/server/key.pem
            The RabbitMQ private key, as a PEM-encoded RSA private key. This file is a symbolic link to the Puppet node ID private key, so the same key material authenticates both Puppet and RabbitMQ on this node; protect it accordingly.

rabbit      /etc/rabbitmq/ssl/server/cert.pem
            The RabbitMQ server certificate, as a PEM-encoded X.509 certificate. This file is a symbolic link to the Puppet node ID certificate.

rabbit      /etc/rabbitmq/ssl/truststore.pem
            The RabbitMQ trust store: a sequence of PEM-encoded X.509 certificates representing trusted CAs. Any client that connects to RabbitMQ and presents a certificate signed by a CA in this list is treated as a trusted client, so every CA added here can issue client credentials that RabbitMQ accepts.

rabbit      /var/log/rabbitmq/mnesia/sa@localhost
            The RabbitMQ Mnesia directory. Mnesia is the Erlang/OTP database technology for storing Erlang objects persistently. RabbitMQ uses it to store information such as the current set of policies, persistent exchanges and queues, and so forth.

            Importantly, the msg_store_persistent and msg_store_transient directories are where RabbitMQ stores messages that have been spooled to disk, for example messages published as persistent, or messages paged out to disk because of memory limits. Keep a close eye on this directory if the disk or memory alarms have tripped in RabbitMQ.

            Caution: Do not delete these files manually. Use RabbitMQ tools to purge or delete queues. Modifying these files manually may render your RabbitMQ instance inoperable.

mcollective /etc/mcollective/client.cfg
            MCollective client configuration file. This file generally applies only to the SA node.

mcollective /etc/mcollective/server.cfg
            MCollective server configuration file. This file applies to all nodes, including the SA server node.

mcollective /etc/mcollective/ssl/mcollective_server_public.pem
            MCollective server public key. This file is generated on the SA Server and distributed via Puppet.

mcollective /etc/mcollective/ssl/mcollective_server_private.pem
            MCollective server private key. This file is generated on the SA Server and distributed via Puppet.

mcollective /etc/mcollective/ssl/mcollective_client_private.pem
            MCollective client private key. This file resides only on the SA Server.

mcollective /etc/mcollective/clients/mcollective_client_public.pem
            MCollective client public key. This file is generated on the SA Server and distributed via Puppet.
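The three RabbitMQ TLS files above (key.pem, cert.pem and truststore.pem) are where a bad Puppet sync or a hand-edited trust store usually surfaces as a handshake failure. The script below is an added example, not code from the RSA page or the product. It confirms that key.pem really belongs to cert.pem, that cert.pem chains to a CA in truststore.pem (the check a TLS peer performs), and it lists every CA the trust store contains so you can audit who may issue client certificates that RabbitMQ will accept. It assumes openssl(1) is installed; the function names, exit codes and the fixture generator are this example's own, the test material it generates is constructed, and the default paths are the ones documented above. Run it with no arguments to exercise it against the constructed fixture, or pass KEY CERT TRUSTSTORE to check an appliance.

```shell
#!/bin/sh
# Added example, not from the RSA page or the product: sanity-check the RabbitMQ
# TLS material listed above. Requires openssl(1). Function names, exit codes and
# the fixture generator are this example's own; default paths are the page's.

# check_rabbitmq_tls [KEY] [CERT] [TRUSTSTORE]
# Exit: 0 ok, 2 file missing, 3 key/cert mismatch, 4 cert not trusted.
check_rabbitmq_tls() {
    key="${1:-/etc/rabbitmq/ssl/server/key.pem}"
    cert="${2:-/etc/rabbitmq/ssl/server/cert.pem}"
    trust="${3:-/etc/rabbitmq/ssl/truststore.pem}"

    for f in "$key" "$cert" "$trust"; do
        [ -r "$f" ] || { echo "MISSING: $f" >&2; return 2; }
        # key.pem and cert.pem are documented as symlinks to the Puppet node ID
        # files; show the real target so a dangling or wrong link is obvious.
        if [ -L "$f" ]; then echo "$f -> $(readlink -f "$f")"; fi
    done

    # 1. The key must belong to the cert: compare the public key each one yields
    #    (both commands print the same SubjectPublicKeyInfo PEM when they match).
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "UNREADABLE KEY: $key" >&2; return 3; }
    cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) \
        || { echo "UNREADABLE CERT: $cert" >&2; return 3; }
    [ "$kpub" = "$cpub" ] \
        || { echo "MISMATCH: $key is not the key for $cert" >&2; return 3; }

    # 2. The cert must chain to a CA in the trust store; this is what a TLS peer
    #    checks, so failure here means handshakes will be rejected.
    openssl verify -CAfile "$trust" "$cert" >/dev/null 2>&1 \
        || { echo "UNTRUSTED: $cert does not chain to a CA in $trust" >&2; return 4; }

    # 3. Every CA listed here may issue client certificates RabbitMQ will accept,
    #    so the list should contain exactly the CAs you expect.
    echo "Trusted CAs in $trust ($(count_trusted_cas "$trust")):"
    list_trusted_cas "$trust"
    return 0
}

# Number of certificates in a PEM bundle.
count_trusted_cas() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# One "subject=" line per certificate in a PEM bundle (OpenSSL 1.x and 3.x).
list_trusted_cas() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null | grep '^subject'
}

# make_fixture: constructed test material shaped like the appliance layout: two
# CAs in the trust store, a node cert issued by the first, key.pem/cert.pem as
# symlinks (as the page describes), and an unrelated key for the negative case.
make_fixture() {
    fx=$(mktemp -d)
    cat > "$fx/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
[v3_node]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
EOF
    for n in 1 2; do
        openssl req -x509 -config "$fx/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
            -nodes -days 1 -subj "/CN=constructed-ca-$n" \
            -keyout "$fx/ca$n.key" -out "$fx/ca$n.pem" 2>/dev/null
    done
    openssl req -new -config "$fx/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-sa-node" -keyout "$fx/node-id.key" -out "$fx/node.csr" 2>/dev/null
    openssl x509 -req -in "$fx/node.csr" -CA "$fx/ca1.pem" -CAkey "$fx/ca1.key" \
        -set_serial 1 -days 1 -extfile "$fx/ca.cnf" -extensions v3_node \
        -out "$fx/node-id.pem" 2>/dev/null
    ln -s "$fx/node-id.key" "$fx/key.pem"
    ln -s "$fx/node-id.pem" "$fx/cert.pem"
    cat "$fx/ca1.pem" "$fx/ca2.pem" > "$fx/truststore.pem"
    openssl genrsa -out "$fx/rogue.key" 2048 2>/dev/null
    echo "$fx"
}

# With KEY CERT TRUSTSTORE arguments, check an appliance; with none, run the
# demo against the constructed fixture.
if [ "$#" -eq 3 ]; then
    check_rabbitmq_tls "$@"
else
    demo=$(make_fixture)
    check_rabbitmq_tls "$demo/key.pem" "$demo/cert.pem" "$demo/truststore.pem"
    rm -rf "$demo"
fi
```

The key/cert comparison deliberately uses the public key rather than the file names or symlink targets, so it still catches the case where Puppet has re-issued the node certificate but RabbitMQ is reading a stale copy. A trust store with more CA subjects than you expect is worth treating as an incident rather than a configuration oddity, because each of those CAs can produce a client certificate that passes RabbitMQ's client authentication.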