000035355 - Large Number of Large Files Associated with Malware Analysis Appliance in RSA Security Analytics

Document created by RSA Customer Support Employee on Jul 13, 2017
Version 1

Article Content

Article Number: 000035355
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Malware Analysis
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6
 
Issue
The Lucene Index on the Malware Appliance creates a large number of large index files over time. The more activity on the system, the more files will be created.
These files may not be noticed until the backup scripts are run, as the backup files for the Malware Appliance may be quite large.
You may find numerous large files with the file extension ".cfs" in these folders:
/var/lib/rsamalware/spectrum/index/com.netwitness.malware.server.domain.model.FileEntry/_eug.cfs
/var/lib/rsamalware/spectrum/index/com.netwitness.malware.server.event.domain.model.EventEntity/_h31.cfs
/var/lib/rsamalware/spectrum/index/com.netwitness.malware.server.event.domain.model.MetaValue/_gux.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.1_index/_6.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.2_index/_8.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.3_index/_2.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.4_index/_7.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.5_index/_0.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.6_index/_4.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.7_index/_0.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log.8_index/_f.cfs
/var/lib/rsamalware/spectrum/logs/spectrum.log_index/_2.cfs
/var/lib/rsamalware/spectrum/repository/index/_100.cfs

This folder list is not exhaustive and you may find more folders with cfs files in this part of your appliance filesystem tree.
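
To find every ".cfs" file rather than relying on the list above, and to size them before a backup run, the following read-only script totals them per directory. It is an added example, not an RSA-provided tool; the function names and the SPECTRUM_ROOT variable are assumptions, and only the default path comes from this article.

```shell
#!/bin/sh
# Added example: read-only inventory of Lucene .cfs files on a Malware Analysis
# appliance. Nothing is deleted or modified. Function names and SPECTRUM_ROOT
# are assumptions of this example; the default path is the one in the article.
SPECTRUM_ROOT="${SPECTRUM_ROOT:-/var/lib/rsamalware/spectrum}"

# Emit "<bytes> <path>" for every .cfs file under $1 (wc -c "total" lines dropped).
cfs_sizes() {
    find "$1" -type f -name '*.cfs' -exec wc -c {} + 2>/dev/null |
        awk '!(NF == 2 && $2 == "total")'
}

# Total bytes held in .cfs files under $1.
cfs_total_bytes() {
    cfs_sizes "$1" | awk '{ sum += $1 } END { printf "%.0f\n", sum }'
}

# Per-directory report, largest first: "<bytes>\t<file count>\t<directory>".
cfs_by_dir() {
    cfs_sizes "$1" | awk '{
        path = $0; sub(/^[ \t]*[0-9]+[ \t]+/, "", path)  # keep paths with spaces
        dir = path; sub(/\/[^\/]*$/, "", dir)             # strip the file name
        bytes[dir] += $1; files[dir]++
    } END {
        for (d in bytes) printf "%.0f\t%d\t%s\n", bytes[d], files[d], d
    }' | sort -rn
}

# Succeeds when the .cfs total exceeds $2 bytes (for a cron or monitoring check).
cfs_over_limit() {
    [ "$(cfs_total_bytes "$1")" -gt "$2" ]
}

# Report only when run on a host that actually has the directory.
if [ -d "$SPECTRUM_ROOT" ]; then
    cfs_by_dir "$SPECTRUM_ROOT"
    echo "total .cfs bytes: $(cfs_total_bytes "$SPECTRUM_ROOT")"
fi
```

Set SPECTRUM_ROOT to point the report at a different tree, for example a restored backup.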
 
Cause
These files are used by the Lucene Index in the Malware appliance and are considered system files.

Resolution

There is no resolution for these files as they are considered normal.
Removing the files will cause problems when restarting the Malware Appliance service, so they should not be removed.
Using the Malware Appliance legacy WebUI "Data Reset" function does not remove these index files.
