000035359 - Root partition has become full due to lighttpd logs on an RSA Security Analytics appliance

Document created by RSA Customer Support Employee on Jul 28, 2017
Version 1

Article Content

Article Number: 000035359
Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Packets
Platform: CentOS
O/S Version: EL5, EL6
Issue: The root ( / ) partition may become 100% full on an RSA Security Analytics appliance for a variety of reasons, and lighttpd logs can be one of them.
Tasks: Get the output of the commands below from the problematic appliance to identify which directories and files are taking the most space.
  • Just Directories
    du --apparent-size --human-readable --one-file-system / | sort -h | tail -n30

  • Directories and Files
    du --all --apparent-size --human-readable --one-file-system / | sort -h | tail -n30

  • List the 200 largest files and directories by size
    find / -mount \( -type d -o -type f \) -print0 | xargs -0 stat -c "%s %n" 2>&1 | sort -n | tail -n200

Resolution: Using the commands above, you can determine whether most of the root partition is being consumed by a single log file for the lighttpd service, which is the web server used to host the RSA Security Analytics repository files. For example:
13G     /usr/local/var/log/lighttpd/error.log

Issue the commands shown below to resolve the issue.
# service lighttpd stop
# tail -n100000 /usr/local/var/log/lighttpd/error.log > /tmp/error.log
# cd /tmp
# gzip -9 error.log
# rm -f /usr/local/var/log/lighttpd/error.log
# mv /tmp/error.log.gz /usr/local/var/log/lighttpd
# service lighttpd start
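
The trim, compress and replace steps above as a single function, added here as an example and not RSA's own tooling; `trim_log` and its arguments are hypothetical names. It stages the copy under a `mktemp` name rather than a fixed path in /tmp, refuses symlinks because it runs as root, and deletes the original only after the archive passes `gzip -t`.

```shell
#!/bin/sh
# Added example (not RSA tooling): keep the last N lines of an oversized log
# as a compressed copy beside it. Stop the service that writes the log first.
# trim_log, its arguments and the default of 100000 lines follow the article's
# procedure; the names themselves are hypothetical.
trim_log() {
    log=$1
    keep=${2:-100000}

    # The line count must be a plain non-negative integer.
    case $keep in
        ''|*[!0-9]*) echo "trim_log: bad line count: $keep" >&2; return 1 ;;
    esac

    # Running as root: never follow a symlink planted at the log path.
    if [ -L "$log" ] || [ ! -f "$log" ]; then
        echo "trim_log: $log is not a regular file" >&2
        return 1
    fi

    # Unpredictable, mode-0600 staging file instead of a fixed /tmp name.
    tmp=$(mktemp "${TMPDIR:-/tmp}/trim_log.XXXXXX") || return 1

    # Stage and compress; on failure (e.g. disk still full) keep the original.
    if ! tail -n "$keep" "$log" > "$tmp" || ! gzip -9 "$tmp"; then
        echo "trim_log: could not stage trimmed copy" >&2
        rm -f "$tmp" "$tmp.gz"
        return 1
    fi

    # Only delete the original once the archive is known to be readable.
    if ! gzip -t "$tmp.gz"; then
        echo "trim_log: archive failed integrity check" >&2
        rm -f "$tmp.gz"
        return 1
    fi

    rm -f "$log" || return 1
    if ! mv "$tmp.gz" "$log.gz"; then
        echo "trim_log: trimmed copy left at $tmp.gz" >&2
        return 1
    fi
}

# Usage, between "service lighttpd stop" and "service lighttpd start":
#   trim_log /usr/local/var/log/lighttpd/error.log 100000
```
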

If you are unsure of any of the steps above or experience any issues, contact RSA Customer Support and quote this article number for further assistance.