Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000035865 - How to modify/increase the Retention policy of esa.log in RSA NetWitness

Document created by RSA Customer Support

on Feb 12, 2018

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000035865
Applies To	RSA Product Set:- Netwitness RSA Product/Service Type:- ESA Server RSA Version/Condition: 10.5.x, 10.6.x Platform: CentOS
Issue	In order to have the availability of more period of logs under #cd /opt/rsa/esa/logs/ on ESA Server, we can use below steps to increase the period of retention and have the visibility of longer period logs for debugging purpose.
Resolution	Please follow the below steps on ESA server:- 1. SSH to ESA Server and stop rsa-esa service using below command:- #service rsa-esa stop 2. Please take the backup of this file and edit the below highlighted parameters #cp /opt/rsa/esa/conf/loggingConfiguration.json /opt/rsa/esa/conf/loggingConfiguration.json.backup This is default configuration: [root@PNBDELSAESA opt]# cat /opt/rsa/esa/conf/loggingConfiguration.json {"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64": 4194304}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 9}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}} For instance, we are increasing the number 9 to 12 in order to make 12 backup files and Increasing size of each log files from 4 MB to 10 MB [root@PNBDELSAESA opt]# vi /opt/rsa/esa/conf/loggingConfiguration.json {"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64": 10485760}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 12}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}} 3. Once have edited both of these parameters in json file ( Step 2 ) and ESA explore view ( Step 3 ), start rsa-esa service #service rsa-esa start 4. Log into the RSA Security Analytics UI. Go to Administration > Services > select ESA. Open the Explore view, then go to Services - Configuration - logging edit below parameters:- Change MaxBackupIndex to 12 and MaximumFileSize as 10485760 So it should now create 12 backup files (till esa.log.12) each of 10 MB under this path on ESA server #cd /opt/rsa/esa/logs/ and once it reaches the threshold then will start the log rotation from the oldest file.
Notes	Changes as mentioned in json file ( step 2 ) and through explore view ( Step 4 ) are both required to implement the changes. Please note that if the number of backups and/or the size of the log files is set to large they could fill up the logging partition and cause the system to shutdown unexpectedly. You should change these parameters in small increments and watch the system carefully. Issues may not arise for some time depending on the busyness of the server.

Attachments

Outcomes

0 Comments

Recommended Content