000035865 - How to modify/increase the Retention policy of esa.log in RSA NetWitness

Document created by RSA Customer Support Employee on Feb 12, 2018. Last modified by RSA Customer Support Employee on Mar 26, 2019.
Version 2

Article Content

Article Number: 000035865

Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: ESA Server
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS

Issue

To keep logs for a longer period under the /opt/rsa/esa/logs/ directory on the ESA Server, use the following steps to increase the retention period so that older logs remain available for debugging purposes.

Resolution

Please follow the steps below on the ESA server:

  1. SSH to the ESA Server and stop the rsa-esa service using the command below:
     

    # service rsa-esa stop


     
  2. Create a backup of the loggingConfiguration.json file, then edit the MaximumFileSize and MaxBackupIndex parameters, which appear in the default configuration below:
     

    # cp /opt/rsa/esa/conf/loggingConfiguration.json /opt/rsa/esa/conf/loggingConfiguration.json.backup

    This is the default configuration:
     

    [root@PNBDELSAESA opt] # cat /opt/rsa/esa/conf/loggingConfiguration.json 


    {"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64":4194304}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 9}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}}


    For instance, increase MaxBackupIndex from 9 to 12 to keep 12 backup files, and increase MaximumFileSize from 4 MB (4194304) to 10 MB (10485760), as shown below:


    [root@PNBDELSAESA opt] # vi /opt/rsa/esa/conf/loggingConfiguration.json 


    {"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64":10485760}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 12}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}} 


  3. Next, log into the RSA Security Analytics UI and navigate to Administration > Services > ESA > View > Explore > Service > Configuration > logging
    • Change the MaxBackupIndex to 12.
    • Change the MaximumFileSize to 10485760.

  4. Once both of the parameters in steps 2 and 3 have been edited, start the rsa-esa service:

    # service rsa-esa start

    This should now create 12 backup files in the /opt/rsa/esa/logs directory on the ESA server (up to esa.log.12), each 10 MB in size. Once the threshold is reached, log rotation starts with the oldest file.

Notes

The changes must be made in both the JSON file (Step 2) and the Explore view (Step 3) in order to take effect.

Please note that if the number of backups and/or the size of the log files is set to a large value, they could fill up the logging partition and cause the system to shut down unexpectedly. You should change these parameters in small increments and watch the system carefully. Issues may not arise for some time depending on how busy the server is.
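
The step 2 edit and the disk-space caution above can be checked before the service is restarted. The following is an added example, not RSA's code: the function names, the 50% headroom default, and the worst-case model (the active esa.log plus MaxBackupIndex backups, each up to MaximumFileSize) are assumptions, and it assumes Python 3 run against a copy of the file.

```python
import json
import shutil

# Default loggingConfiguration.json from step 2, embedded as sample input.
DEFAULT_CONFIG = (
    '{"type": "Dictionary","dictionary": {"entry": ['
    '{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64":4194304}}},'
    '{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 9}}},'
    '{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": ['
    '{"key": "root","value": {"type": "String","string": "INFO"}}]}}},'
    '{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}}'
)

def entry(config, key):
    """Return the value node of a top-level key in the Dictionary encoding."""
    for item in config["dictionary"]["entry"]:
        if item["key"] == key:
            return item["value"]
    raise KeyError(key)

def set_retention(config_text, max_file_size, max_backup_index):
    """Return new JSON text with only the two retention parameters changed."""
    if max_file_size <= 0 or max_backup_index < 1:
        raise ValueError("size must be > 0 and backup index >= 1")
    config = json.loads(config_text)  # fails loudly on a malformed file
    entry(config, "MaximumFileSize")["number"]["int64"] = int(max_file_size)
    entry(config, "MaxBackupIndex")["number"]["int32"] = int(max_backup_index)
    return json.dumps(config)

def worst_case_bytes(config_text):
    """Assumed upper bound: active esa.log plus every backup at full size."""
    config = json.loads(config_text)
    size = entry(config, "MaximumFileSize")["number"]["int64"]
    backups = entry(config, "MaxBackupIndex")["number"]["int32"]
    return size * (backups + 1)

def fits(config_text, free_bytes, headroom=0.5):
    """True if worst-case usage stays within `headroom` of the free space."""
    return worst_case_bytes(config_text) <= free_bytes * headroom

if __name__ == "__main__":
    new_text = set_retention(DEFAULT_CONFIG, 10 * 1024 * 1024, 12)
    # Point this at the partition that holds /opt/rsa/esa/logs on the ESA server.
    free = shutil.disk_usage("/").free
    print(worst_case_bytes(new_text), "bytes worst case; fits:", fits(new_text, free))
```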
