Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000035865 - How to modify/increase the Retention policy of esa.log in RSA NetWitness

Document created by RSA Customer Support

on Feb 12, 2018•Last modified by RSA Customer Support

on Mar 26, 2019

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000035865
Applies To	RSA Product Set: Security Analytics, NetWitness Logs & Network RSA Product/Service Type: ESA Server RSA Version/Condition: 10.5.x, 10.6.x Platform: CentOS
Issue	In order to have the availability of more period of logs under the /opt/rsa/esa/logs/ directory on the ESA Server, use the following steps to increase the period of retention and have the visibility of longer period logs for debugging purposes.
Resolution	Please follow the below steps on the ESA server: This should now create 12 backup files in the /opt/rsa/esa/logs directory on the ESA server (until esa.log.12), each of file size 10 MB. Once it reaches the threshold, it will start the log rotation from the oldest file. SSH to the ESA Server and stop the rsa-esa service using the command below: # service rsa-esa stop Create a backup of the loggingConfiguration.json file and edit the highlighted parameters as shown in the default configuration below: # cp /opt/rsa/esa/conf/loggingConfiguration.json /opt/rsa/esa/conf/loggingConfiguration.json.backup This is the default configuration: [root@PNBDELSAESA opt] # cat /opt/rsa/esa/conf/loggingConfiguration.json {"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64":4194304}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 9}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}} For instance, we are increasing the number 9 to 12 in order to make 12 backup files as well as increasing the size of each log file from 4 MB to 10 MB, as shown below: [root@PNBDELSAESA opt] # vi /opt/rsa/esa/conf/loggingConfiguration.json {"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64":10485760}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 12}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}} Next, log into the RSA Security Analytics UI and navigate to Administration > Services > ESA > View > Explore > Service > Configuration > logging Change the MaxBackupIndex to 12. Change the MaximumFileSize to 10485760. This should now create 12 backup files in the /opt/rsa/esa/logs directory on the ESA server (until esa.log.12), each of file size 10 MB. Once it reaches the threshold, it will start the log rotation from the oldest file. # service rsa-esa start Once both of the parameters in steps 2 and 3 have been edited, start the rsa-esa service.
Notes	The changes will need to be done on both the json file (Step 2) and in the Explore view (Step 3) in order for the changes to take effect. Please note that if the number of backups and/or the size of the log files is set to a large value, they could fill up the logging partition and cause the system to shut down unexpectedly. You should change these parameters in small increments and watch the system carefully. Issues may not arise for some time depending on how busy the server is.

Attachments

Outcomes

0 Comments