000035865 - How to modify/increase the Retention policy of esa.log in RSA NetWitness

Document created by RSA Customer Support Employee on Feb 12, 2018
Version 1

Article Content

Article Number: 000035865
Applies To:
RSA Product Set: NetWitness
RSA Product/Service Type: ESA Server
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS

To keep a longer period of logs available under /opt/rsa/esa/logs/ on the ESA server, use the steps below to increase the retention period so that older logs remain visible for debugging purposes.

Resolution

Follow the steps below on the ESA server:

1. SSH to the ESA server and stop the rsa-esa service using the command below:

#service rsa-esa stop

2. Take a backup of this file, then edit the MaximumFileSize and MaxBackupIndex parameters as shown below:

#cp /opt/rsa/esa/conf/loggingConfiguration.json /opt/rsa/esa/conf/loggingConfiguration.json.backup

This is the default configuration:
[root@PNBDELSAESA opt]# cat /opt/rsa/esa/conf/loggingConfiguration.json 
{"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64": 4194304}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 9}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}}

For instance, here we increase MaxBackupIndex from 9 to 12 in order to keep 12 backup files, and increase the size of each log file from 4 MB to 10 MB:
[root@PNBDELSAESA opt]# vi /opt/rsa/esa/conf/loggingConfiguration.json 
{"type": "Dictionary","dictionary": {"entry": [{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64": 10485760}}},{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 12}}},{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": [{"key": "root","value": {"type": "String","string": "INFO"}}]}}},{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}}

3. Once you have edited both of these parameters in the JSON file (Step 2) and the ESA Explore view (Step 3), start the rsa-esa service:

#service rsa-esa start

4. Log in to the RSA Security Analytics UI.
Go to Administration > Services and select ESA.
Open the Explore view, go to Services - Configuration - logging, and edit the parameters below:
Change MaxBackupIndex to 12 and MaximumFileSize to 10485760.

The ESA server should now create 12 backup files (up to esa.log.12), each of 10 MB, under /opt/rsa/esa/logs/. Once it reaches the threshold, log rotation starts from the oldest file.

The changes in the JSON file (Step 2) and through the Explore view (Step 4) are both required to implement the change.
Please note that if the number of backups and/or the size of the log files is set too large, they could fill up the logging partition and cause the system to shut down unexpectedly. You should change these parameters in small increments and watch the system carefully. Issues may not arise for some time, depending on how busy the server is.
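The partition warning above can be checked before the service is restarted. The following Python sketch is an added example, not RSA's own tooling: it parses the typed-dictionary format of loggingConfiguration.json, applies the two new values, and compares the worst-case log footprint with the free space. The helper names and the 50% `reserve` margin are hypothetical, and the footprint formula assumes one live esa.log plus MaxBackupIndex rotated files.

```python
import json
import os

# Default loggingConfiguration.json from the article, embedded so this runs offline.
DEFAULT_CONFIG = (
    '{"type": "Dictionary","dictionary": {"entry": ['
    '{"key": "MaximumFileSize","value": {"type": "Number","number": {"type": "INT_64","int64": 4194304}}},'
    '{"key": "MaxBackupIndex","value": {"type": "Number","number": {"type": "INT_32","int32": 9}}},'
    '{"key": "LogLevels","value": {"type": "Dictionary","dictionary": {"entry": ['
    '{"key": "root","value": {"type": "String","string": "INFO"}}]}}},'
    '{"key": "DefaultLogLevel","value": {"type": "String","string": "INFO"}}]}}'
)

def _number_node(cfg, key):
    """Return the typed number node ({"type": "INT_64", "int64": ...}) for a top-level key."""
    for entry in cfg["dictionary"]["entry"]:
        if entry["key"] == key:
            return entry["value"]["number"]
    raise KeyError(key)

def get_number(cfg, key):
    node = _number_node(cfg, key)
    return node[node["type"].replace("_", "").lower()]  # INT_64 -> "int64"

def set_number(cfg, key, value):
    node = _number_node(cfg, key)
    node[node["type"].replace("_", "").lower()] = int(value)

def worst_case_bytes(cfg):
    # Assumption: the live esa.log plus MaxBackupIndex rotated files, each up to MaximumFileSize.
    return get_number(cfg, "MaximumFileSize") * (get_number(cfg, "MaxBackupIndex") + 1)

def free_bytes(path):
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize

def plan_change(cfg, max_size, max_backups, free, reserve=0.5):
    """Return (new_cfg, footprint, ok); ok is False when the worst-case footprint
    would exceed `reserve` (a hypothetical safety fraction) of the free space."""
    new_cfg = json.loads(json.dumps(cfg))  # deep copy; the input is left untouched
    set_number(new_cfg, "MaximumFileSize", max_size)
    set_number(new_cfg, "MaxBackupIndex", max_backups)
    footprint = worst_case_bytes(new_cfg)
    return new_cfg, footprint, footprint <= free * reserve

if __name__ == "__main__":
    # "/" keeps the demo portable; on the ESA host check /opt/rsa/esa/logs instead.
    new_cfg, footprint, ok = plan_change(json.loads(DEFAULT_CONFIG), 10485760, 12, free_bytes("/"))
    print("worst-case log footprint: %d bytes, fits: %s" % (footprint, ok))
    if ok:
        print(json.dumps(new_cfg))
```

With the article's values the worst case grows from 40 MB (10 files of 4 MB) to 130 MB (13 files of 10 MB), which is the figure to weigh against the free space on the logging partition.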