000036431 - The /var partition gets full frequently after upgrading the RSA NetWitness server to version

Document created by RSA Customer Support Employee on Jun 16, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036431
Applies ToRSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: NetWitness Admin Server / Security Analytics Server
RSA Version/Condition:
IssueThe /var partition is at 100% usage quite often due to puppet yaml files.
CausePuppet content has been changed in version  At that version, the following has been added to the /etc/puppet/modules/appliance/manifests/init.pp file:

file { '/etc/netwitness/ng':
                ensure => directory,
                recurse => true,
                owner => "root",
                group => "root",
                mode => 0600

The result is that the yaml file (puppet report) becomes much larger.  Before version each yaml was around 100KB whereas each yaml in version is 6-7 MB in size. The file size can vary based on the number of files in /etc/netwitness/ng.  This can result in an issue as the yaml files are stored in the small /var partition.

Change /etc/puppet/modules/puppet-master/manifests/init.pp as following:

cron {'cleanup-puppet-reports-cronjob' :
        require => Package['rsa-puppet-scripts'],
        environment => "PATH=/bin:/sbin:/usr/bin:/usr/sbin",
        command => 'cd /var/lib/puppet/reports && find . -type f -name \*.yaml -mmin +120 -print0 |xargs -0 -n50 /bin/rm -f',
        user    => root,
       hour => 23,
        minute  =>  0,

After the change is applied to the RSA NetWitness admin server, the cron job is updated to run every hour and keep only 2 hours of yaml report files. By default, the cron job runs every day and it keeps 7 days of yaml report files.