|Applies To||RSA Product Set: NetWitness Logs & Network, Security Analytics|
RSA Product/Service Type: NetWitness Admin Server / Security Analytics Server
RSA Version/Condition: 10.6.5.2
|Issue||The /var partition is at 100% usage quite often due to puppet yaml files.|
|Cause||Puppet content has been changed in version 10.6.5.2. At that version, the following has been added to the /etc/puppet/modules/appliance/manifests/init.pp file:|
The result is that the yaml file (puppet report) becomes much larger. Before version 10.6.5.2 each yaml was around 100KB whereas each yaml in version 10.6.5.2 is 6-7 MB in size. The file size can vary based on the number of files in /etc/netwitness/ng. This can result in an issue as the yaml files are stored in the small /var partition.
After the change is applied to the RSA NetWitness admin server, the cron job is updated to run every hour and keep only 2 hours of yaml report files. By default, the cron job runs every day and it keeps 7 days of yaml report files.