000032783 - How to retrieve historical info on every RSA NetWitness appliance for debug purposes

Document created by RSA Customer Support Employee on Jun 29, 2018
Last modified by RSA Customer Support Employee on Jun 29, 2018
Version 2

Article Content

Article Number: 000032783
Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Health & Wellness, Security Analytics Server, Core Services
Platform: CentOS

Issue
Besides the Health and Wellness monitoring section available from the RSA NetWitness Platform UI, it is sometimes useful to retrieve historical information such as memory, CPU, disk I/O, swap and network traffic directly from the CentOS CLI using sar.

Tasks
By default, CentOS provides a cron job in /etc/cron.d/sysstat that populates /var/log/sa/ with these system logs and stores them for a month.
Using the sar command, available on every Security Analytics appliance, we can extract information from these logs, most recent first, with the scripts below.

Resolution

MEMORY

# sa[0-3][0-9] matches the daily binary files sa01..sa31 (sa[0-1]* would skip days 20-31)
for i in $(ls -t /var/log/sa/sa[0-3][0-9]); do sar -r -f "$i"; done > sar_debug_memory.log

SWAP


# -S reports swap space utilization; sa[0-3][0-9] covers every day of the month
for i in $(ls -t /var/log/sa/sa[0-3][0-9]); do sar -S -f "$i"; done > sar_debug_Swap.log

CPU


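# -u reports CPU utilization (-p only pretty-prints device names); sa[0-3][0-9] covers every day
for i in $(ls -t /var/log/sa/sa[0-3][0-9]); do sar -u -f "$i"; done > sar_debug_cpu.log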


Disks IO

# -b reports I/O and transfer rate statistics; sa[0-3][0-9] covers every day of the month
for i in $(ls -t /var/log/sa/sa[0-3][0-9]); do sar -b -f "$i"; done > sar_debug_IO.log


NETWORK (all NICs)

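# -n DEV reports per-interface network statistics; sa[0-3][0-9] covers every day of the month
for i in $(ls -t /var/log/sa/sa[0-3][0-9]); do sar -n DEV -f "$i"; done > sar_debug_Network.log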


The scripts create the files sar_debug_memory.log, sar_debug_Swap.log, sar_debug_cpu.log, sar_debug_IO.log and sar_debug_Network.log respectively, in the directory they were run from. The files can be viewed with the vi editor, for example (if the scripts were run from the /root directory):
 

vi /root/sar_debug_Network.log

Please note the average at the end of each day's report:
[Screenshot: network_sar_average]

For more information about the columns and options, I would suggest consulting the sar man page.
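
To pull just those end-of-day averages out of one of the generated files, the following added example (not part of the original article or of any RSA tooling) reads a sar_debug_*.log on stdin and prints one line per "Average:" row for a chosen column. The function names sar_avg_metric and sample_sar_log, the host name and all figures in the sample are constructed for illustration; the script assumes the date is the fourth field of the banner line that sar prints at the top of each report.

```shell
# sar_avg_metric COLUMN [MIN] < sar_debug_X.log
# Prints "date key value" for every Average: row; key is the IFACE/CPU name,
# or "-" for reports without one. With MIN, only rows whose value exceeds MIN.
sar_avg_metric() {
    awk -v col="$1" -v min="${2:-}" '
        /^Linux / { day = $4; next }   # banner of each sar -f run (assumed layout)
        {
            # Header row: remember the column position counted from the right,
            # so rows with a 12-hour "AM/PM" timestamp and "Average:" rows agree.
            for (i = 1; i <= NF; i++)
                if ($i == col) { off = NF - i; found = 1; next }
        }
        /^Average:/ && found {
            val = $(NF - off)
            key = ($2 ~ /^[0-9.]+$/) ? "-" : $2
            if (min == "" || val + 0 > min + 0) print day, key, val
        }
    '
}

# Constructed sample: two days of "sar -n DEV" output, newest first.
sample_sar_log() {
    cat <<'EOF'
Linux 3.10.0-862.el7.x86_64 (nwhost01)  06/29/2018  _x86_64_  (4 CPU)

12:00:01 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
12:10:01 AM        lo      1.00      1.00      0.10      0.10      0.00      0.00      0.00
12:10:01 AM      eth0    200.00    150.00    300.00     90.00      0.00      0.00      0.00
Average:        IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
Average:           lo      1.00      1.00      0.10      0.10      0.00      0.00      0.00
Average:         eth0    200.00    150.00    300.00     90.00      0.00      0.00      0.00
Linux 3.10.0-862.el7.x86_64 (nwhost01)  06/28/2018  _x86_64_  (4 CPU)

12:00:01 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
12:10:01 AM        lo      1.00      1.00      0.10      0.10      0.00      0.00      0.00
12:10:01 AM      eth0     30.00     20.00     40.00     20.00      0.00      0.00      0.00
Average:        IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
Average:           lo      1.00      1.00      0.10      0.10      0.00      0.00      0.00
Average:         eth0     30.00     20.00     40.00     20.00      0.00      0.00      0.00
EOF
}

# Demo: days and interfaces whose average receive rate exceeded 100 kB/s.
sample_sar_log | sar_avg_metric 'rxkB/s' 100
```

On an appliance, the same function can be fed a real file, for example `sar_avg_metric '%memused' < /root/sar_debug_memory.log`, using a column name exactly as it appears in that report's header row.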

 
