Understanding and managing log archival maintenance in RSA Authentication Manager 8.x
4 years ago
Originally Published: 2018-08-15
Article Number
000044355
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
 
Issue
Instructions or good practices for log archival and database maintenance are necessary in order to make report generation efficient and prevent the Authentication Manager, appliance disk drive from filling completely and preventing the system from working properly.
 
Authentication Manager 8.x has an internal PostgreSQL (pgSQL) database that includes data on;
  1. Users
    • Internal database users with complete information; e. g., UserID and email address, or
    • A pointer to the UserID (samAccountName, UPN) in an external LDAP identity source, such as Active Directory.
  2. Agents and RADIUS clients,
  3. Tokens, and
  4. Log data information for authentication activity, administrative activity and system errors.
 
This information can be viewed through reports generated in the Security Console. However, log data for authentication activity, administrative activity and system errors will ,over time, make the internal database grow larger and larger; which will make report generation take longer and longer.  This could potentially expand the database to fill the disk drive with catastrophic results, such as crashing the authentication system.
 
This is why Authentication Manager comes with default parameters to archive and purge log data, to help prevent the database and log archives from filling the disk.  As an Authentication Manager administrator you must make a determination as to the shelf-life or usefulness.  Consideration must be paid to how long should you maintain it for reporting purposes in light of how slow reports run, and more importantly how full the Authentication Manager disk becomes.
 
The following definitions apply:
  • Run time log data is authentication activity, successes, failures, node secret sent, offline day download for Windows agents, etc. that happen within Authentication Manager.
  • Administrative log data are the actions of your super admin and help desk administrators.  For example, when and to whom they assign or delete tokens, agents, etc.  This log covers basically everything that can be done in the Authentication Manager Security Console or Operations Console.
  • System log data is Java and system errors, critical event warnings, time setbacks, etc.
  • Online means data in the internal PostgreSQL database and available in Security Console reports.
  • Offline means data that has been archived and is no longer in the internal PostgreSQL database.  The data still exists in .csv files located in /opt/rsa/am/Log_archive or on a remote file system.
  • Validate log includes a digital signature file with each archived .csv file.
  • Export means move data the from internal PostgreSQL database to an external archive .csv file.
  • Purge means remove data from the internal PostgreSQL database.
Tasks
  1. Decide what data is necessary for reports and how long to keep it online.
  2. Decide how long to keep archived data on the Authentication Manager server, and 
  3. How to create a scheduled archive job to do this.
Resolution
Log archive options are in the Security Console under Administration > Archive Audit Logs.  You can either perform a single archive right now or schedule archive activities.
 
 Archives

As the administrator, you need to decide:
  1. What you need for online reports, which come from and are also stored in the internal PostgreSQL database on the Authentication Manager primary server.
  2. What you need for archived reports, which are harder to get at and are older.
  3. The three types of report data are:
    1. Run time authentication activity,
    2. Administrative activity of your super admins and help desk admins in the Authentication Manager database, and 
    3. System and debug messages and errors.
  4. The size of your Authentication Manager PostgreSQL database, including:
    1. The relation of the size to total disk space available on the hard drive, using disk usage (du) and disk filesystem (df) commands in Linux to measure,
    2. When/how often to run database compress to recover allocated but unused database table space, with the full vacuumdb command, and 
    3. The performance of reports, while also noting the LDAP lookup times also affect report performance, possibly more so than database size.
Notes
Purging and exporting/archiving log data to the local disk at the same time might actually cause problems in a system that has very little free disk space.  The purge of the data may not immediately make the database smaller, since it can mark table space as available for overwrite, while the export locally creates new files on the local disk, taking up more disk space , which could fill up the disk.  You may want to lower your archive retention of stored offline data from the default 180 days first, or in an emergency situation where free disk space is almost gone to purge only, not archive.

The following configurations all contribute to more data in the internal database:
  • Enabling verbose logging on the Authentication Manager server,
  • Using RSA Authentication Agent for Windows 7.3.3 [120] and lower that utilize offline days,
  • Keepalive authentication tests from Citrix NetScalers,
  • Intermittent or inconsistent connections from Authentication Manager to LDAP, and
  • Other tools such as Nagios.

Backing up the database locally from the Operations Console contributes to disk space usage in /opt/rsa/am/backup.  Also,backup to remote file systems uses local disk space while staging or creating the backup.

You may need to SSH into the Linux operating system and use the following commands to determine the cause of low disk space:
  • df -h to see free space on the entire disk 
rsaadmin@am82p:/opt/rsa/am/backup> df -h
Filesystem      Size  Used Avail Use% Mounted on
rootfs           99G  8.1G   86G   9% /
udev            2.0G  128K  2.0G   1% /dev
tmpfs           2.0G   48K  2.0G   1% /dev/shm
/dev/sda1        99G  8.1G   86G   9% /
  • du -sh to see utilization in the current directory
rsaadmin@am82p:/opt/rsa/am/backup> du -sh
4.3M    .​

Related Articles

Trending Articles

Don't see what you're looking for?