By default, Security Analytics core appliances are configured to dump core files to the /var/netwitness/<appliance_type> directory. At times, this may cause disk space issues and could potentially prevent a core service from running.
The core file location can be changed. Note that core files too large for the designated area will be truncated.
By default, core dumps are written to a core appliance's working directory. That directory is defined in the configuration file in the /etc/init directory, named <nwapplianceType>.conf.
This example explains how to change the core dump directory for a Log Decoder. The .conf file name in /etc/init.d and the location of the chdir statement vary according to the appliance type you are working with. Also ensure that the directory you select for the core dump has enough space to accommodate a core dump of several gigabytes. Never specify the root ( / ) directory as the location.
Back up the existing logdecoder.conf file.
cp logdecoder.conf logdecoder.conf.bak<date>
Edit the log decoder configuration file using vi.
Locate this statement:
Change the path here to a new directory. (This example uses /var/tmp)
In order for the new parameter to take effect, the Log Decoder process must be restarted.
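The steps above, written as a shell function that also enforces the two caveats (never the root directory, enough free space). This is an added example, not part of the original article or any RSA tooling; the function name set_core_dir, the MIN_FREE_KB threshold and the assumption that the file holds a single "chdir <path>" line are hypothetical.

```shell
#!/bin/sh
# Added example: repoint the chdir statement of a core service's .conf file
# at a new core dump directory. Assumes one line of the form "chdir <path>".
# MIN_FREE_KB is a hypothetical threshold (default 8 GiB, i.e. "several gigabytes").
MIN_FREE_KB="${MIN_FREE_KB:-8388608}"

set_core_dir() {
    conf="$1"; newdir="$2"
    { [ -f "$conf" ] && [ -n "$newdir" ]; } ||
        { echo "usage: set_core_dir <conf-file> <directory>" >&2; return 1; }

    # Resolve symlinks and ".." so a path such as /usr/.. cannot pass the root check.
    real=$(cd -- "$newdir" 2>/dev/null && pwd -P) ||
        { echo "not a directory: $newdir" >&2; return 1; }
    [ "$real" != "/" ] || { echo "refusing to use / for core dumps" >&2; return 1; }
    # Allowlist path characters so the value is safe inside the sed replacement.
    case "$real" in *[!A-Za-z0-9/._-]*)
        echo "unsupported characters in $real" >&2; return 1;; esac

    # Available space (KB) on the filesystem holding the new directory.
    free_kb=$(df -Pk "$real" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$MIN_FREE_KB" ] ||
        { echo "only ${free_kb} KB free in $real" >&2; return 1; }

    grep -Eq '^[[:space:]]*chdir[[:space:]]' "$conf" ||
        { echo "no chdir statement in $conf" >&2; return 1; }

    # Back up before editing, as in the manual procedure.
    cp -p "$conf" "$conf.bak$(date +%Y%m%d%H%M%S)" || return 1

    # Rewrite only the chdir line; cat keeps the original file's owner and mode.
    tmp=$(mktemp) || return 1
    sed -E "s|^([[:space:]]*chdir[[:space:]]+).*|\1$real|" "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}
# Example call: set_core_dir <path-to>/logdecoder.conf /var/tmp
# The service must still be restarted afterwards for the change to take effect.
```

All checks run before the backup is taken, so a rejected directory leaves both the configuration file and the backup set untouched.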
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.