No Transactions Showing in Forensics UI Due to Disk Space Used Up in RSA Web Threat Detection 4.6
RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics
RSA Version/Condition: > 5.1
Platform: Windows
Web Threat Detection Log and Report files have grown to the point of using up most of the available disk space.
System Management page -- the certificate page will not load.
Forensics page -- hourly transactions are not visible, alerts cannot be retrieved, and the graph does not populate.
1. Determine whether the processes are running:
ps -ef | grep -i silvertail
2. Determine whether disk space has been used up.
If available disk space is at or near 0%, proceed to the resolution steps.
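The following POSIX shell script is an added example and is not part of the RSA article or the WTD product. It automates the two checks above (silvertail processes, filesystem usage) together with the data-age check from resolution step 1, using the two data directories the article names. The 30-day age window is an assumption and should be replaced with the customer's actual retention period.

```shell
#!/bin/sh
# Added triage helper (not from the RSA article or the WTD product).
# Directories are the ones the article names; the default 30-day window
# is an assumption standing in for the customer's retention policy.

WTD_LOGS=/var/opt/silvertail/data/logs
WTD_REPORTS=/var/opt/silvertail/data/reports

# Step 1: list silvertail processes. The bracket pattern stops grep from
# matching its own command line, so an empty result means nothing is running.
wtd_processes() {
    ps -ef | grep -i '[s]ilvertail'
}

# Step 2: percentage of the filesystem holding $1 that is in use, as a bare
# integer. df -P gives the portable single-line format; column 5 is Capacity.
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Returns 0 when the filesystem holding $1 is at or above $2 percent used
# (the article's "at or near 0% available" condition; default threshold 99).
disk_is_full() {
    used=$(disk_used_pct "$1")
    [ "$used" -ge "${2:-99}" ]
}

# Resolution step 1: count regular files under $1 older than $2 days, i.e.
# data a retention policy of $2 days would allow Diskreaper to remove.
# Prints 0 for a directory that does not exist on this host.
files_older_than_days() {
    [ -d "$1" ] || { echo 0; return; }
    find "$1" -type f -mtime +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Human-readable summary of all three checks for both data directories.
wtd_triage_report() {
    retention_days=${1:-30}
    echo "== silvertail processes =="
    wtd_processes || echo "(none running)"
    for dir in "$WTD_LOGS" "$WTD_REPORTS"; do
        echo "== $dir =="
        if [ -d "$dir" ]; then
            echo "filesystem used: $(disk_used_pct "$dir")%"
            echo "files older than $retention_days days: $(files_older_than_days "$dir" "$retention_days")"
        else
            echo "(directory not present on this host)"
        fi
    done
}

# Run the report when executed as a script (e.g. "sh wtd_triage.sh 30");
# sourcing the file only defines the functions.
case "$0" in
    *wtd_triage.sh) wtd_triage_report "$@" ;;
esac
```

Run it as `sh wtd_triage.sh 30` on the WTD host, substituting the customer's retention period for 30. A non-empty "files older than" count next to a near-full filesystem is the case the resolution steps below address: Diskreaper is either disabled or configured with a window longer than the disk can hold.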
1. Determine the age of the data in /var/opt/silvertail/data/logs and /var/opt/silvertail/data/reports.
2. Determine whether Diskreaper has been enabled and, if so, what its settings are.
3. Determine whether the current Diskreaper settings can keep up with the amount of data being stored.
4. Ask the customer to provide their data retention policy (how long they need to keep logs and reports).
5. Set Diskreaper so that, with the given system resources, the system can maintain an amount of data that meets the customer's data retention policy.
6. Consider asking the customer to move data off the system if there is no disk space, either to temporarily restore the system to functionality or to free up more disk space for normal running.
Logs and reports can easily be moved off and back; a services restart restores the data.
7. Restart all services and make sure FI and System Manager are functioning.
8. If the Forensics UI is still not populating, torginizer may not have written the .task file needed to create the hourly reports, even after data was removed and services were started.
A. Go to /var/opt/silvertail/data/tasks. There should be failed tasks in indexer/failed.
If the hourly *.task file is missing, run this command:
This should create the task file. Check Forensics; it should be populating the hourly data.
Configuration and use of Diskreaper, available since version 4.6, is described in the WTD product documentation in the SCOL System Management Guide.