Hi Team,
When we checked the RSA logs on our SecurID server, we observed this argument.
Go to the /opt/rsa/am directory and run
du -h --max-depth=1
to see which directories take up the most space.
Typically /opt/rsa/am/server/logs will have a lot, especially if trace log was left in verbose.
The other directory to check is /opt/rsa/am/radius.
Both of these locations can fill with logs that do not get archived and deleted as part of normal system log maintenance.
radius can fill up, typically if you have a RADIUS probe that checks whether RADIUS is up every few seconds
(I have seen overly aggressive probes like this fill up the radius dir).
Example (mine is very light, nowhere near any limits):
rsaadmin@edavis-vm150:/opt/rsa/am> du -h --max-depth=1
4.0K ./logs
12M ./Log_archive
200M ./pgsql
212K ./webtier_customizations
9.8G ./updates
267M ./rsapgdata
du: cannot read directory './radius/backups': Permission denied
1.5G ./radius
92K ./webtier_VirtualHosts
1.6G ./server
248K ./Oracle
853M ./webtier_configurations
1.6G ./appserver
4.0K ./migration
1.4M ./replication
854M ./components
705M ./backup
2.1M ./install_logs
26M ./config
160M ./utils
52K ./etc
18G .
cd server
rsaadmin@edavis-vm150:/opt/rsa/am/server> du -h --max-depth=1
8.0K ./lib
4.0K ./autodeploy
907M ./logs
4.0K ./original
8.0K ./orchestration
4.0K ./pending
72K ./bin
4.0K ./upload
20K ./exportdata
21M ./apps
96K ./wrapper
4.0K ./downloads
702M ./servers
8.0K ./migration
184K ./backup_config
148K ./security
232K ./init-info
100K ./config
4.0K ./rsa_rpts
20K ./licenses
4.0K ./tmp
12K ./nodemanager
1.6G .
Now, if rsapgdata is huge, please open a case, as it may be filling with logs that can be removed. For example, perhaps you have an LDAP connection that doesn't work and doesn't harm normal operations, but makes a database log entry about LDAP issues for every authentication; this can also fill up the drive.
You can just delete the logs from the radius and server directories, but you may want to sftp them off the machine instead, just in case there are some forensics you need to retain. Authentication forensics, though, are in the normal database as authentication, administrator, and system activity logs, and these three are under the log archiving routine and can be saved as flat files. If you send everything to syslog (everyone should be doing this), then the logs on the RSA server are not that important as long as your syslog receiver/SIEM is sound.
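The procedure in the answer above (find the largest directories, then copy old logs off before deleting them), as an added example that is not part of the original post and is not RSA tooling. It assumes GNU du, find and tar, that rotated logs match *.log*, and a 14-day age cutoff; the function names and the tarball path are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not RSA tooling. Assumptions: rotated logs match "*.log*"
# and anything not modified for more than AGE_DAYS days can leave the box.
AGE_DAYS="${AGE_DAYS:-14}"

# Print the immediate subdirectories of $1, largest first, as "KB<TAB>path".
# The grand-total line that du prints for $1 itself is filtered out.
largest_dirs() {
    du -k --max-depth=1 "$1" 2>/dev/null |
        awk -F'\t' -v top="$1" '$2 != top' | sort -rn
}

# Pack log files older than AGE_DAYS under $1 into tarball $2, confirm the
# tarball lists every one of them, and only then delete the originals.
# Prints the number of files archived; deletes nothing if the archive fails.
archive_old_logs() {
    local list count
    list="$(mktemp)" || return 1
    find "$1" -type f -name '*.log*' -mtime +"$AGE_DAYS" -print0 > "$list"
    count=$(( $(tr -cd '\0' < "$list" | wc -c) ))
    if [ "$count" -eq 0 ]; then
        rm -f "$list"; echo 0; return 0
    fi
    if tar -czf "$2" --null -T "$list" 2>/dev/null &&
       [ "$(tar -tzf "$2" | wc -l)" -eq "$count" ]; then
        xargs -0 rm -f -- < "$list"
    else
        rm -f "$list"
        echo "archive failed, nothing deleted" >&2
        return 1
    fi
    rm -f "$list"
    echo "$count"
}

# Typical use on the server (the tarball name is a placeholder); sftp the
# tarball to your retention host afterwards:
#   largest_dirs /opt/rsa/am
#   archive_old_logs /opt/rsa/am/server/logs /tmp/server-logs.tgz
```

Write the tarball to a filesystem other than the one that is full, and check that the syslog/SIEM copy of the authentication, administrator and system activity logs is intact before relying on it alone.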