What logs to collect when opening JIRA tickets for RSA Security Analytics
Issue
Which logs should I collect before I open a JIRA ticket with Engineering?
What are the paths to the troubleshooting logs needed when opening a JIRA ticket?
Resolution
The table below lists, per SA Component, the Logs Necessary for Troubleshooting. The `# tar` lines are example commands (run as root on the appliance) that bundle those logs into a single .tar.bz2 for attachment to the ticket.

- SA Component: UI - Administration
  Logs Necessary for Troubleshooting:
  Collect the HAR file by following the procedure mentioned in this link:
  https://wiki.netwitness.local/display/NextGenWeb/Debug+Information#DebugInformation-HARFile
  /var/lib/netwitness/uax/logs/sa.log
  /var/lib/netwitness/uax/logs/threaddump.log
  # tar -jcf /tmp/salogs-ui-administration.tar.bz2 /var/lib/netwitness/uax/logs/sa.log /var/lib/netwitness/uax/logs/threaddump.log

- SA Component: UI - Content Mgmt, UI - Investigator, UI - License Mgmt, UI - Malware Analysis, UI - Log Collection, UI - Report Definition, UI - Warehouse Connector
  Logs Necessary for Troubleshooting:
  Collect the HAR file by following the procedure mentioned in this link:
  https://wiki.netwitness.local/display/NextGenWeb/Debug+Information#DebugInformation-HARFile
  /var/lib/netwitness/uax/logs/sa.log
  # tar -jcf /tmp/salogs-ui-cilmlrw.tar.bz2 /var/lib/netwitness/uax/logs/sa.log

- SA Component: UI - ESA
  Logs Necessary for Troubleshooting:
  /var/lib/netwitness/uax/logs/sa.log
  /opt/rsa/esa/logs/esa.log
  # tar -jcf /tmp/salogs-ui-esa.tar.bz2 /var/lib/netwitness/uax/logs/sa.log /opt/rsa/esa/logs/esa.log

- SA Component: UI - SAW Mgmt, UI - SAW Query
  Logs Necessary for Troubleshooting:
  /var/lib/netwitness/uax/logs/sa.log
  # tar -jcf /tmp/salogs-ui-saw-mgmt+query.tar.bz2 /var/lib/netwitness/uax/logs/sa.log

- SA Component: SA Server
  Logs Necessary for Troubleshooting:
  For jetty 7:
  /var/lib/netwitness/uax/logs/sa.log
  /var/lib/netwitness/uax/logs/threaddump.log
  /var/lib/netwitness/uax/logs/*.stderrout.log*
  # tar -jcf /tmp/salogs-sa-server-jetty7.tar.bz2 /var/lib/netwitness/uax/logs/sa.log /var/lib/netwitness/uax/logs/threaddump.log /var/lib/netwitness/uax/logs/*.stderrout.log*
  For jetty 9:
  /var/lib/netwitness/uax/logs/sa.log
  /var/lib/netwitness/uax/logs/threaddump.log
  /var/lib/jetty9/logs/*.stderrout.log*
  # untested
  # tar -jcf /tmp/salogs-sa-server-jetty9.tar.bz2 /var/lib/netwitness/uax/logs/sa.log /var/lib/netwitness/uax/logs/threaddump.log /var/lib/jetty9/logs/*.stderrout.log*

- SA Component: Live, Log Decoder, Packet Decoder, Concentrator, Broker, Archiver Service, Extractor Service, Warehouse Connector
  Logs Necessary for Troubleshooting:
  /var/log/messages.log
  # tar -jcf /tmp/salog-messages.tar.bz2 /var/log/messages

- SA Component: Reporting Engine
  Logs Necessary for Troubleshooting:
  /var/lib/netwitness/uax/logs/sa.log
  /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log (SA version 10.x.x or above)
  /var/lib/netwitness/re/logs (SA version 9.x.x.x)
  Source logs; the source can be an SA device (i.e. Concentrator, Broker, Archiver) or SAW
  # tar -jcf /tmp/salogs-reporting-engine.tar.bz2 /var/lib/netwitness/uax/logs/sa.log /home/rsasoc/rsa/soc/reporting-engine/logs/reporting-engine.log /var/lib/netwitness/re/logs

- SA Component: Malware Analysis
  Logs Necessary for Troubleshooting:
  /var/lib/netwitness/rsamalware/jetty/logs
  /var/lib/netwitness/rsamalware/spectrum/logs/spectrum.log.*
  /var/lib/netwitness/uax/logs/sa.log
  # tar -jcf /tmp/salogs-malware-srv.tar.bz2 /var/lib/netwitness/rsamalware/jetty/logs /var/lib/netwitness/rsamalware/spectrum/logs/spectrum.log.* /var/lib/netwitness/uax/logs/sa.log

- SA Component: Carlos
  Logs Necessary for Troubleshooting:
  /var/lib/netwitness/uax/logs/sa.log
  /var/lib/jetty9/logs/stderrout.log.*
  # tar -jcf /tmp/salogs-carlos.tar.bz2 /var/lib/netwitness/uax/logs/sa.log /var/lib/jetty9/logs/stderrout.log.*

- SA Component: Event Stream Analysis (ESA)
  Logs Necessary for Troubleshooting:
  /opt/rsa/esa/logs/esa.log
  # tar -jcf /tmp/salogs-esa.tar.bz2 /opt/rsa/esa/logs/esa.log

- SA Component: SAW
  Logs Necessary for Troubleshooting:
  /opt/rsa/saw/logs/saw.log* from all nodes (run the matching command on each node)
  # tar -jcf /tmp/salogs-saw-node-1.tar.bz2 /opt/rsa/saw/logs/saw.log*
  # tar -jcf /tmp/salogs-saw-node-2.tar.bz2 /opt/rsa/saw/logs/saw.log*
  # tar -jcf /tmp/salogs-saw-node-3.tar.bz2 /opt/rsa/saw/logs/saw.log*

- SA Component: MAPR Zookeeper issues
  Logs Necessary for Troubleshooting:
  /opt/mapr/zookeeper/zookeeper-3.*.*/logs/zookeeper.log
  # needs testing
  # tar -jcf /tmp/salogs-mapr-zookeeper-issues.tar.bz2 /opt/mapr/zookeeper/zookeeper-3.*.*/logs/zookeeper.log

- SA Component: Hive issues
  Logs Necessary for Troubleshooting:
  /tmp/mapr/hive.log
  # tar -jcf /tmp/salogs-hive-issues.tar.bz2 /tmp/mapr/hive.log

- SA Component: CLDB issues
  Logs Necessary for Troubleshooting:
  /opt/mapr/logs/cldb.log
  /opt/mapr/logs/warden.log
  # tar -jcf /tmp/salogs-cldb-issues.tar.bz2 /opt/mapr/logs/cldb.log /opt/mapr/logs/warden.log

- SA Component: File Server
  Logs Necessary for Troubleshooting:
  /opt/mapr/logs/mfs.log
  # tar -jcf /tmp/salogs-file-server.tar.bz2 /opt/mapr/logs/mfs.log

- SA Component: Pivotal
  Logs Necessary for Troubleshooting:
  /tmp/gpadmin/hive.log
  /var/log/gphd/*.*
  # tar -jcf /tmp/salogs-pivotal.tar.bz2 /tmp/gpadmin/hive.log /var/log/gphd

- SA Component: Installation
  Logs Necessary for Troubleshooting:
  /postinstall.log and console output/screenshots
  # tar -jcf /tmp/salogs-installation.tar.bz2 /postinstall.log

- SA Component: Upgrades
  Logs Necessary for Troubleshooting:
  /postinstall.log and console output/screenshots
  # tar -jcf /tmp/salogs-upgrades.tar.bz2 /postinstall.log

- SA Component: Licensing
  Logs Necessary for Troubleshooting:
  /var/log/messages
  /var/log/fneserver/fne*log
  Output of the following commands from SA:
  wget http://localhost:3333/fne/xml/properties
  wget http://localhost:3333/fne/xml/devices
  wget http://localhost:3333/fne/xml/reservations
  wget http://localhost:3333/fne/xml/features
  wget http://localhost:3333/fne/xml/diagnostics
  From the affected appliance's 'Explore' view:
  - Output from /sys/license/stats
  - Right click 'properties' from /sys/license output from 'licInfo' dropdown
  # untested
  # for i in properties devices reservations features diagnostics; do wget -qO /tmp/sa-licensing-${i}.out http://localhost:3333/fne/xml/${i}; done
  # tar -jcf /tmp/salogs-licensing.tar.bz2 /var/log/messages /var/log/fneserver/fne*log /tmp/sa-licensing-*.out

- SA Component: Log Collector
  Logs Necessary for Troubleshooting:
  /var/log/messages.log
  /var/log/netwitness/logcollector/NwServerLog-###########.log (# = numeric)
  /var/log/netwitness/logcollector/NwServerLog-###########.logindex
  # untested
  # tar -jcf /tmp/salogs-log-collector.tar.bz2 /var/log/messages.log /var/log/netwitness/logcollector/NwServerLog-*.log /var/log/netwitness/logcollector/NwServerLog-*.logindex

- SA Component: Concentrator Crashes
  Logs Necessary for Troubleshooting:
  /var/netwitness/concentrator/metadb/core.*
  # tar -jcf /tmp/salogs-concentrator-cores.tar.bz2 /var/netwitness/concentrator/metadb/core.*

- SA Component: Warehouse Connector
  Logs Necessary for Troubleshooting:
  /var/log/netwitness/warehouseconnector/*.log
  Note: view the log using the Linux 'strings' command.
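Several of the tar commands above list paths that only exist on some versions or nodes (the 9.x and 10.x Reporting Engine paths, the jetty 7 and jetty 9 stderrout globs), and tar aborts or errors on a missing path. The helper below is an added example written for this article (it is not RSA's code and not a supported tool): it takes a component tag and the paths or globs from the table, skips what is not on the appliance with a warning, and writes the .tar.bz2 plus a manifest of SHA-256 sums so the ticket records exactly which files were attached. SALOGS_DIR is an assumed override for the /tmp output directory.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the KB article).
# collect_sa_logs <component-tag> <path-or-glob>...
# Writes ${SALOGS_DIR:-/tmp}/salogs-<tag>.tar.bz2 and salogs-<tag>.manifest,
# skipping paths that do not exist instead of letting tar fail part-way.
collect_sa_logs() {
    local tag outdir manifest archive flag pattern path n
    tag="$1"; shift
    outdir="${SALOGS_DIR:-/tmp}"
    manifest="$outdir/salogs-$tag.manifest"
    # The article uses -j (bzip2); fall back to gzip if bzip2 is not installed.
    if command -v bzip2 >/dev/null 2>&1; then
        archive="$outdir/salogs-$tag.tar.bz2"; flag=j
    else
        echo "warning: bzip2 not installed, writing gzip archive instead" >&2
        archive="$outdir/salogs-$tag.tar.gz"; flag=z
    fi
    echo "# collected $(date -u +%Y-%m-%dT%H:%M:%SZ) on $(uname -n) for $tag" > "$manifest"
    n=0
    for pattern in "$@"; do
        # Unquoted expansion applies the glob (e.g. *.stderrout.log*);
        # an unmatched glob stays literal and is reported as missing below.
        for path in $pattern; do
            if [ -e "$path" ]; then
                sha256sum "$path" >> "$manifest"   # "<hash>  <path>" per line
                n=$((n + 1))
            else
                echo "warning: $path not found, skipping" >&2
            fi
        done
    done
    if [ "$n" -eq 0 ]; then
        echo "error: none of the requested logs exist for $tag" >&2
        rm -f "$manifest"
        return 1
    fi
    # Feed the verified paths (2nd manifest column; log paths here contain no
    # spaces) to tar so the archive holds exactly what the manifest lists.
    awk '!/^#/ {print $2}' "$manifest" | tar "-${flag}cf" "$archive" -T - || return 1
    echo "$archive"
}

# Usage on an SA Server, mirroring the jetty 9 row of the table:
# collect_sa_logs sa-server-jetty9 /var/lib/netwitness/uax/logs/sa.log \
#     /var/lib/netwitness/uax/logs/threaddump.log '/var/lib/jetty9/logs/*.stderrout.log*'
```

Attach both the archive and the .manifest to the ticket; the manifest lets Engineering confirm the files were not truncated in transit.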
Internal Comments
UserName:shurtj
4/21/2014 9:56:09 PM - Added Goal and Fact Statements
Added relevant Goal and Fact statements for the article in order to abide with Primus best practices.
UserName:shurtj
8/6/2014 2:28:13 PM - Updated Article
Updated article and made changes to abide by Primus best practices. Changed title to include RSA Product and changed status to Copy Edited.
UserName:nichod5
8/13/2014 7:37:06 PM - added additional logs for warehouse connector
warehouse connector logs
UserName:mccotl
9/1/2014 7:02:59 AM - Admin
Corrected a couple of typos in article (spelling of 'Warehouse' as 'Warehosue'
UserName:salmeida
4/19/2024 11:02:59 AM - Archive
Request to archive; some devices are no longer in use, and we now use sosreport, which grabs all the files for the JIRAs.
Product Details
RSA Security Analytics
RSA Security Analytics Server
RSA Security Analytics Packet Decoder
RSA Security Analytics Log Decoder
RSA Security Analytics Log Collector
RSA Security Analytics Concentrator
RSA Security Analytics Broker
RSA Security Analytics Malware Analysis
RSA Security Analytics Event Stream Analysis
RSA Security Analytics IPDB Extractor
RSA Security Analytics Warehouse
RSA Security Analytics Warehouse Connector
Licensing
JIRA
Internal Only!!!