Disk Space full due to long running SDK queries in RSA Security Analytics 10.4+
Issue
"/" partition is full and core service crashed.
Cause
When long "sdk content" queries are run from NwConsole on any Core appliance, NwConsole writes to the hidden directory /root/.netwitness/SDK9/TempCache, which is located on the "/" partition, and fills it with all of the cached sessions exported by the "sdk content" command, roughly 4GB in size.
Resolution
It is best not to run "sdk content" calls from NwConsole on the same hardware as production systems. Use NwConsole on your desktop or some other system instead. There are installers for Mac and Windows.
Alternatively, pass a smaller cache size in the "sdk content" call parameters, e.g., cacheSize=1gb
The default is 4gb, so if you don't have enough space, reduce it. The cache is automatically cleaned up while the call is running (to keep it approximately within the amount of requested space) and is completely deleted when the command finishes. However, if the command never finishes, the cache will not get cleaned up, because somebody will eventually kill the NwConsole process. If NwConsole is killed, the user must manually delete the cache directory.
Do not delete the cache directory WHILE NwConsole is running! That will prevent it from working properly and you will not get the correct output!
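The manual cleanup described above can be scripted so that the cache is removed only when NwConsole is not running. This is an added example, not RSA's own tooling; it assumes the process is named NwConsole as seen by pgrep, and the CACHE_DIR and PROC_NAME variables, the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: remove a stale NwConsole SDK cache only when it is safe to.
CACHE_DIR="${CACHE_DIR:-/root/.netwitness/SDK9/TempCache}"  # path from the article
PROC_NAME="${PROC_NAME:-NwConsole}"  # assumption: process name as seen by pgrep

# Succeeds (0) if NwConsole is running, or if that cannot be determined.
nwconsole_running() {
    command -v pgrep >/dev/null 2>&1 || return 0  # no pgrep: fail safe
    pgrep -x "$PROC_NAME" >/dev/null 2>&1
}

# Prints the cache size in KB (0 when the directory does not exist).
cache_size_kb() {
    [ -d "$CACHE_DIR" ] || { echo 0; return 0; }
    du -sk "$CACHE_DIR" 2>/dev/null | awk '{print $1}'
}

# Returns 0 = removed or nothing to do, 2 = NwConsole running, 3 = unsafe path.
clean_stale_cache() {
    case "$CACHE_DIR" in
        */SDK9/TempCache) ;;  # only ever delete a directory with this suffix
        *) echo "refusing to delete unexpected path: $CACHE_DIR" >&2; return 3 ;;
    esac
    if [ ! -d "$CACHE_DIR" ]; then
        echo "no cache directory at $CACHE_DIR"
        return 0
    fi
    if nwconsole_running; then
        echo "$PROC_NAME is running; leaving $CACHE_DIR untouched" >&2
        return 2
    fi
    echo "removing stale cache ($(cache_size_kb) KB) at $CACHE_DIR"
    rm -rf -- "$CACHE_DIR"
}

# Run as: sh clean_sdk_cache.sh --clean   (script name is hypothetical)
if [ "${1:-}" = "--clean" ]; then
    clean_stale_cache
fi
```

Exit status 2 means NwConsole was detected and nothing was deleted; rerun after the process has finished or been stopped.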
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: LogDecoder, PacketDecoder, Archiver, Concentrator, Hybrid Logs, Hybrid Packets
RSA Version/Condition: 10.4+