Article Number
000001448
Applies To
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.4.0.x
Issue
RSA ECAT Server Service does not start up.
Cause
The most common causes are an expired license or a changed password for the Service Account. This article deals with disk space issues in the ECAT\Server\Files folder.
Resolution
Over a period of time, the \ECAT\Server\Files folder can fill up the allotted space on the drive.
This folder contains sub-folders named by the timestamp of when the module was first discovered by an agent scan. Each sub-folder holds one or more copies of the module.
More details about modules are in the User Guide (sub-heading “Manage Modules”).
If the drive gets full, you can resolve the issue by the following methods:
- Look for files in the ECAT\Server\Files\Machines folder. This is where the MFT, Memory dumps and requested are deposited. Delete or move the files to another location.
- Check the ECAT\Server\Files\Uploaded folder. This contains unsupported kernels that are to be uploaded to RSA for identification of kernel drivers. For more details, read the section “Manage Agents -> Kernel Adaption System” in the Endpoint User Guide.
Workaround
You can conserve disk space by limiting the downloaded module size. The steps are as follows: UI -> Global Parameters -> Automatically Download New Modules. You have the option to disable this feature or to change the File Size Limit from 10 MB to 1 MB.
As a last resort, you can delete files out of the \ECAT\Server\Files folder. Below is a suggested method for finding the largest modules.
(The command below is an example; change the drive to where \Server\Files is located on your system.)
Get-ChildItem -Path e:\ECAT\Server\Files -Recurse | Sort-Object Length -Descending | Select-Object -First 20 | Out-File largeModules.txt
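To see which part of the Files folder is consuming the drive before deleting or moving anything, the following added example (not part of the original article and not an RSA-supplied script) reports free space, the size of each immediate sub-folder, and the largest individual files. It is read-only; the default path is the article's sample path and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not RSA's script. Read-only: it reports usage and deletes nothing.
# $FilesRoot defaults to the article's sample path (an assumption); change it to
# wherever \Server\Files lives on your system. Requires PowerShell 3.0 or later.
param(
    [string]$FilesRoot = 'e:\ECAT\Server\Files',
    [int]$Top = 20
)

if (-not (Test-Path -LiteralPath $FilesRoot -PathType Container)) {
    throw "Folder not found: $FilesRoot"
}

# Free and used space on the drive that holds the Files folder.
$drive = (Get-Item -LiteralPath $FilesRoot).PSDrive
'{0}: free {1:N1} GB, used {2:N1} GB' -f $drive.Name, ($drive.Free / 1GB), ($drive.Used / 1GB)

# Total size of each immediate sub-folder (Machines, Uploaded and the
# timestamp-named module folders), largest first.
Get-ChildItem -LiteralPath $FilesRoot -Directory | ForEach-Object {
    $files = Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue
    $sum   = ($files | Measure-Object -Property Length -Sum).Sum   # $null when the folder is empty
    [pscustomobject]@{
        Folder = $_.Name
        Files  = @($files).Count
        SizeMB = [math]::Round([double]$sum / 1MB, 1)
    }
} | Sort-Object SizeMB -Descending | Select-Object -First $Top | Format-Table -AutoSize

# Largest individual files, with last-write time to help decide what can be
# moved to another location.
Get-ChildItem -LiteralPath $FilesRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Sort-Object Length -Descending |
    Select-Object -First $Top FullName,
        @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } },
        LastWriteTime |
    Format-Table -AutoSize
```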