FortiSOAR Knowledge Base
Andy_G
Staff
Article Id 198247
Description
Every system needs running processes to fulfill its primary goal. At times, however, something goes wrong and a process crashes. Depending on the system's configuration, a core dump is then created. The primary reason to enable core dumps is troubleshooting: the dumped memory of the process can be used to debug the issue.

    If you are installing a fresh OVA for FortiSOAR™ v6.0.0, then the core dump for the FortiSOAR™ appliance is enabled by default. However, if you are upgrading from a lower version to FortiSOAR™ v6.0.0, then you are required to perform some steps to enable the core dump.

    The following procedure provides you with the steps to enable the core dump, assuming that you will use an additional disk for the core dump:

    Attach the additional disk and partition it:
        fdisk /dev/sdb

    Create an XFS filesystem on the new partition:
        mkfs.xfs /dev/sdb1

    Create the mount point. This creates the "coredump" directory under /var/log/cyops:
        mkdir /var/log/cyops/coredump

    Mount the partition:
        mount /dev/sdb1 /var/log/cyops/coredump

    Edit /etc/fstab to add the following entry so that the mount persists across reboots:
        /dev/sdb1 /var/log/cyops/coredump xfs defaults 0 0

    Reboot the system.

    Check that the partition is visible using the following command:
        lsblk

    Run the following commands to enable core dump:   
    echo "kernel.core_pattern=/var/log/cyops/coredump/core-%E-sig%s-user%u-group%g-pid%p-time%t" >> /etc/sysctl.d/cyops-core-dump.conf
    echo "kernel.core_uses_pid = 1" >> /etc/sysctl.d/cyops-core-dump.conf
    echo "fs.suid_dumpable = 2" >> /etc/sysctl.d/cyops-core-dump.conf
    echo "* hard core unlimited" >> /etc/security/limits.d/cyops-core-dump-limits.conf
    echo "* soft core unlimited" >> /etc/security/limits.d/cyops-core-dump-limits.conf
    echo "DefaultLimitCORE=infinity" >>/etc/systemd/system.conf
    echo "DAEMON_COREFILE_LIMIT='unlimited'" >> /etc/sysconfig/init
    systemctl daemon-reexec
    Reboot the system.

    To change permissions on the coredump folder:

    chmod 777 /var/log/cyops/coredump
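The following POSIX shell script is an added verification aid, not part of the Fortinet article: it checks that a sysctl fragment carries the three settings the procedure writes, decodes the file names that the article's kernel.core_pattern produces, and, when run with the argument "live", reports the effective settings on the host. The paths are the article's own; the function names (conf_value, check_sysctl_conf, core_file_signal, core_file_exe, check_live) and the sample dump name are this example's assumptions.

```shell
#!/bin/sh
# Added verification script (not from the Fortinet KB article): checks the
# core-dump settings the procedure above writes and decodes the file names
# that the article's kernel.core_pattern produces. Paths are the article's;
# the function names are this example's own.

COREDUMP_DIR=/var/log/cyops/coredump
SYSCTL_CONF=/etc/sysctl.d/cyops-core-dump.conf

# conf_value FILE KEY: print the value of the last "KEY = value" line in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_sysctl_conf FILE: succeed only if FILE carries the three settings the
# article writes. core_pattern must be an absolute path: with fs.suid_dumpable=2
# the kernel will not dump setuid processes to a relative pattern.
check_sysctl_conf() {
    f=$1
    case "$(conf_value "$f" kernel.core_pattern)" in
        /*) ;;
        *)  echo "kernel.core_pattern missing or not an absolute path" >&2; return 1 ;;
    esac
    [ "$(conf_value "$f" kernel.core_uses_pid)" = 1 ] ||
        { echo "kernel.core_uses_pid is not 1" >&2; return 1; }
    [ "$(conf_value "$f" fs.suid_dumpable)" = 2 ] ||
        { echo "fs.suid_dumpable is not 2 (suidsafe)" >&2; return 1; }
    return 0
}

# core_file_signal NAME: extract the signal number from a dump named by the
# article's pattern (core-%E-sig%s-user%u-group%g-pid%p-time%t). %E is the
# executable path with "/" replaced by "!", so a constructed example name is
# core-!opt!cyops!bin!example-sig11-user0-group0-pid1234-time1700000000 -> 11
core_file_signal() {
    printf '%s\n' "$1" |
        sed -n 's/^core-.*-sig\([0-9][0-9]*\)-user[0-9]*-group[0-9]*-pid[0-9]*-time[0-9]*$/\1/p'
}

# core_file_exe NAME: recover the executable path from the %E field.
core_file_exe() {
    printf '%s\n' "$1" | sed -n 's/^core-\(.*\)-sig[0-9][0-9]*-user.*$/\1/p' | tr '!' '/'
}

# check_live: report the effective settings on the running host (nothing here
# is exercised by an offline test; files that need root are read best-effort).
check_live() {
    printf 'core_pattern : %s\n' "$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unreadable)"
    printf 'suid_dumpable: %s\n' "$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unreadable)"
    printf 'ulimit -c    : %s\n' "$(ulimit -c)"
    if [ -f "$SYSCTL_CONF" ] && check_sysctl_conf "$SYSCTL_CONF"; then
        echo "sysctl conf  : $SYSCTL_CONF ok"
    else
        echo "sysctl conf  : $SYSCTL_CONF missing or incomplete"
    fi
    if mountpoint -q "$COREDUMP_DIR" 2>/dev/null; then
        echo "dump dir     : $COREDUMP_DIR is a separate mount"
    else
        echo "dump dir     : $COREDUMP_DIR is not a separate mount (or absent)"
    fi
}

if [ "${1:-}" = live ]; then
    check_live
fi
```

Run it as `sh check-coredump.sh live` after the reboot to confirm that the pattern, the dump limit and the mount are in effect. Two points worth keeping in mind when reading the output: a core dump is the full memory of the crashed process, so it can hold credentials and session data, and the chmod 777 step above makes the directory world-writable, so treat the files as sensitive and remove them once analysed; and fs.suid_dumpable = 2 ("suidsafe") makes the kernel write dumps of setuid processes readable only by root, which is why it requires an absolute core_pattern such as the one the article sets.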
