
How can I reset Event Source Monitoring (ESM) stats in NetWitness?

Issue

The Event Source Monitoring stats must be reset due to old entries.


Tasks

The following tasks will be addressed in this article:
  1. Clear the Log Stats on the Log Decoder service (using the logStats method)
  2. Stop the services on the Security Analytics Server
  3. Remove files and directories on the Security Analytics Server
  4. Remove the records in the ESM eventsources MongoDB collection
  5. Start the services on the Security Analytics Server

Resolution

Clear the Log Stats on the Log Decoder Service
Note: This clears the log stats relating to last receive times for log devices, sources and forwarders.
  1. Log in to the Security Analytics UI.
  2. Navigate to the Explore page of the Log Decoder.
  3. Right-click on the decoder folder and select Properties.
  4. In the Properties for /decoder window at the bottom of the page, select the logStats method from the drop-down menu.
  5. Type op=clear in the parameters field.
  6. Click the Send button.
Note: This command produces no output in the Response Output box.

NetWitness 10.x: Stop the necessary services on the Security Analytics Server
  1. SSH to the Security Analytics server.
  2. Stop the services using the following commands:
service puppet stop
service collectd stop
service rsa-sms stop
NetWitness 11.x: Stop the necessary services on the NetWitness Server
  1. SSH to the NetWitness server.
  2. Stop the services using the following commands:
systemctl stop collectd.service
systemctl stop rsa-sms.service


Remove files and directories on the Security Analytics Server
  1. Change directory to /var/lib/netwitness/collectd via SSH.
  2. Type rm -f ESMAggregator at the command prompt.
  3. Get the UUID from the Log Decoder:
     NetWitness 10.X: use the /etc/puppet/scripts/node_id.py script.
     NetWitness 11.X: run the command grep id: /etc/salt/minion.
  4. Type cd rrd/ at the command prompt.
  5. Type rm -rf esm_update* at the command prompt.
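The file-removal steps above chain a cd with a recursive rm, so a failed cd (wrong host, collectd directory not yet created) would leave rm -rf esm_update* running in whatever directory the shell was in. The following function is an added example, not part of the RSA article or the NetWitness product: it removes the same two items (ESMAggregator and rrd/esm_update*) under the path the article names, but refuses to run unless both the collectd directory and its rrd/ subdirectory exist, supports a dry run so the operator can review the target list first, and prints the number of items removed. The base-directory and dry-run parameters are this example's own convention.

```shell
# Added example (not from the RSA article): guarded removal of the on-disk
# Event Source Monitoring state described in the steps above.
#
# usage: esm_remove_files [BASE_DIR] [DRY_RUN]
#   BASE_DIR defaults to /var/lib/netwitness/collectd (the article's path).
#   DRY_RUN=1 lists the items that would be removed (to stderr) and deletes
#   nothing. Stdout carries the count of items removed (or that would be).
# Returns 1 without touching anything when the expected directories are absent.
esm_remove_files() {
    base="${1:-/var/lib/netwitness/collectd}"
    dry_run="${2:-0}"

    # Guard: both directories must exist, otherwise a bare "cd rrd/" would fail
    # and the recursive rm that follows it would run in the wrong directory.
    if [ ! -d "$base" ] || [ ! -d "$base/rrd" ]; then
        echo "esm_remove_files: $base or $base/rrd is missing, nothing removed" >&2
        return 1
    fi

    removed=0
    # Only the ESMAggregator file and the esm_update* RRD files are ESM state;
    # every other RRD under rrd/ belongs to other collectd plugins and is kept.
    for f in "$base/ESMAggregator" "$base"/rrd/esm_update*; do
        [ -e "$f" ] || continue   # unmatched glob stays literal; skip it
        if [ "$dry_run" = "1" ]; then
            echo "would remove: $f" >&2
        else
            rm -rf -- "$f"
        fi
        removed=$((removed + 1))
    done

    echo "$removed"
    return 0
}
```

Run it first with DRY_RUN=1 on the server and compare the listed paths with what you expect before running it for real; the count it prints should match the number of entries listed.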
Remove the records in the ESM eventsources collection
  1. Log into the mongo esm database:
     For NetWitness 10.X, type mongo esm at the command prompt.
     For NetWitness 11.X, type mongo esm -u deploy_admin -p --authenticationDatabase admin at the command prompt.
  2. Type db.eventsources.remove({}) at the mongo command prompt.
     Note: For more targeted record removal, refer to KB #000034830 - How-to Bulk Remove "sources" from Event Source Management (ESM).
  3. Type quit() (or exit) at the mongo command prompt.

NetWitness 10.x: Start the collectd, rsa-sms, and puppet services on the Security Analytics Server
Note: The automatic puppet agent -t run that is triggered by restarting the puppet agent service will, after some delay, automatically restart the collectd and rsa-sms services in most cases.
service puppet start
service collectd start
service rsa-sms start
Note: If you can't access the NetWitness Web UI after restart of rsa-sms service, you may need to restart the jettysrv service as well using the following commands:
stop jettysrv
start jettysrv


NetWitness 11.x: Start the collectd and rsa-sms services on the NetWitness Server, then restart nginx
systemctl start collectd.service
systemctl start rsa-sms.service
systemctl restart nginx.service

Note: If you can't access the NetWitness Web UI after the restart of the rsa-sms service, you may need to restart the jetty service as well using the following commands:
systemctl stop jetty.service
systemctl start jetty.service

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Notes

All steps after "Clear the Log Stats on the Log Decoder Service" are to be completed on the Security Analytics Server.

When removing the eventsources collection in the video, the command should have been db.eventsources.remove({}), as in step 2 above. The missing query parameter caused the error seen.

This article is marked "Internal" because it involves modifying mongo databases from the CLI.


Internal Comments

REST method is called logStats. This is not a typo.


Product Details

RSA Product Set: NetWitness, Security Analytics
RSA Product/Service Type: NetWitness Server/Security Analytics Server
RSA Version/Condition: 10.5.x, 10.6.x, 11.0.x, 11.1.x
Platform: CentOS
O/S Version: EL6

Summary

This article contains the steps necessary to reset the Event Source Monitoring stats in the event one needs to clear out stale entries in RSA Security Analytics 10.5 and 10.6 and RSA NetWitness 11.x.

