Skip to content
  • There are no suggestions because the search field is empty.

How to configure automated ESA storage maintenance in RSA NetWitness Platform

Issue

When the number of alerts stored in the ESA database has reached such a high quantity that the database size becomes very large, performance can be negatively impacted.


Tasks

In order to ensure that the ESA alerts database remains at a manageable size that does not negatively affect performance, it is possible to configure automatic maintenance on the ESA appliance, which will periodically remove alerts when specific user-defined thresholds are exceeded.

To configure ESA maintenance, follow the steps below.
  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Select the ESA appliance, click on the red Actions button in the far right column, and select View -> Explore.
  3. In the directory tree in the Explore view, expand the Alert directory followed by the Storage directory.
  4. Click on the maintenance directory.  Options for ESA maintenance will be displayed in the right pane.
  5. Modify the DatabaseDiskUsageLimitInMBDaysToDeleteWhenLimitExceeded, Schedule, and/or KeepAlertsForDays values to be what you desire.
  6. Change the value for Enabled to be true rather than false.
Once the changes have been applied, click on the  maintenance folder again to refresh the values.  After a moment, the  NextMaintenanceScheduledAt value should display the date and time of the next maintenance run that will be performed, as shown in the screenshot below.

User-added


The maintenance status can also be monitored in the /opt/rsa/esa/logs/esa.log file on the ESA appliance, which will display messages similar to the example below.
 
2015-03-12 09:46:48,197 [Carlos@65dd6c04-56] INFO  com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,121 [scheduler_Worker-1] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Starting the scheduled database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120}
2015-03-12 09:46:51,122 [Carlos@3801f0b3-58] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Scheduled a database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120} to run at 2/28/15 2:00 AM
2015-03-12 09:46:51,129 [Carlos@3801f0b3-58] INFO  com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,133 [scheduler_Worker-1] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Finished the database maintenance job, deleted 0 partitions, next run scheduled at 3/14/15 2:00 AM


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Notes

Reference NetWitness 10.6.x online documentation for this topic, ESA Config: Configure ESA Storage

Product Details

RSA Product Set: NetWitness Logs & network
RSA Product/Service Type: Event Stream Analysis (ESA), Security Analytics UI
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6

Summary

How to configure the NetWitness ESA appliance to periodically delete alerts in order to keep the database at a manageable level.


Approval Reviewer Queue

RSA NetWitness Suite Approval Queue