
How to delete entries from the Incident Management (IM) database in RSA Security Analytics 10.x

Tasks

This article describes how to delete old events from the Incident Management (IM) database that have accumulated over time and are no longer needed.
To do this you need SSH access to the ESA appliance as the root user.

Resolution

The IM database resides on the ESA appliance. Connect to the ESA appliance via SSH as the root user and perform the following:

Log into the mongo IM database

mongo im -u im -p im
Check how many alerts are present in the alert collection
> db.alert.count()


Removing Alerts shown in Incident \ Alerts of Incident Management from Mongo

Example Command 1) The following command removes alerts by time range (receivedTime from 1 Nov 2000 inclusive up to, but not including, 1 Dec 2000):
> db.alert.remove({receivedTime: { $gte: ISODate('2000-11-01'), $lt: ISODate('2000-12-01') }})
Example Command 2) The following command removes ALL alerts from the IM alert collection:
> db.alert.remove({})
Confirm the number of records after removal:
> db.alert.count()



As per KB # 000032518 - Incidents page fails to load due to huge number of alerts waiting to be processed in RSA Security Analytics 10.5

If the size of the alert collection is of concern, you may need to reduce it using:

> db.alert.reIndex()
Note: If you remove entries from the collection without running reIndex, the size of the collection may remain the same after the remove, as seen in show collections.


Removing Incidents shown in Incident \ Queue of Incident Management

The following removes ALL incidents from the IM incidents collection:
> db.incident.count()
> db.incident.remove({})
> db.incident.count()

If the size of the incident collection is of concern, you may need to reduce it using:

> db.incident.reIndex()

A service restart may be needed if the change is not reflected in the Security Analytics UI. To restart the IM service, connect to the Security Analytics Server via SSH as the root user and enter the following commands:
service rsa-im stop
service rsa-im start
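The alert-removal steps above (count, remove by time range, count again, reIndex) can be wrapped so that a dry run reports what would be deleted before anything is removed. The script below is an added example, not RSA's own tooling; it assumes the same "im" database and "alert" collection the article uses, is written for the legacy mongo shell (run it as mongo im -u im -p im purge_alerts.js), and takes the time range as two YYYY-MM-DD dates.

```javascript
// Added example (not part of the RSA article or product): guarded purge of IM alerts.
// Assumed: the "im" database with its "alert" collection, as used in the article above.

// Build the receivedTime range filter from two YYYY-MM-DD strings (UTC midnight).
// The end date is exclusive, matching the $lt in the article's example command.
function buildRangeFilter(startDate, endDate) {
  var re = /^(\d{4})-(\d{2})-(\d{2})$/;
  var s = re.exec(startDate), e = re.exec(endDate);
  if (!s || !e) { throw new Error('dates must be YYYY-MM-DD'); }
  var start = new Date(Date.UTC(+s[1], +s[2] - 1, +s[3]));
  var end   = new Date(Date.UTC(+e[1], +e[2] - 1, +e[3]));
  if (!(start < end)) { throw new Error('start date must be before end date'); }
  return { receivedTime: { $gte: start, $lt: end } };
}

// Count first; delete only when dryRun is false; verify by counting again.
// Returns the numbers so the operator keeps a record of what was removed.
function purgeAlerts(db, startDate, endDate, dryRun) {
  var filter = buildRangeFilter(startDate, endDate);
  var coll = db.alert;
  var total = coll.count();
  var matched = coll.count(filter);
  var result = { total: total, matched: matched, removed: 0, dryRun: !!dryRun };
  if (dryRun || matched === 0) { return result; }
  coll.remove(filter);
  // Verify by recount rather than trusting the remove() return value (older shells return nothing).
  result.removed = total - coll.count();
  return result;
}

// Inside the mongo shell 'db' is the connected database; under plain node it is undefined,
// so only the functions above are defined.
if (typeof db !== 'undefined') {
  // Step 1: dry run, nothing is deleted; review the matched count before step 2.
  printjson(purgeAlerts(db, '2000-11-01', '2000-12-01', true));
  // Step 2 (uncomment after reviewing): delete, then reIndex so the collection size shrinks.
  // printjson(purgeAlerts(db, '2000-11-01', '2000-12-01', false)); db.alert.reIndex();
}
```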


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Notes

In 10.6.x there are options to delete single alerts from IM, or to delete by time range, through the web UI:

Delete IM Alerts: 10.6.x Product Documentation Reference: https://community.rsa.com/docs/DOC-84518
Delete IM Incidents: 10.6.x Product Documentation Reference: https://community.rsa.com/docs/DOC-84496


Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management (IM), Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6

Summary

This article gives a quick way to delete the events populated in the Incident Management module.

