How to start/stop aggregation for an RSA NetWitness Platform device using the Device Explorer view.
Issue
When the UI is unresponsive and you cannot confirm whether aggregation has stopped or started on a host, you can start or stop it using the Explore view.
Resolution
In rare circumstances, the "Start Aggregation" or the "Stop Aggregation" capability may not respond or may not successfully stop aggregation at an appliance. If this happens, there is a simple alternative way to send the Start/Stop Aggregation command via the Device Explorer view, as shown in the steps below.
- Within Security Analytics (SA), navigate to the Admin -> Services page. Select the appropriate service (Broker, Concentrator, or Archiver) and navigate to View -> System. Try to Stop Aggregation.
- Proceed to View -> Logs, and see if Aggregation Threads have completed successfully.
- If aggregation does not respond appropriately, navigate to the Device Explorer view, i.e. View -> Explore.
- Right-click on the '/' where is the name of a core service (such as a '/Concentrator') tree, and then select 'Properties'.
- Select from the Properties drop-down to send the stop or start commands. Once selected, click the Send button to send the command.
- Select View -> Logs, and confirm that the aggregation threads have completed.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Product Details
- RSA Product Set: NetWitness Logs & Network, Security Analytics
- RSA Product/Service Type: Broker, Concentrator, Archiver
- RSA Version/Condition: 10.6, 11.0, 11.1, 11.2, 11.3
- Platform: CentOS 6, CentOS 7