
NetWitness Health Alarm showing high swap utilization for 5% usage

Issue

The NetWitness server Health and Wellness alarm for high system swap utilization is triggered when swap usage exceeds 5%.


Cause

The alarm threshold is set too low, which causes false positive alarms.


Workaround

Administrators can create a copy of the existing rule, modify the alarm threshold, enable the new alarm, and disable the out-of-the-box rule.

  1. Make a copy of the existing policy and disable the original policy.

  2. Edit "SA Host Monitoring Policy" to increase the Alarm threshold for "High System Swap Utilization" to be 50% or greater.

  3. Save and Enable the new policy.


The following link is for the System Maintenance Guide and contains more precise instructions on managing these policies. See Managing Policies on page 17.
https://community.netwitness.com/s/article/685655



Resolution

Modify the out-of-the-box default setting for the High System Swap Utilization rule to be greater than 50%.

Please note that in Linux operating systems, the kernel is responsible for controlling the swap usage, not the NetWitness software. In recent kernels, swap usage can look abnormally high due to the kernel attempting to be efficient with its allocation. Once swap is utilized, the kernel continues to hold the space open for fast swapping of data even if the space is not actually being used or currently required. 

Because the kernel holds swap space open in this way, the High System Swap Utilization rule in NetWitness Health & Wellness can alarm incorrectly. Administrators should use this alarm as a high water mark indicator only. If the system on which this alarm is firing is also starting to experience performance issues, then further investigation is warranted. If only the alarm is going off and no performance issues are being seen, then this alarm can be safely ignored.
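
The distinction described above, between swap that is merely occupied and a host that is actively swapping, can be checked from the shell. This is an added example, not part of the original article and not NetWitness code; the function names are hypothetical, the sample data is constructed, and swap-in/swap-out activity between two samples is used as an assumed stand-in for "performance issues".

```sh
#!/bin/sh
# Added example, not NetWitness code: tell "swap is occupied" apart from
# "the host is actively swapping" using /proc-format files.

# Percent of swap in use, from a meminfo-format file (values in kB).
swap_used_pct() {
    awk '/^SwapTotal:/ {t = $2} /^SwapFree:/ {f = $2}
         END { if (t > 0) print int((t - f) * 100 / t); else print 0 }' "$1"
}

# Cumulative pages swapped in plus out since boot, from a vmstat-format file.
swap_io_pages() {
    awk '$1 == "pswpin" || $1 == "pswpout" {s += $2} END {print s + 0}' "$1"
}

# classify USED_PCT PAGES_T0 PAGES_T1 THRESHOLD_PCT
# Assumption: swap I/O between two samples stands in for "performance issues".
classify() {
    if [ "$1" -lt "$4" ]; then
        echo "ok"
    elif [ $(( $3 - $2 )) -gt 0 ]; then
        echo "investigate"        # over threshold and pages are moving
    else
        echo "high-water-mark"    # over threshold, but swap is idle
    fi
}

# Constructed sample data (not captured from a real host): about 7% of
# swap occupied, with no swap-in/swap-out activity between the two samples.
write_sample() {
    printf 'SwapTotal:       4194300 kB\nSwapFree:        3880000 kB\n' > "$1/meminfo"
    printf 'pswpin 1200\npswpout 5400\n' > "$1/vmstat_t0"
    printf 'pswpin 1200\npswpout 5400\n' > "$1/vmstat_t1"
}

dir=$(mktemp -d)
write_sample "$dir"
pct=$(swap_used_pct "$dir/meminfo")
t0=$(swap_io_pages "$dir/vmstat_t0")
t1=$(swap_io_pages "$dir/vmstat_t1")
echo "swap used: ${pct}%"
echo "threshold  5%: $(classify "$pct" "$t0" "$t1" 5)"
echo "threshold 50%: $(classify "$pct" "$t0" "$t1" 50)"
rm -rf "$dir"
```

On a live host, pass /proc/meminfo to swap_used_pct and two copies of /proc/vmstat taken some seconds apart to swap_io_pages.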

 


Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes (Admin Server)
NetWitness Version/Condition: 11.x,12.x
Platform: CentOS/Alma

