New rules do not appear in ESA Configuration after trying to add them in RSA Security Analytics
Issue
New rules do not appear in ESA Configuration after trying to add them in RSA Security Analytics.
Cause
There are a few possible reasons for this behavior.
- The / (root directory) on the SA server is full.
- The MongoDB shows disk space related errors.
There may be occasions where temporary files are placed or generated on the appliance, but not removed.
This is commonly caused by a large number of nwtech dumps or when service packs or hotfix patches are manually installed but not removed.
Resolution
- SSH into the SA server and check the disk usage
df -h
- If high disk usage is noticed from step 1, investigate further to confirm what is filling up the disk.
You may use commands like the following examples to locate the large files.
du -sh /root/* | sort -h
find / -not -path '/proc*' -type f -size +1G
- When unneeded files are located, remove them or move them to alternate directories with more space if they need to stay on the system longer.
- Restart MongoDB by issuing the following commands.
service tokumx stop
service tokumx start
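The disk checks above can be wrapped in a small triage script. This is an added example, not part of the original article or of any RSA tooling. The function names and the 90% threshold are assumptions, and `-xdev` is used in place of the article's `/proc` exclusion so the search stays on the root filesystem.

```shell
#!/bin/sh
# Added example: triage helper for a full root filesystem on the SA server.
# Function names and the 90% threshold are assumptions, not RSA defaults.

# Print the Use% integer for mount point $1 from `df -P` output on stdin.
# -P keeps each filesystem on one line even when the device name is long.
usage_from_df() {
    awk -v mp="$1" 'NR > 1 && $6 == mp { sub(/%/, "", $5); print $5; exit }'
}

# Succeed when usage $1 is at or above threshold $2 (default 90).
root_is_full() {
    [ -n "$1" ] && [ "$1" -ge "${2:-90}" ]
}

# List files larger than $2 under $1, largest first, limited to $3 entries.
# -xdev keeps find on one filesystem, so /proc and other mounts are skipped.
largest_files() {
    find "${1:-/}" -xdev -type f -size +"${2:-1G}" -exec du -h {} + 2>/dev/null |
        sort -rh | head -n "${3:-20}"
}

# Constructed sample of `df -P` output (not taken from a real appliance).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/VolGroup00-root 8125880 8125880 0 100% /
/dev/sda1 253871 50000 190000 21% /boot'

if [ "${1:-}" = "--live" ]; then
    # Live mode: inspect the real root filesystem of this host.
    pct=$(df -P / | usage_from_df /)
    if root_is_full "$pct" 90; then
        echo "/ is at ${pct}%; largest files on the root filesystem:"
        largest_files / 1G 20
    else
        echo "/ is at ${pct}%; disk space is unlikely to be the cause"
    fi
else
    # Default: run the parser over the constructed sample only.
    pct=$(printf '%s\n' "$SAMPLE_DF" | usage_from_df /)
    echo "sample: / is at ${pct}%"
fi
```

Run it with `--live` on the SA server. It only reports, so file cleanup and the tokumx restart remain manual steps.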
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.x
Platform: CentOS
O/S Version: EL6
Summary
This article describes possible reasons why new rules may not be seen in the ESA configuration screen.