RSA NetWitness 11.x Unable to delete event sources
Issue
Unable to delete event sources on the RSA Security Analytics UI; event sources reappear after refreshing the page.
Tasks
Unable to delete Event Sources from NW UI, under Admin > Event Sources > Manage
Resolution
- SSH to the Admin Server and back up the ESM collection.
mongoexport --db esm --collection eventsources --out /root/appliance_update.json -u deploy_admin -p [password] --authenticationDatabase admin
- Log in to MongoDB and verify the event source that needs to be deleted.
mongo -u deploy_admin -p [password]
use esm
db.eventsources.find({"_id" : "[Event Source IP Address]-[Event Source Type]"}).pretty()
Example:
db.eventsources.find({"_id" : "10.1.1.1-windows"}).pretty()
- After verifying, delete the event source.
db.eventsources.remove({"_id" : "[Event Source IP Address]-[Event Source Type]"})
Example:
db.eventsources.remove({"_id" : "10.1.1.1-windows"})
- Refresh the Event Source page to confirm that the event source has been deleted.
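The verify, delete and confirm steps above can be wrapped in one guarded function for the mongo shell, so that nothing is removed unless exactly the intended `_id` is found. This is an added example, not part of the original article or RSA's tooling; the name `deleteEventSource` and its return shape are assumptions, and it relies on the legacy `mongo` shell collection methods `find().toArray()` and `remove()`.

```javascript
// Added example, not RSA's code. `coll` is a legacy mongo shell collection
// object such as db.getSiblingDB("esm").eventsources.
function deleteEventSource(coll, address, type) {
  // The article's _id format: "<event source IP address>-<event source type>".
  [address, type].forEach(function (part) {
    if (typeof part !== "string" || !/^\S+$/.test(part)) {
      throw new Error("address and type must be non-empty strings without spaces");
    }
  });
  var query = { _id: address + "-" + type };

  // Step 1: verify. An exact _id match returns zero or one document.
  var found = coll.find(query).toArray();
  if (found.length !== 1) {
    return { id: query._id, removed: 0, document: null, reason: "not found" };
  }

  // Step 2: delete only that document, then check the write result.
  var result = coll.remove(query, { justOne: true });
  if (result.nRemoved !== 1) {
    throw new Error("remove reported nRemoved=" + result.nRemoved);
  }

  // Step 3: confirm it is gone before refreshing the UI.
  if (coll.find(query).toArray().length !== 0) {
    throw new Error(query._id + " still present after remove");
  }
  // Return the removed document so it can be kept next to the backup.
  return { id: query._id, removed: 1, document: found[0], reason: null };
}

// In the mongo shell, after authenticating as in the steps above:
//   printjson(deleteEventSource(db.getSiblingDB("esm").eventsources, "10.1.1.1", "windows"))
```

A result with `removed: 0` means the `_id` did not match any document, which usually points to a wrong address or event source type rather than a failed delete.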
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness UI, ESA
RSA Version/Condition: 11.x
Platform: CentOS 7