RSA Security Analytics - Unable to see the triggered alerts in Alert summary page
Issue
Unable to see the triggered alerts in the Alert Summary page due to the following error: Error loading data
Unable to drill down in ESA > Explore View > Alerts > Storage
Cause
The tokumx folder has grown above its size threshold. To check the size of the tokumx folder, run the command below:
du -sh /opt/rsa/database/tokumx
Resolution
Clean up the tokumx database completely and initialise a fresh database. WARNING! This will delete old triggered alerts from the database.
1. Stop puppet, ESA and tokumx first:
service puppet stop
service rsa-esa stop
service tokumx stop
2. Remove all alerts from the database, essentially starting from fresh (the drop command returns "true" once completed):
service tokumx start
mongo esa -u esa -p esa
db.alert.drop()
3. Start the services:
service puppet start
service rsa-esa start
After that, no data will be seen in the Alerts > Summary page.
Drilling down in the Explore view is possible again. Set up alert maintenance using the KB article "How to configure automated ESA storage maintenance in RSA Security Analytics 10.4" so the store does not grow past the threshold again.
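The following script is an added example and is not part of the RSA article or an RSA-supplied tool. It turns the size check from the Cause section into a numeric test that can run from cron or a monitoring hook, and wraps the Resolution steps above in a cleanup that only runs when explicitly requested with --apply and only when the store is actually over the threshold. The threshold value (20 GiB) and the --check/--apply flags are assumptions chosen for the example; RSA does not document a specific limit.

```shell
#!/bin/sh
# Added example (not RSA's own script): pre-flight size check for the ESA
# tokumx alert store, plus a guarded version of the KB's cleanup steps.
# Assumption: THRESHOLD_KIB is an operator-chosen placeholder, not an RSA limit.

TOKUMX_DIR="${TOKUMX_DIR:-/opt/rsa/database/tokumx}"
THRESHOLD_KIB="${THRESHOLD_KIB:-20971520}"   # 20 GiB placeholder, in KiB

# dir_size_kib DIR: print the on-disk size of DIR in KiB. Same measure as the
# article's `du -sh`, but in a form that can be compared numerically.
dir_size_kib() {
    du -sk "$1" | awk '{print $1}'
}

# over_threshold DIR THRESHOLD_KIB: exit 0 when DIR is larger than the
# threshold, 1 otherwise, so it can drive an if/else or a monitoring alert.
over_threshold() {
    size=$(dir_size_kib "$1") || return 2
    [ "$size" -gt "$2" ]
}

# report DIR THRESHOLD_KIB: one-line status for a cron job or monitoring hook.
# Non-zero exit means the store is oversized and the Alert Summary page is
# likely to start failing with "Error loading data".
report() {
    size=$(dir_size_kib "$1")
    if over_threshold "$1" "$2"; then
        echo "WARNING: $1 is ${size} KiB, above threshold $2 KiB"
        return 1
    fi
    echo "OK: $1 is ${size} KiB, threshold $2 KiB"
}

# cleanup: the KB's resolution steps, in order. Dropping db.alert deletes
# every stored triggered alert, which is why this only runs with --apply.
cleanup() {
    service puppet stop
    service rsa-esa stop
    service tokumx stop
    service tokumx start
    # Pipe the drop into the mongo shell so the run is non-interactive;
    # the shell prints "true" once the collection has been removed.
    echo 'db.alert.drop()' | mongo esa -u esa -p esa
    service puppet start
    service rsa-esa start
}

case "${1:-}" in
    --check) report "$TOKUMX_DIR" "$THRESHOLD_KIB" ;;
    --apply)
        # Only wipe the store when it is really oversized, mirroring the
        # article's cause/resolution pairing.
        if over_threshold "$TOKUMX_DIR" "$THRESHOLD_KIB"; then
            cleanup
        else
            echo "Store is under threshold; not dropping alerts"
        fi ;;
esac
```

Run it as `./esa_tokumx_check.sh --check` from cron to get early warning before the summary page breaks; `--apply` performs the same service stop, drop and restart sequence as the manual steps, so schedule it only where losing old alerts is acceptable.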
Product Details
RSA Product Set: RSA Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6