000037323 - How to clear all alerts/incidents via mongodb in NetWitness 11.x

Document created by RSA Customer Support Employee on Apr 12, 2019

Article Content

Article Number: 000037323
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 11.x
Platform: CentOS
Issue: How to remove all alerts/incidents at the mongo db level in NW 11.x.
Resolution: To clear all alerts/incidents at the mongo db level, follow the steps below.
* We recommend setting a retention period for Alerts and Incidents as described below (pages 47~48).

  1. SSH to the ESA appliance and connect to the mongo db as follows.
    # mongo admin -u deploy_admin -p netwitness
    > use respond-server
    > db.alert.find().pretty()
    > db.incident.find().pretty()
  2. Disable or deactivate the currently deployed ESA/Report rules in the NW GUI before clearing all alerts/incidents.
  3. Remove all alerts/incidents and then reindex the db as follows. * Do not use ".drop" because it removes the collections themselves; use ".remove" instead.
    > db.alert.remove({"receivedTime":{$lte: new Date(new Date().setDate(new Date().getDate()))}})
    > db.incident.remove({"created":{$lte: new Date(new Date().setDate(new Date().getDate()))}})
    > db.alert.reIndex()
    > db.incident.reIndex()
    > exit
  4. After refreshing the NW GUI, you can see that no alerts/incidents remain, as shown below.
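The steps above, as an added example that is not RSA's own script: a mongo shell script for the respond-server database that applies a retention window instead of deleting everything up to "now", counts the matching documents first (dry run), and only then removes and reindexes. The 30-day window, the filename purge.js and the dryRun flag are assumptions of this example.

```javascript
// Added example (not RSA's own script): retention-bounded purge of the
// respond-server alert/incident collections in the legacy mongo shell.
// The article's one-liners delete everything received/created up to "now";
// this version deletes only documents older than RETENTION_DAYS and reports
// counts before removing anything.  Load it after connecting, e.g.
//   mongo admin -u deploy_admin -p <password> --quiet purge.js
// RETENTION_DAYS is an assumed value for this example, not an RSA default.

var RETENTION_DAYS = 30;

// Cutoff timestamp: documents at or before it are purged.
function retentionCutoff(now, days) {
  var cutoff = new Date(now.getTime());
  cutoff.setUTCDate(cutoff.getUTCDate() - days);
  return cutoff;
}

// Same field names as the article's commands, bounded by the cutoff.
function buildFilters(cutoff) {
  return {
    alert: { receivedTime: { $lte: cutoff } },
    incident: { created: { $lte: cutoff } }
  };
}

// Count, remove, reindex.  `db` is the mongo shell handle (or a test double).
// With dryRun=true nothing is deleted; the counts show what would be removed.
function purge(db, cutoff, dryRun) {
  var filters = buildFilters(cutoff);
  var report = {};
  Object.keys(filters).forEach(function (name) {
    var coll = db.getCollection(name);
    var matched = coll.count(filters[name]);
    var removed = 0;
    if (!dryRun && matched > 0) {
      removed = coll.remove(filters[name]).nRemoved; // not .drop(): keeps the collection
      coll.reIndex();                                 // rebuild indexes, as in step 3
    }
    report[name] = { matched: matched, removed: removed };
  });
  return report;
}

// Only run when loaded inside the mongo shell, where `db` exists.
if (typeof db !== 'undefined') {
  var rsdb = db.getSiblingDB('respond-server');
  printjson(purge(rsdb, retentionCutoff(new Date(), RETENTION_DAYS), true));
}
```

Run it once with dryRun=true to check the counts, then change the last call to dryRun=false to actually remove the documents.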