000038369 - Esper metrics collection can impact performance in some environments with ESA rules that consume large amounts of memory for RSA NetWitness Platform 11.4

Document created by RSA Customer Support Employee on Jan 24, 2020
Version 1

Article Content

Article Number: 000038369

Applies To:
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: ESA host/ESA Correlation service
RSA Version/Condition: 11.4.x

Issue: Metric collection in Esper 8.2.0 differs from the previous 7.1.0 version. For an ESA Correlation server with rules that consume a lot of memory, gathering metrics can consume significant CPU, leading to a drop in EPS while the metrics are being collected. To avoid the drop in EPS, the default metrics collection interval in RSA NetWitness Platform 11.4 is set to a very large value (999999 days). This prevents the Esper metrics from being collected.

Cause: Esper upgrade from 7.1.0 to 8.2.0 with RSA NetWitness Platform 11.4 and higher on the Event Stream Analysis server.

Workaround: If you need metrics collected at a more frequent interval, you can update the background-metrics-frequency parameter on the ESA Correlation service.

Do not set the metrics collection interval lower than five minutes.

  1. In the RSA NetWitness Platform UI:
    1. Go to Admin > Services.
    2. Select the ESA Correlation service.
    3. Select Action (Red Gear) > View > Explore.
  2. In the Explore view node list on the left side, select Correlation > Esper.
  3. In the right panel, enter a new metrics collection interval value for background-metrics-frequency.
  4. Restart the ESA Correlation service.
    1. From the UI, go to Admin > Services, select the ESA Correlation service, and then select Action (Red Gear) > Restart.
    2. From the command line:

       systemctl restart rsa-nw-correlation-server