Sys Maintenance: Manage Dashboards and Alerts

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Apr 24, 2020.
Version 9
 

You can modify the dashboard and alerts to monitor details of interest.

Modify Dashboard

You can modify the dashboard to edit or delete visualizations, customize the panel title, or change the positions of visualizations. You can organize the visualizations in the dashboard so that the data of interest appears at the top.

Note: Any changes to a visualization in a dashboard modify the visualization content.

To modify the dashboard:

  1. Log in to Kibana UI, click .
  2. Select the dashboard you want to modify. For example, Hosts overview.
  3. Click Edit and make the necessary changes to the dashboard. For example, you can edit or delete a visualization or customize a panel.
  4. Click Save.

Delete Dashboard

Once the dashboard is deleted, you cannot monitor the details specific to the dashboard.

To delete the dashboard:

  1. Log in to Kibana UI, click .
  2. Select the check box of the dashboard you want to delete and click Delete.

You can delete one or more dashboards at a time.

Delete Visualization

To delete the visualization:

  1. Log in to Kibana UI and click .
  2. In the Visualizations view, select the visualizations you want to delete.
  3. Click Delete visualization.

    You can delete one or more visualizations at a time.

Modifying Existing Trigger

To modify an existing trigger:

  1. Log in to Kibana UI, click .
  2. Select the monitor whose trigger is to be modified.
  3. In the Triggers section, select the trigger you want to modify from the list of triggers and select Edit.
  4. In the Edit Trigger view, make the necessary changes. You can change the trigger name, severity level, and trigger condition.
  5. Click Update to save the changes.

Advanced Configurations

Reset Default Content

Reset allows you to bring back all the default content, such as dashboards, visualizations, and monitors, to its original or default state. Reset configuration overwrites any changes made to the default content.

Note: Reset does not make any changes to the default content.

To reset the default content:

  1. SSH to Admin Server and connect to nw-shell.
  2. Connect to metric server using the following command:

    connect metrics-server

  3. Log in to nw-shell and enter the username and password.
  4. Go to the reset option using the following command:

    cd /rsa/metrics/content/reset-content

  5. To invoke the method, use the following command:

    invoke

Restore Default Content

This allows you to restore all the missing or deleted default content, including dashboards, visualizations, and monitors. This does not affect the existing, modified default content or newly created content. For example, use it if you have deleted a dashboard or visualization and want to retrieve the missing content.

To retrieve the missing default content:

  1. SSH to Admin Server and connect to nw-shell.
  2. Connect to metric server using the following command:

    connect metrics-server

  3. Log in to nw-shell and enter the username and password.
  4. Navigate to the restore option using the following command:

    cd /rsa/metrics/content/restore-content

  5. To invoke the method, use the following command:

    invoke

Enable Services

This enables all the services to start sending metrics to Elasticsearch. For example, use it if you have disabled a few services from sending to Elasticsearch and want all those disabled services to start sending again.

  1. SSH to Admin Server and connect to nw-shell.
  2. Connect to metric server using the following command:

    connect metrics-server

  3. Log in to nw-shell and enter the username and password.
  4. Navigate to the enable option using the following command:

    cd /rsa/metrics/elastic/enable-all

  5. Execute the following command to enable all services to start sending to Elasticsearch:

    invoke

Disable Services

This stops all the services from sending metrics to Elasticsearch. Once disabled, none of the services send metrics to Elasticsearch, the dashboards are not updated, and alerts are not triggered.

  1. SSH to Admin Server and connect to nw-shell.
  2. Connect to metric server using the following command:

    connect metrics-server

  3. Log in to nw-shell and enter the username and password.
  4. Navigate to the disable option using the following command:

    cd /rsa/metrics/elastic/disable-all

  5. Execute the following command to stop all services from writing to Elasticsearch:

    invoke

Note: This stops all services from sending metrics to Elasticsearch but does not stop Metricbeat from sending system-level metrics to Elasticsearch. You need to manually stop Metricbeat on all hosts if you wish to stop using Health and Wellness.

Update Interval

You can set a common interval for all the services to send data to Elasticsearch. For example, use this if the services are set to different intervals and you want all of them to send data to Elasticsearch on the same interval.

The intervals can be set in seconds, minutes and hours.

  1. SSH to Admin Server and connect to nw-shell.
  2. Connect to metric server using the following command:

    connect metrics-server

  3. Log in to nw-shell and enter the username and password.
  4. Navigate to the update interval option using the following command:

    cd /rsa/metrics/elastic/update-interval

  5. Execute the following command to set a common interval for all the services:

    invoke <interval>

    For example, invoke 30seconds

Default Configuration

By default, Health and Wellness (BETA) configurations are applied once Health and Wellness is enabled successfully. To change the configuration of a service, you need to update the existing configuration. Once the configuration is updated, the service is notified of the changes.

To update the configuration, perform the following:

  1. SSH to Admin Server.
  2. Connect to metrics-server using the command:

    connect metrics-server

  3. Log in using the username and password.
  4. To get the configuration of a service, execute the following commands:

    1. cd /rsa/metrics/elastic/get-config

    2. invoke <service-id>

    Note:
    To get the service id for core services:
    1) Go to ADMIN > Core service.
    2) Click > View > Explore view.
    3) Expand the sys/stats node list.
    4) In the UUID field, copy the value.
    To get the service id for launch services:
    1) Go to ADMIN > Launch service.
    2) Click > View > Explore view.
    3) Click the process folder.
    4) In the service-id field, copy the value.
    To get the service id for Carlos services:
    1) SSH to the host on which the Carlos service is deployed.
    2) Execute the following command:
    For Reporting Engine:
    cat /var/netwitness/re-server/rsa/soc/reporting-engine/service-id
    For Legacy Web Server:
    cat /var/netwitness/uax/service-id

    Note: The core services are Archiver, Broker, Concentrator, Decoder, and Log Decoder, and the Carlos services are Reporting Engine and Legacy Web Server. All other services that are not included in Core and Carlos services are launch services.

  5. Copy the configuration and save it in a file. For example, for the reporting-engine service, create a file reporting-engine.json under /root/, copy the configuration obtained in step 4 into it, and save.
  6. To set configurations for a service:

    1. cd /rsa/metrics/elastic/set-config

    2. invoke --file <absolute path of the file>

      For example, invoke --file /root/reporting-engine.json

Data Retention Policy

You can configure the retention policy for monitors (alerts triggered) and metrics based on age and size.

By default, 90 days of data with 100 GB of size for monitors (alerts triggered) and 30 days of data with 100 GB of size for metrics are retained.

To change the configuration for monitors (alerts triggered) retention:

  1. SSH to Admin Server.
  2. Connect to metrics-server using nw-shell.
  3. Go to alert-retention-threshold using command:

    cd /rsa/metrics/elastic/data/retention/alert-retention-threshold

  4. Set a value between 1day and 90days.

    For example, set 50days

  5. Restart metrics-server using command:

    service rsa-nw-metrics-server restart

To change the configuration for metrics time threshold:

  1. SSH to Admin Server.
  2. Connect to metrics-server using nw-shell.
  3. Go to time-threshold using command:

    cd /rsa/metrics/elastic/data/retention/time-threshold

  4. Set the value from 1day to 90days.

    For example, set 40days

  5. Restart metrics-server using command:

    service rsa-nw-metrics-server restart

To change the size configuration:

  1. SSH to Admin Server.
  2. Connect to metrics-server using nw-shell.
  3. Go to allocated-size using command:

    cd /rsa/metrics/elastic/data/retention/allocated-size

  4. Set the value.

    For example, set 200GB

  5. Restart metrics-server using command:

    service rsa-nw-metrics-server restart

Note: Make sure the /var/netwitness partition on standalone Health and Wellness has enough disk space. After you review your datastore configuration, you may determine that you need to add a new volume. For more information on adding a new volume, see the “Add New Volume and Extend Existing File Systems” topic in the Virtual Host Installation Guide.
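
Added example (not part of the RSA documentation or product): a pre-check, run in a regular shell on the Admin Server before the nw-shell steps above, that confirms planned retention values fall within the documented 1day to 90days range and that the allocated size fits in the space free on /var/netwitness. The function names are hypothetical, and the accepted value forms are assumed to be only those shown on this page.

```sh
#!/bin/sh
# Added example, not RSA code. Function names are hypothetical.
# Assumption: values use only the forms shown on this page
# ("<n>day" or "<n>days" for thresholds, "<n>GB" for allocated-size).

# Print the day count if the value is within 1day..90days, else fail.
retention_days() {
    _n=${1%days}
    [ "$_n" != "$1" ] || _n=${1%day}
    [ "$_n" != "$1" ] || return 1            # no day/days suffix
    case $_n in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#_n}" -le 2 ] && [ "$_n" -le 90 ] || return 1
    echo "$_n"
}

# Print the size in GB for a value such as 200GB, else fail.
allocated_gb() {
    _g=${1%GB}
    [ "$_g" != "$1" ] || return 1            # no GB suffix
    case $_g in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#_g}" -le 6 ] || return 1
    echo "$_g"
}

# Whole GB currently free on the file system that holds a path.
avail_gb() {
    df -Pk "$1" | awk 'NR==2 { print int($4 / 1048576) }'
}

# size_fits <allocated-size> <free GB>: conservative check that the full
# allocation fits in the space that is free right now.
size_fits() {
    _want=$(allocated_gb "$1") || return 1
    [ "$_want" -le "$2" ]
}

# Constructed sample plan. On the Admin Server, replace the fixed number
# with: free=$(avail_gb /var/netwitness)
free=150
for v in 50days 40days 120days; do
    if retention_days "$v" >/dev/null; then echo "$v: within range"
    else echo "$v: outside 1day..90days"; fi
done
if size_fits 200GB "$free"; then echo "200GB fits"
else echo "200GB exceeds the ${free} GB free"; fi
```

Comparing against free space is deliberately conservative: data already stored under the current allocation counts toward the new limit, so a failed check means review the partition, not necessarily that the change is impossible.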
