ESM: Negative Policy Numbering

Document created by RSA Information Design and Development Employee on Apr 1, 2016. Last modified by RSA Information Design and Development Employee on Sep 19, 2016.
Version 3

You may see negative numbers in the Order field in the Groups section of the Monitoring Policies tab. This topic describes a workaround to restore the correct numbering scheme for your policies.


The following screen shows an example of the situation where the numbers of group policies become negative.


If you encounter this situation, drag and drop the top group (All Unix Event Source(s) in the above image) to after the last group (Ciscoasa_Alarm14417). This restores normal, ordinal numbering. You can then continue to drag and drop groups until you have them in their proper order for your organization.

Clean Up Duplicate Messages

  1. Stop collectd on Security Analytics and Log Decoders:

    service collectd stop

  2. Remove the ESM Aggregator persisted file on Security Analytics:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.

    1. Navigate to the Log Decoder REST interface at http://<LD_IP_Address>:50102
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel from the Event Sources Manage tab, select all event sources and then click - to remove them.