000029538 - How to delete a single event source from Event Source Monitoring in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000029538
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Event Source Monitoring (ESM)
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
IssueIf a device is moved from one log decoder to another, then the entry for that device will remain under the event source monitoring statistics. 
User-added image
ResolutionUnfortunately it is not possible to delete a single device from Event Source Monitoring statistics in versions previous to 10.6 (in versions 10.6 or later, individual devices can be removed from Administration -> Event Sources and will be cleared from the Event Source Monitoring page after restarting collectd and rsa-sms services on the SA Server).
The following steps explain how to remove all log statistic information for all devices associated with a particular log decoder.

  1. SSH to the Log Decoder
  2. Stop collectd on Log Decoder using command /etc/init.d/collectd stop
  3. Delete the Log Stats data from Log Decoder. In the SA GUI Navigate to Log Decoder -> System and Click on Reset Log Stats

    User-added image

  4. SSH to the SA Server and restart the sms service on sa server(service rsa-sms restart)
  5. SSH To the Log Decoder and start the collectd service on log decoder((/etc/init.d/collectd start)
The following steps should be used on a 10.5+ System
  1. Clear the logStats on each of the LDs (Through the GUI - > Log Decoder ->System -> Reset Log Stats) 
  2. Stop collectd service on SA (service collectd stop) 
  3. Stop SMS on SA (service rsa-sms stop) 
  4. Delete the ESM Aggregator cache - /var/lib/netwitness/collectd/ESMAggregator on the SA Server 
  5. Start collectd service on SA Server (service collectd start) 
  6. Restart SMS on SA Server (service rsa-sms start)