000029538 - How to delete a single event source from Event Source Monitoring in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jul 11, 2018.
Version 7

Article Content

Article Number: 000029538

Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Event Source Monitoring (ESM)
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6

Issue:
If a device is moved from one log decoder to another, the entry for that device remains under the Event Source Monitoring statistics as well as on the Event Sources tab.
Old event source hosts that were removed also go stale in ESM and the Event Sources tab.
They may return if not cleaned up properly.

Resolution:
In versions 10.6 or later, individual devices can be removed from Administration -> Event Sources and will be cleared from the H&W - Event Source Monitoring page after restarting rsa-sms services on the SA Server.
The additional steps below may be needed to ensure the old event sources do not return to the database and show up again in the UI, triggering false notifications (if enabled).

The following steps explain how to remove all log statistics information for all devices on the log decoders and enable them to generate only new/current log statistics:

  1. SSH to the Log Decoders or VLCs.
  2. Take note of each Log Decoder's node ID (<logdecoder UUID>) by running the script /etc/puppet/scripts/node_id.py or, for a VLC, take note of its hostname.
  3. Delete the log stats data from the Log Decoder: in the SA GUI, navigate to Log Decoder -> System and click Reset Log Stats.
  4. SSH to the SA Head and stop the following services:  /etc/init.d/puppet stop; /etc/init.d/collectd stop
  5. For each of the LD UUIDs or VLC hostnames:  cd /var/lib/netwitness/collectd/rrd/<logdecoder UUID or VLC hostname>/esm_update-<device type of event source being removed>  and then  mv esm_counter-<IP of event source or hostname>.rrd /tmp
  6. Remove the ESM Aggregator cache:  mv /var/lib/netwitness/collectd/ESMAggregator /tmp
  7. Delete the specific old or stale event sources from the UI via Administration -> Event Sources -> Manage tab.
  8. Start the services:  /etc/init.d/puppet start; /etc/init.d/collectd start
  9. Restart rsa-sms:  service rsa-sms restart
  10. Wait for the services to start up and stabilize.
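
Steps 5 and 6 as shell functions, added here as an example and not RSA's own tooling. COLLECTD_ROOT, QUARANTINE and the function names are assumptions; files go to a per-decoder quarantine directory rather than straight into /tmp, so the same esm_counter file name from two decoders cannot overwrite each other.

```shell
#!/bin/sh
# Added example, not RSA tooling: steps 5 and 6 for one stale event source.
# Source this on the SA head after puppet and collectd are stopped (step 4).
# COLLECTD_ROOT and QUARANTINE are names assumed here; the default root is the article's path.
COLLECTD_ROOT="${COLLECTD_ROOT:-/var/lib/netwitness/collectd}"
QUARANTINE="${QUARANTINE:-/tmp/esm-stale.$$}"

# quarantine_source <device type> <source IP or hostname> <LD UUID or VLC hostname>...
# Moves esm_counter-<source>.rrd out of every listed decoder's esm_update-<type>
# directory and prints how many files were moved.
quarantine_source() {
    [ "$#" -ge 3 ] || { echo "usage: quarantine_source TYPE SOURCE NODE..." >&2; return 2; }
    dtype=$1; src=$2; shift 2
    # Every argument becomes a path component: reject anything that could leave the rrd tree.
    for part in "$dtype" "$src" "$@"; do
        case $part in
            ''|.|..|*/*) echo "unsafe name: '$part'" >&2; return 2 ;;
        esac
    done
    moved=0
    for node in "$@"; do
        sub="$node/esm_update-$dtype"
        f="$COLLECTD_ROOT/rrd/$sub/esm_counter-$src.rrd"
        if [ -f "$f" ]; then
            # Keep the decoder name in the destination so copies do not collide.
            mkdir -p "$QUARANTINE/$sub" || return 1
            mv "$f" "$QUARANTINE/$sub/" || return 1
            moved=$((moved + 1))
        else
            echo "not found, nothing moved: $f" >&2
        fi
    done
    echo "$moved"
}

# quarantine_aggregator: step 6, move the ESM Aggregator cache aside.
quarantine_aggregator() {
    [ -e "$COLLECTD_ROOT/ESMAggregator" ] || return 0
    mkdir -p "$QUARANTINE" && mv "$COLLECTD_ROOT/ESMAggregator" "$QUARANTINE/"
}
```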

Unfortunately, it is not possible to delete a single device from Event Source Monitoring statistics in versions prior to 10.6.
The following steps should be used on a 10.5+ system:
  1. Clear the logStats on each of the LDs (through the GUI -> Log Decoder -> System -> Reset Log Stats)
  2. Stop collectd service on SA (service collectd stop)
  3. Stop SMS on SA (service rsa-sms stop)
  4. Delete the ESM Aggregator cache - /var/lib/netwitness/collectd/ESMAggregator on the SA Server
  5. Start collectd service on SA Server (service collectd start)
  6. Restart SMS on SA Server (service rsa-sms start)