Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Event Source Monitoring (ESM)
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
O/S Version: EL6
Issue:
If a device is moved from one Log Decoder to another, the entry for that device remains under the Event Source Monitoring statistics as well as on the Event Sources tab.
Old event source hosts that were removed also go stale in ESM and on the Event Sources tab.
They may return if they are not cleaned up properly.
Resolution:
In versions 10.6 or later, individual devices can be removed from Administration -> Event Sources; they are cleared from the H&W - Event Source Monitoring page after the rsa-sms service is restarted on the SA Server.
The additional steps below may be needed to ensure that the old event sources do not return to the database and show up again in the UI, which would trigger false notifications (if enabled).
In versions prior to 10.6 it is unfortunately not possible to delete a single device from the Event Source Monitoring statistics. The following steps explain how to remove all log statistics information for all devices on the Log Decoders so that they generate only new/current log statistics:
- SSH to each Log Decoder or VLC.
- Record each Log Decoder's node ID (<logdecoder UUID>) by running the script /etc/puppet/scripts/node_id.py; for a VLC, record its hostname instead.
- Delete the log stats data from the Log Decoder: in the SA GUI, navigate to Log Decoder -> System and click Reset Log Stats.
- SSH to the SA head and stop the following services: /etc/init.d/puppet stop; /etc/init.d/collectd stop
- For each LD UUID or VLC hostname, move the RRD file of the event source being removed out of the way: cd /var/lib/netwitness/collectd/rrd/<logdecoder UUID or VLC hostname>/esm_update-<device type of event source being removed>, then mv esm_counter-<IP or hostname of event source>.rrd /tmp
- Remove the ESM Aggregator cache: mv /var/lib/netwitness/collectd/ESMAggregator /tmp
- Delete the specific old or stale event sources from the UI via Administration -> Event Sources -> Manage tab.
- Start the services: /etc/init.d/puppet start; /etc/init.d/collectd start
- Restart rsa-sms: service rsa-sms restart
- Wait for the services to start up and stabilize.
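As an added example that is not part of the RSA article, a POSIX shell helper for the RRD step above: it moves the esm_counter file of one stale event source out of each decoder's esm_update directory into a backup directory that preserves the decoder/device-type layout (so a file moved by mistake can be put back), and reports every decoder where no such file exists instead of failing silently. It assumes it is run on the SA Server after puppet and collectd have been stopped; the function names, the RRD_BASE and BACKUP_DIR variables and the one-ID-per-line node list file are the example's own, not RSA's.

```shell
#!/bin/sh
# Helper for the "mv esm_counter-<IP>.rrd /tmp" step: constructed example, not RSA's script.
# Assumes it runs on the SA Server after puppet and collectd have been stopped.
# RRD_BASE and BACKUP_DIR are this example's own knobs; the defaults match the article's paths.
RRD_BASE="${RRD_BASE:-/var/lib/netwitness/collectd/rrd}"
BACKUP_DIR="${BACKUP_DIR:-/tmp/esm-stale-rrd}"

# remove_stale_counter <LD UUID or VLC hostname> <device type> <event source IP or hostname>
# Moves the matching esm_counter RRD file into BACKUP_DIR, keeping the
# <decoder>/esm_update-<type>/ layout so the file can be restored if needed.
# Returns 0 if a file was moved, 1 if none was found, 2 on missing arguments.
remove_stale_counter() {
    decoder="$1"; devtype="$2"; source="$3"
    [ -n "$decoder" ] && [ -n "$devtype" ] && [ -n "$source" ] || return 2
    src="$RRD_BASE/$decoder/esm_update-$devtype/esm_counter-$source.rrd"
    if [ ! -f "$src" ]; then
        echo "not found: $src" >&2
        return 1
    fi
    dest="$BACKUP_DIR/$decoder/esm_update-$devtype"
    mkdir -p "$dest" || return 1
    mv "$src" "$dest/" || return 1
    echo "moved: $src -> $dest/" >&2
    return 0
}

# remove_stale_counter_all <node list file> <device type> <event source IP or hostname>
# Applies the removal to every decoder/VLC listed one per line (the IDs collected with
# node_id.py or the VLC hostnames) and prints how many files were moved.
remove_stale_counter_all() {
    list="$1"; devtype="$2"; source="$3"
    moved=0
    while read -r decoder; do
        [ -n "$decoder" ] || continue
        remove_stale_counter "$decoder" "$devtype" "$source" && moved=$((moved + 1))
    done < "$list"
    echo "$moved"
}

# Example invocation (hypothetical node list /root/nodes.txt, one LD UUID or VLC hostname per line):
#   remove_stale_counter_all /root/nodes.txt <device type> <stale event source IP or hostname>
```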
The following steps should be used on a 10.5+ system:
- Clear the log stats on each of the LDs (through the GUI: Log Decoder -> System -> Reset Log Stats).
- Stop the collectd service on the SA Server (service collectd stop).
- Stop SMS on the SA Server (service rsa-sms stop).
- Delete the ESM Aggregator cache, /var/lib/netwitness/collectd/ESMAggregator, on the SA Server.
- Start the collectd service on the SA Server (service collectd start).
- Start SMS again on the SA Server (service rsa-sms start).