000029802 - How to configure automated ESA storage maintenance in RSA Security Analytics 10.4

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 4.

Article Content

Article Number: 000029802
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA), Security Analytics UI
RSA Version/Condition: 10.4.x
Platform: CentOS
O/S Version: EL6
Issue: When the number of alerts stored in the ESA database has grown so high that the database becomes very large, performance can be negatively impacted.
Tasks: To keep the ESA alerts database at a manageable size that does not degrade performance, automatic maintenance can be configured on the ESA appliance. The maintenance job runs periodically and removes alerts when user-defined thresholds are exceeded.
To configure ESA maintenance, follow the steps below.
  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Select the ESA appliance, click on the red Actions button in the far right column, and select View -> Explore.
  3. In the directory tree in the Explore view, expand the Alert directory followed by the Storage directory.
  4. Click on the maintenance directory.  Options for ESA maintenance will be displayed in the right pane.
  5. Modify the DatabaseDiskUsageLimitInMB, DaysToDeleteWhenLimitExceeded, Schedule, and/or KeepAlertsForDays values to be what you desire.
  6. Change the value for Enabled to be true rather than false.
Once the changes have been applied, click on the maintenance folder again to refresh the values.  After a moment, the NextMaintenanceScheduledAt value should display the date and time of the next maintenance run that will be performed, as shown in the screenshot below.
[Screenshot: the maintenance folder values, including NextMaintenanceScheduledAt]

The maintenance status can also be monitored in the /opt/rsa/esa/logs/esa.log file on the ESA appliance, which will display messages similar to the example below.
 
2015-03-12 09:46:48,197 [Carlos@65dd6c04-56] INFO  com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin

2015-03-12 09:46:51,121 [scheduler_Worker-1] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Starting the scheduled database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120}

2015-03-12 09:46:51,122 [Carlos@3801f0b3-58] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Scheduled a database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120} to run at 2/28/15 2:00 AM

2015-03-12 09:46:51,129 [Carlos@3801f0b3-58] INFO  com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin

2015-03-12 09:46:51,133 [scheduler_Worker-1] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Finished the database maintenance job, deleted 0 partitions, next run scheduled at 3/14/15 2:00 AM
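As an added example (not part of the original article or the RSA product), the following Python script parses the SQLStorageMaintenance lines from esa.log, pulls out the configured policy, the number of deleted partitions and the next scheduled run, and flags the job as overdue when the last reported next-run time has passed without a later entry. The sample log text is constructed from the excerpt above, and the dictionary keys are names of my own choosing.

```python
import re
from datetime import datetime

# Constructed sample: the esa.log lines quoted in this article
SAMPLE_LOG = """2015-03-12 09:46:48,197 [Carlos@65dd6c04-56] INFO  com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,121 [scheduler_Worker-1] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Starting the scheduled database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120}
2015-03-12 09:46:51,122 [Carlos@3801f0b3-58] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Scheduled a database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120} to run at 2/28/15 2:00 AM
2015-03-12 09:46:51,133 [scheduler_Worker-1] INFO  com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Finished the database maintenance job, deleted 0 partitions, next run scheduled at 3/14/15 2:00 AM
"""

# timestamp, [thread], LEVEL, logger, " - ", message
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \[[^\]]*\] (\w+)\s+(\S+) - (.*)$")
POLICY_RE = re.compile(r"policy \{keepAlertForDays=(\d+), maxDiskUsageInMb=(\d+)\}")
DELETED_RE = re.compile(r"deleted (\d+) partitions")
RUN_AT_RE = re.compile(r"(?:to run at|next run scheduled at) (\d+/\d+/\d+ \d+:\d+ [AP]M)")


def parse_esa_log(text):
    """Return one dict per SQLStorageMaintenance line, in file order; other loggers are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3).endswith("SQLStorageMaintenance"):
            continue
        ts, _level, _logger, msg = m.groups()
        ev = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
              "kind": msg.split(" ", 1)[0].lower()}  # starting / scheduled / finished
        p = POLICY_RE.search(msg)
        if p:
            ev["keep_alert_for_days"] = int(p.group(1))
            ev["max_disk_usage_mb"] = int(p.group(2))
        d = DELETED_RE.search(msg)
        if d:
            ev["deleted_partitions"] = int(d.group(1))
        r = RUN_AT_RE.search(msg)
        if r:
            ev["next_run"] = datetime.strptime(r.group(1), "%m/%d/%y %I:%M %p")
        events.append(ev)
    return events


def next_scheduled_run(events):
    """Most recently reported next-run time, or None if the job never scheduled one."""
    runs = [e["next_run"] for e in events if "next_run" in e]
    return runs[-1] if runs else None


def maintenance_overdue(events, now):
    """True when no run is scheduled, or the scheduled time passed with no later log entry."""
    nxt = next_scheduled_run(events)
    return nxt is None or nxt < now
```

Feed the output of `tail -n 1000 /opt/rsa/esa/logs/esa.log` into `parse_esa_log` from a monitoring job and alert when `maintenance_overdue` returns True.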


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Notes
CAUTION:
A defect exists in Security Analytics 10.4.1 and below that incorrectly reports the database size once it exceeds 1.99 GB. This issue is permanently resolved in Security Analytics 10.4.1.1.
Until that version can be applied, ESA maintenance should be configured using the KeepAlertsForDays value rather than the DatabaseDiskUsageLimitInMB value.
Parameters:
DatabaseDiskUsage: (read-only) current database size
HaveAlertForDays: (read-only) current number of alerts in days
KeepAlertsForDays: number of days to keep the alerts in the database before they are removed
DatabaseDiskUsageLimitInMB: database size threshold; when exceeded, alerts will be deleted
DaysToDeleteWhenLimitExceeded: number of days to remove when DatabaseDiskUsageLimitInMB is exceeded
Schedule: cron schedule for running the alert maintenance job.
