000031814 - How to delete entries from the Incident Management (IM) database in RSA Security Analytics 10.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Oct 17, 2018.
Version 3

Article Content

Article Number: 000031814
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management (IM), Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6
Tasks: This article describes how to delete entries from the Incident Management (IM) database, which over time accumulates old alerts and incidents that are no longer needed.
To accomplish this, you will need SSH access to the ESA appliance as the root user.
Resolution: The IM database resides on the ESA appliance. Connect to the ESA appliance via SSH as the root user and perform the following:

Log in to the IM database with the mongo shell (the default credentials are user im, password im; omit the value after -p to be prompted instead of leaving the password in the shell history and process list):

mongo im -u im -p im

Check how many alerts are present in the alert collection:

> db.alert.count()

Removing Alerts shown in Incident \ Alerts of Incident Management from Mongo

Example Command 1) The following command removes alerts whose receivedTime falls within a range, here from 1 Nov 2000 (inclusive) to 1 Dec 2000 (exclusive). Count with the same filter first to confirm how many documents the range matches, since a remove cannot be undone:

> db.alert.remove({receivedTime: { $gte: ISODate('2000-11-01'), $lt: ISODate('2000-12-01') }})

Example Command 2) The following command removes ALL alerts from the IM alert collection. There is no undo, so take a backup (for example with mongodump) first if the alerts might still be needed:

> db.alert.remove({})

Confirm the number of records remaining after the removal:

> db.alert.count()

As described in KB 000032518 (Incidents page fails to load due to huge number of alerts waiting to be processed in RSA Security Analytics 10.5), if the size of the alert collection is a concern, rebuild its indexes after the removal:

> db.alert.reIndex()

Note: removing documents does not by itself shrink the collection on disk. reIndex() drops and rebuilds the collection's indexes, which releases index space; without it the reported size may remain the same after the remove. Check sizes with the collection's stats() output rather than show collections, which lists only collection names. Reclaiming the data-file space itself would require a compact or repairDatabase, which is outside the scope of this article.

Removing Incidents shown in Incident \ Queue of Incident Management

The following will remove ALL incidents from the IM incident collection. As with alerts, there is no undo; count first and back up if needed:

> db.incident.count()
> db.incident.remove({})
> db.incident.count()

If the size of the incident collection is of concern, then you may need to reduce using:

> db.incident.reIndex()
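The alert and incident steps above can be combined into one script that counts what a filter matches before anything is removed. The following is an added example, not RSA's own tooling: a script for the legacy mongo shell (ES5 only, hence no let/const or arrow functions) that prunes both collections by age, dry-running first. It uses the article's receivedTime field for alerts; the incident date field name, the cutoff date and the DRY_RUN setting are assumptions to adjust before a real run. The service restart on the Security Analytics Server remains a separate manual step.

```javascript
// Added example (not RSA's own script): prune the IM alert and incident
// collections by age, with a dry run first. Run on the ESA appliance with:
//   mongo im -u im -p purge_im.js     (omit the value after -p to be prompted)
// Written for the legacy mongo shell (ES5): no let/const/arrow functions.

// --- settings (assumptions; adjust before a real run) -------------------
var DRY_RUN = true;                    // set to false to actually delete
var CUTOFF = new Date('2000-12-01');    // remove documents received before this
var ALERT_TIME_FIELD = 'receivedTime';  // field used by the article's example
var INCIDENT_TIME_FIELD = 'created';    // ASSUMED name: confirm with db.incident.findOne()

// Build the age filter { field: { $lt: cutoff } }; an optional lower bound
// `since` adds { $gte: since }, matching the article's time-range example.
function buildAgeFilter(field, cutoff, since) {
  var range = { $lt: cutoff };
  if (since) { range.$gte = since; }
  var filter = {};
  filter[field] = range;
  return filter;
}

// Count the matches, remove them unless dryRun, rebuild indexes, re-count.
// `coll` is a shell collection (db.alert, db.incident) or the in-memory
// stand-in below; both expose count(filter), remove(filter) and reIndex().
function pruneCollection(coll, field, cutoff, dryRun) {
  var filter = buildAgeFilter(field, cutoff);
  var before = coll.count();
  var matching = coll.count(filter);
  if (dryRun || matching === 0) {
    return { before: before, matching: matching, removed: 0, after: before, reindexed: false };
  }
  coll.remove(filter);
  coll.reIndex();                       // as the article advises after a bulk remove
  var after = coll.count();
  return { before: before, matching: matching, removed: before - after, after: after, reindexed: true };
}

// Minimal in-memory stand-in for a collection, enough to exercise the
// functions above without a database. Only $lt / $gte on one field are
// supported, which is all the filters here use.
function MemoryCollection(docs) {
  this.docs = docs.slice();
  this.reindexCount = 0;
}
function docMatches(doc, filter) {
  for (var field in filter) {
    var cond = filter[field], v = doc[field];
    if (v === undefined) { return false; }
    if (cond.$lt !== undefined && !(v < cond.$lt)) { return false; }
    if (cond.$gte !== undefined && !(v >= cond.$gte)) { return false; }
  }
  return true;
}
MemoryCollection.prototype.count = function (filter) {
  if (!filter) { return this.docs.length; }
  return this.docs.filter(function (d) { return docMatches(d, filter); }).length;
};
MemoryCollection.prototype.remove = function (filter) {
  this.docs = this.docs.filter(function (d) { return !docMatches(d, filter); });
};
MemoryCollection.prototype.reIndex = function () { this.reindexCount += 1; };

// Runs only inside the mongo shell, where `db` is defined.
if (typeof db !== 'undefined') {
  printjson(pruneCollection(db.alert, ALERT_TIME_FIELD, CUTOFF, DRY_RUN));
  printjson(pruneCollection(db.incident, INCIDENT_TIME_FIELD, CUTOFF, DRY_RUN));
}
```

Leave DRY_RUN set to true for the first pass and compare the printed `matching` count with `before`; only when the numbers look right set it to false and run the script again. The returned `removed` value is computed from counts before and after rather than from the return value of remove(), because older shells return nothing from it.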

A service restart may be needed if the change is not reflected in the Security Analytics UI. To restart the IM service, connect to the Security Analytics Server via SSH as the root user and enter the following commands:

service rsa-im stop
service rsa-im start

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

In 10.6.x, single alerts or alerts in a time range can also be deleted from the web UI without touching the database directly:

Delete IM Alerts: 10.6.x Product Documentation Reference: https://community.rsa.com/docs/DOC-84518
Delete IM Incidents: 10.6.x Product Documentation Reference: https://community.rsa.com/docs/DOC-84496