000031814 - How to delete the Incident Management (IM) database in RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000031814
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management (IM), Security Analytics Server, Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6
Tasks: This article describes how to delete the Incident Management (IM) database when it has been populated over time with old events that are no longer needed.
To accomplish this, you will need SSH access to the ESA appliance as the root user.
Resolution: The IM database resides on the ESA appliance. Connect to the ESA appliance via SSH as the root user and enter the following:
mongo im -u im -p im
db.alert.count()
db.alert.remove()
db.alert.count()

This will remove the events shown in the Alerts tab of the Incident Management (IM) module. Then issue the commands below; the count() calls before and after the remove() let you verify that the removal took effect.
db.incident.count()
db.incident.remove()
db.incident.count()

This will remove the events shown in the Incidents tab of the Incident Management (IM) module.
A service restart may be needed if the change is not reflected in the Security Analytics UI. To restart the IM service, connect to the Security Analytics Server via SSH as the root user and enter the following commands:
service rsa-im stop
service rsa-im start
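The steps above can be wrapped in a small script that records the document counts before and after each remove, refuses to delete anything unless explicitly confirmed, and reports a non-zero exit status if either collection still holds documents afterwards. The script below is an added example and is not RSA tooling; it assumes the database, user and password shown in this article (im / im / im) and a mongo shell on the ESA appliance. It uses remove({}) with an explicit empty query rather than a bare remove(): both delete every document, but the empty-query form is accepted by every mongo shell version, whereas newer shells reject a remove() with no argument. The MONGO variable exists so the mongo binary can be replaced by a stub when exercising the script outside the appliance.

```shell
#!/bin/sh
# Added example, not RSA's own tooling. Clears the IM alert and incident
# collections with count checks before and after each removal.
# Assumptions: database "im", user "im", password "im" (from the article),
# and a mongo shell reachable as $MONGO (defaults to "mongo").

MONGO="${MONGO:-mongo}"   # override with a stub function or path for testing
IM_DB="im"
IM_USER="im"
IM_PASS="im"

# Evaluate one JavaScript expression against the IM database and print
# its result. --quiet suppresses the shell's connection banner.
im_eval() {
    "$MONGO" "$IM_DB" -u "$IM_USER" -p "$IM_PASS" --quiet --eval "$1"
}

# Print the number of documents in the named collection.
im_count() {
    im_eval "db.$1.count()"
}

# Remove every document from one collection, print the before/after
# counts, and succeed only if the collection is empty afterwards.
# remove({}) is used instead of a bare remove(); see the lead-in.
im_clear() {
    coll="$1"
    before=$(im_count "$coll")
    im_eval "db.$coll.remove({})" >/dev/null
    after=$(im_count "$coll")
    echo "$coll: $before documents before, $after after"
    [ "$after" = "0" ]
}

# Clear both collections the article covers; non-zero exit if any
# collection still contains documents.
im_purge() {
    status=0
    for coll in alert incident; do
        im_clear "$coll" || status=1
    done
    return $status
}

# Command-line behaviour: --count only reports, --yes performs the purge.
# The rsa-im restart runs on the Security Analytics Server, not here,
# so the script only reminds the operator about it.
case "${1:-}" in
    --count)
        for coll in alert incident; do
            echo "$coll: $(im_count "$coll")"
        done ;;
    --yes)
        im_purge && echo "IM collections cleared; restart rsa-im on the SA Server if the UI does not refresh" ;;
    *)
        echo "usage: $0 --count | --yes" ;;
esac
```

Run it once with --count to see what would be deleted, and only then with --yes. A non-zero exit after --yes means a count did not drop to zero and the collection should be inspected by hand before assuming the database is clean.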


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
