|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Incident Management (IM), Security Analytics Server, Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x
Platform (Other): MongoDB
O/S Version: EL6
|Tasks||This article addresses how to delete the Incident Management (IM) database that has been populated by old events over time which aren't needed anymore.|
To accomplish this, you will need SSH access to the ESA appliance as the root user.
|Resolution||The IM database resides on the ESA appliance. Connect to the ESA appliance via SSH as the root user and perform the following:|
mongo im -u im -p im
This will remove the events shown in the alerts tab of the Incident Management Module (IM) module. Then to verify, issue the commands below.
This will remove the events shown in the Incidents tab of the Incident Management Module (IM).
A service restart may be needed if the change doesn't reflect in the Security Analytics UI. To restart the IM Service, connect to the Security Analytics Server via SSH as the root user and enter the following commands:
service rsa-im stop
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.