000029735 - How to aggregate events from the current time in Security Analytics ESA

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000029735
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 10.4.x
Platform: CentOS
O/S Version: EL6
Issue: Consider the following scenario. A device that is configured to forward events to ESA has been down for a substantial period of time, and millions of events have accumulated. By the time the device is back in service, an exorbitant number of events may need to be processed: ESA resumes each aggregation source from its saved bookmark (the last session it consumed), so the whole backlog is sent at once. This flood of events can have debilitating effects on ESA performance. Moreover, the historic alerts produced in situations of this nature typically contain repetitive information that is not needed.
Resolution: In situations such as those described, or when other circumstances call for limiting the events sent by time, follow these steps to make ESA aggregate events from the current time instead of replaying the backlog:
Navigate to Administration > Services, select the ESA service from the services list, then choose Actions > View > Explore.
In the tree on the left of the page, navigate to Workflow > Source > nextgenAggregationSource.
Before changing anything, note the current value of the AggregationURIs field so that the same sources can be re-added afterwards. Then delete the value of AggregationURIs and apply the change. A popup with "Configuration is successfully updated" confirms that the change has been applied.
This removes all aggregation sources from ESA together with their bookmarks (the last session consumed from each source). Because the bookmarks are gone, the sources must be added again on the ESA service's Config page; each re-added source starts at the session that is current when it is added, so the accumulated events are never replayed.
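The following is an added example, not RSA's code and not how ESA is implemented internally: it is a constructed Python model of an aggregation source with a session bookmark, written to show why a stale bookmark replays the entire backlog and why removing the source (and with it the bookmark) and re-adding it starts at the current session. The Session, AggregationSource and EsaConfig structures, the nw:// URI, and the sample feed are assumptions made for the illustration.

```python
"""Constructed model of ESA aggregation sources and their session bookmarks.

Not RSA's code.  The structures below are assumptions made to illustrate the
behaviour described in the article: a source that still has a bookmark resumes
from it and replays every session that accumulated while the feed was down; a
source that has been removed and re-added has no bookmark and is positioned at
the newest session, so the backlog is skipped.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    session_id: int          # monotonically increasing per source (assumption)
    time: datetime


@dataclass
class AggregationSource:
    uri: str                          # hypothetical source URI
    bookmark: Optional[int] = None    # last session id consumed; None = no bookmark


@dataclass
class EsaConfig:
    # models the AggregationURIs value in the Explore view (assumption)
    aggregation_uris: List[AggregationSource] = field(default_factory=list)


def sessions_on_reconnect(source: AggregationSource, available: List[Session]) -> List[Session]:
    """Sessions pulled from `source` when the consumer (re)connects.

    With a bookmark, everything after it is replayed (the backlog).
    Without a bookmark, the source is positioned at the newest available
    session and nothing is replayed.  The bookmark is advanced either way.
    """
    if source.bookmark is None:
        source.bookmark = max((s.session_id for s in available), default=0)
        return []
    replay = [s for s in available if s.session_id > source.bookmark]
    if replay:
        source.bookmark = replay[-1].session_id
    return replay


def backlog_summary(replay: List[Session]) -> dict:
    """Count and time span of a backlog: what an operator wants to know before
    deciding to clear the sources rather than let the replay run."""
    if not replay:
        return {"count": 0, "span": timedelta(0)}
    return {"count": len(replay), "span": replay[-1].time - replay[0].time}


def clear_aggregation_uris(config: EsaConfig) -> List[str]:
    """Models deleting the AggregationURIs value.  Returns the removed URIs so
    they can be re-added; the bookmarks are discarded with the sources."""
    saved = [s.uri for s in config.aggregation_uris]
    config.aggregation_uris = []
    return saved


def re_add_sources(config: EsaConfig, uris: List[str]) -> List[AggregationSource]:
    """Re-adding a source creates it without a bookmark."""
    config.aggregation_uris = [AggregationSource(uri=u) for u in uris]
    return config.aggregation_uris


def build_sample_feed(start: datetime, count: int, interval_seconds: int = 1) -> List[Session]:
    """Constructed sample feed: `count` consecutive sessions, one per interval."""
    return [Session(i, start + timedelta(seconds=i * interval_seconds)) for i in range(1, count + 1)]


def demo():
    """Returns (sessions replayed with a stale bookmark,
                sessions replayed after clearing and re-adding the source,
                sessions delivered once new traffic arrives on the re-added source)."""
    start = datetime(2016, 6, 1)
    feed = build_sample_feed(start, 5000)            # 5000 sessions piled up while ESA was not consuming

    # Case 1: the source still carries its old bookmark, so the backlog is replayed.
    stale = AggregationSource("nw://concentrator-1:50005", bookmark=10)   # hypothetical URI
    backlog = backlog_summary(sessions_on_reconnect(stale, feed))

    # Case 2: clear AggregationURIs (keeping a note of the URIs), re-add the source.
    config = EsaConfig([AggregationSource("nw://concentrator-1:50005", bookmark=10)])
    saved = clear_aggregation_uris(config)
    fresh = re_add_sources(config, saved)[0]
    skipped = backlog_summary(sessions_on_reconnect(fresh, feed))

    # New sessions arriving after the re-add are delivered normally.
    later = build_sample_feed(start, 5003)
    new = sessions_on_reconnect(fresh, later)
    return backlog["count"], skipped["count"], len(new)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the difference between the two reconnects: the stale bookmark at session 10 replays sessions 11 through 5000, while the re-added source positions itself at session 5000 and only ever sees the three sessions that arrive afterwards. Recording the removed URIs before clearing the field is what makes the re-add step in the procedure painless.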