|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 10.4.x
O/S Version: EL6
|Issue||Consider the following scenario: A device that is configured to forward events to ESA has been down for a substantial period of time, and millions of events have accumulated. By the time the situation with the device is rectified, an exorbitant number of events may need to be processed. This can lead to a flood of events sent all at once to the ESA server, which may have debilitating effects on performance. Moreover, the historic alerts in situations of this nature typically contain repetitive information that is not needed.|
|Resolution||In situations such as those described, or when other circumstances dictate limiting the events sent by time, follow these steps to aggregate ESA events to the current time:|
1. Navigate to Administration > Services, then from the services list select ESA, then Actions > View > Explore.
2. From the section on the left of the page, navigate to Workflow > Source > nextgenAggregationSource.
3. Find the field labeled “AggregationURIs” and delete its value. Once the change is applied, a popup with "Configuration is successfully updated" will appear.
This will remove all the sources from ESA as well as their bookmarks for the last current sessions. Because of this, the sources will have to be added again on the ESA config page.