|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: NetWitness Logs & Network Server, Incident Management
RSA Version/Condition: 10.6.x
Platform (Other): MongoDB
O/S Version: EL6
|Issue||The RSA Incident Management (IM) service becomes unresponsive while loading a large number of alerts.|
In the NetWitness UI, Incidents > Alerts, when a large number of alerts are loading, the screen is unavailable and the error message Unexpected Error: Timer already canceled is displayed.
Then after login to the appliance that is running the Incident Management service, may find the service is not running when using the command:
service rsa-im status
RSA Security Analytics Incident Management:: Server is not running.
|Cause||This happens when selecting the Time Range "All Data" from the Incidents window in the NetWitness, Incidents > Alerts, when there is a large number of alerts in the Incident Management MongoDB database.|
|Resolution||To prevent this condition, configure the Incident Management (IM) service to delete alerts and incidents older than a set number of days, to limit the number of alerts in the NetWitness Incident Management MongoDB database:|
|Workaround||Reset the time range in Incident Management to avoid the timeout error message.|