000032723 - Incident Management becomes unresponsive while loading large number of alerts in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000032723
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Incident Management
RSA Version/Condition: 10.5.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6
IssueThe RSA Incident Management (IM) service becomes unresponsive while loading a large number of alerts.
In the Security Analytics UI, Incidents -> Alerts, when a large number of alerts are loading, the screen is unavailable and the error message Unexpected Error: Timer already cancelled is displayed.
User-added image
Then when login to the appliance that is running the Incident Management service, may find the service is not running when using the command:
 service rsa-im status
 RSA Security Analytics Incident Management :: Server is not running.
CauseThis happens when selecting the Time Range "All Data" from the Incidents window in the Security Analytics GUI, Incidents -> Alerts, when there is a large number of alerts in the Incident Management MongoDB database.
ResolutionTo prevent this condition, configure the Incident Management (IM) service to delete alerts and incidents older than a set number of days, to limit the number of alerts in Security Analytics:
1. Log in to the Security Analytics UI.
2. In the main menu, select Incidents -> Configure.
3. Click the Retention Scheduler tab.
4. Click the Enable data retention scheduler check box to enable it.
5. In the Retain alerts and incidents for dialog, set the number of days either by selecting from the dropdown list or manually typing a numeric value.
User-added image
6. Click Apply.
WorkaroundReset the time range in Incident Management to avoid the timeout.
1. Verify if the IM service is running using the command:
 service rsa-im status
If the service is not running, manually start the service using the command:
 service rsa-im start
2. Log in to the Security Analytics UI, and from the main menu, select Dashboard.
3. At the top of the page next to Default Dashboard, click the plus sign (+), and then click Add Dashlet.  
4. In the Type field, select "Incident Queue Activity", then limit the Time Range to a small value, such as "Last 1 Hour", click Add.
5. Verify that the Incident Queue Activity dashlet is loaded. It should be similar to the following example image:
User-added image
6. Click on the displayed Total # of Alerts, Incidents, or Remediation count number to load the Incidents window with a limited amount of data.