000032723 - RSA NetWitness Logs & Network Incident Management becomes unresponsive while loading large number of alerts

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Apr 18, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000032723
Applies ToRSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness Logs & Network Server, Incident Management
RSA Version/Condition: 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6
IssueThe RSA Incident Management (IM) service becomes unresponsive while loading a large number of alerts.

In the NetWitness UI, Incidents > Alerts, when a large number of alerts are loading, the screen is unavailable and the error message Unexpected Error: Timer already canceled is displayed.

User-added image

Then after login to the appliance that is running the Incident Management service, may find the service is not running when using the command:

 service rsa-im status

RSA Security Analytics Incident Management:: Server is not running.
CauseThis happens when selecting the Time Range "All Data" from the Incidents window in the NetWitness, Incidents > Alerts, when there is a large number of alerts in the Incident Management MongoDB database.
ResolutionTo prevent this condition, configure the Incident Management (IM) service to delete alerts and incidents older than a set number of days, to limit the number of alerts in the NetWitness Incident Management MongoDB database:
  1. Log in to the NetWitness UI.
  2. In the main menu, select Incidents > Configure
  3. Click the Retention Scheduler tab.
  4. Click the Enable data retention scheduler checkbox to enable it.
  5. In the Retain alerts and incidents for dialog, set the number of days either by selecting from the dropdown list or manually typing a numeric value.
    User-added image
  6. Click Apply.
WorkaroundReset the time range in Incident Management to avoid the timeout error message.
  1. Verify if the IM service is running by using the command:
     service rsa-im status

    If the service is not running, manually start the service using the command:
     service rsa-im start

  2. Log in to the NetWitness UI, and from the main menu, select Dashboard.
  3. At the top of the page next to Default Dashboard, click the edit pad with the pencil icon, and then click Add Dashlet.  
  4. In the Type field from the dropdown, select "Incident Queue Activity", then limit the Time Range to a small value, such as "Last 1 Hour", click Add.
  5. Verify that the Incident Queue Activity dashlet is loaded. It should be similar to the following example image:
    User-added image
  6. Click on a displayed "Total # of Alerts", "Total # of Incidents", or "Total # of Remediation" count number to load the Incidents window with a limited amount of data.  The Incident > Alert page should open with a custom Time Range of "1 hour" from the Dashlet instead of "All Data".