|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Security Analytics Server, Incident Management
RSA Version/Condition: 10.5.x
Platform (Other): MongoDB
O/S Version: EL6
|Issue||The RSA Incident Management (IM) service becomes unresponsive while loading a large number of alerts.|
In the Security Analytics UI, under Incidents -> Alerts, when a large number of alerts are loading, the screen is unavailable and the error message "Unexpected Error: Timer already cancelled" is displayed.
After logging in to the appliance that runs the Incident Management service, the following command may show that the service is not running:
service rsa-im status
RSA Security Analytics Incident Management :: Server is not running.
|Cause||This happens when the Time Range "All Data" is selected in the Incidents window of the Security Analytics GUI (Incidents -> Alerts) while there is a large number of alerts in the Incident Management MongoDB database.|
|Resolution||To prevent this condition, configure the Incident Management (IM) service to delete alerts and incidents older than a set number of days, to limit the number of alerts in Security Analytics:|
1. Log in to the Security Analytics UI.
2. In the main menu, select Incidents -> Configure.
3. Click the Retention Scheduler tab.
4. Click the Enable data retention scheduler check box to enable it.
5. In the Retain alerts and incidents for dialog, set the number of days either by selecting from the dropdown list or manually typing a numeric value.
6. Click Apply.
|Workaround||Reset the time range in Incident Management to avoid the timeout.|
1. Verify whether the IM service is running using the command:
service rsa-im status
If the service is not running, manually start the service using the command:
service rsa-im start
2. Log in to the Security Analytics UI, and from the main menu, select Dashboard.
3. At the top of the page next to Default Dashboard, click the plus sign (+), and then click Add Dashlet.
4. In the Type field, select "Incident Queue Activity", limit the Time Range to a small value, such as "Last 1 Hour", and then click Add.
5. Verify that the Incident Queue Activity dashlet is loaded. It should be similar to the following example image:
6. Click on the displayed Total # of Alerts, Incidents, or Remediation count number to load the Incidents window with a limited amount of data.