on Jun 14, 2016Article Content
| Article Number | 000032518 |
| Applies To | RSA Product Set: RSA Security Analytics RSA Version/Condition: 10.5.x |
| Issue | Incidents page on the User Interface (UI) shows as blank. Even though rsa-im service is running, the Administration -> Services Page shows it as down  |
| Cause | This can happen when the Incident Management (IM) database grows to an extend that it crashes the IM service. The database size may be huge because of the number of alerts that are coming in are too high. |
| Resolution | Stop the Incident Management service with the following command:# service rsa-im stop Check the current size of the IM databse with the following command: # mongo im -u im -p im Remove old alerts from database with the following command by changing the date accordingly: > db.alert.remove({receivedTime : { $gte: ISODate('2016-01-01'), $lt: ISODate('2016-02-02')}})Once removed, re-index the database to free up space: > db.alert.reIndex() Once the database is cleared, check the rabbitmq queue for im.alert_queue. Access the RabbitMQ web interface following the instructions in the article entitled How to access the RabbitMQ web interface to monitor and troubleshoot the event broker on an RSA Security Analytics Log Collector. In the Web Interface, click on the im.alert.queue.  Check the number of queues messages. If the number is above 100,000 , the IM service may crash again after the restart. To purge the queue, scroll down and click on the "Purge" button. NOTE: Any purged messages cannot be retrieved Once the queue is purged, start the IM service on the SA head using the following command: # service rsa-im start |
| Notes | The RabbitMQ web interface should be opened from the SA server. |