000030903 - SA: Deleted rules are incorrectly being triggered in ESA 10.4.X

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000030903
Applies To: RSA Product Set: Security Analytics, ESA
RSA Version/Condition: 10.4.X
Issue: In certain instances, deleted rules may incorrectly trigger alerts on Security Analytics ESA appliances.
Observe that the rule count differs in GUI -> Alert -> Configuration. (The original article includes a screenshot at this point; it is not reproduced here.)
Cause: All rules are maintained in the ESA database, and ESA records must be synchronized properly for deleted rules to be purged. When ESA 10.4.X synchronization is in an inconsistent state, reference records may become orphaned until they are purged. Until all references to a deleted rule are purged from the database, that rule may still trigger alerts.
Resolution: Use the attached FixEsaRecords.js script on the SA server to delete the orphaned rules.

1. Copy FixEsaRecords.js to the /root directory of the SA server using any secure copy (scp) tool.
2. SSH to the SA server as root, cd to /root, and execute the script against the local ESA MongoDB instance with the following syntax:
        mongo localhost:27017/sa < FixEsaRecords.js
3. After running the script, the rule count shown in the SA UI should accurately match the deployed rules.