000030375 - After configuring MongoDB for Incident Management in RSA Security Analytics 10.4.x and above the rsa-im service must be restarted manually

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000030375
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management, Security Analytics Server
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6
Issue: After configuring MongoDB for the Incident Management module in Security Analytics, the user must manually restart the rsa-im service for the change to take effect.
If the service is not restarted, the alert pipeline will function, as will the Incident Management module in the UI, but the rule engine will not execute.
Cause: The rule engine will not function properly until the rsa-im service is restarted, because reference data such as categories and default rules will not be loaded. The indexes will also not be created.
Workaround: To make the Incident Management module fully functional, connect to the Security Analytics server appliance and restart the rsa-im service manually as shown below.
[root@SA-Server ~]# service rsa-im restart
Stopping RSA Security Analytics Incident Management :: Server...
Stopped RSA Security Analytics Incident Management :: Server.
Starting RSA Security Analytics Incident Management :: Server...
[root@SA-Server ~]#

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
