000030418 - When navigating through various "Event Sources" under "Event Monitoring System" in the Security Analytics 10.4.X UI, some duplicate records may be found

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 3

Article Content

Article Number: 000030418
Applies To: Security Analytics UI 10.4.X
Cause: When navigating through various Event Sources under Event Monitoring System, some duplicate records may be found. Some of these records are correctly parsed, but others are incorrectly parsed (under either "unknown" or "different" device types, as shown in the example below). This is typically due to a known historical parsing issue where the Event Source may have been parsed incorrectly at the time of deployment.

User-added image
Resolution: To rectify this issue, remove the duplicates by clearing the LogStats of the LogDecoder. This results in clearing all entries in ESM. Once this occurs, all new correctly parsed entries will be populated properly and all duplicates will be cleared.
1. In the SA UI, select the LogDecoder and go to the Explore view.
2. Right-click on the decoder and select Properties.
3. In the drop-down list, select “logStats”. Click Send to confirm that duplicate data (similar to what is seen in the ESM tab) is shown.
4. Then, enter “op=clear” in Parameters and click Send again. The data will be cleared in the Log Decoder.
5. Upon restart of the SMS service, the incorrectly parsed data will clear. From the command line via SSH, issue “service rsa-sms restart”.