000030578 - False appliance down status being reported when 35K plus events are in the RabbitMQ queue for RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000030578
Applies To:
RSA Product Set: Security Analytics

RSA Product/Service Type: Security Analytics UI, Broker, Log/Packet Concentrator, Log/Packet Decoder, Archiver, Event Stream Analysis (ESA), Remote Log Collector

RSA Version/Condition:

Platform: CentOS

O/S Version: EL6
Issue: Security Analytics shows a false host down status when a large number of events (35,000 or more) are queued in the RabbitMQ queue. Security Analytics looks for larger than normal time gaps in the update statistics from each host. When such a gap is detected for a host, it triggers the Health & Wellness Host Unreachable alarm as defined in the SA Host Monitoring Policy.
A false positive can occur when statistical messages back up in the message queue and cannot be processed in real time. If this occurs, the Host Unreachable alarm can trigger for all hosts.
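The condition described above can be checked before acting on a burst of Host Unreachable alarms. The following Python is an added example, not RSA code: it parses the output of `rabbitmqctl list_queues name messages` and applies the article's 35,000-event threshold. The queue names, host names, verdict labels and the per-queue reading of the threshold are assumptions.

```python
# Added example (not RSA code): triage Host Unreachable alarms against
# the RabbitMQ backlog condition described in this article.
BACKLOG_THRESHOLD = 35000  # article: 35,000 or more queued events

# Constructed sample of `rabbitmqctl list_queues name messages` output.
# Queue and host names are hypothetical placeholders.
SAMPLE_QUEUES = (
    "Listing queues ...\n"
    "example.stats\t41250\n"
    "example.other\t3\n"
    "...done.\n"
)
SAMPLE_HOSTS = ["decoder-01", "concentrator-01", "broker-01"]


def parse_list_queues(text):
    """Return {queue_name: message_count} from list_queues output."""
    depths = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        # Banner/footer lines have no trailing integer and are skipped.
        if len(parts) == 2 and parts[1].isdigit():
            depths[parts[0].strip()] = int(parts[1])
    return depths


def triage(queue_text, alarming_hosts, all_hosts):
    """Classify a burst of Host Unreachable alarms.

    Assumption: the threshold is applied to each queue individually.
    """
    depths = parse_list_queues(queue_text)
    backlog = {q: n for q, n in depths.items() if n >= BACKLOG_THRESHOLD}
    every_host = bool(all_hosts) and set(alarming_hosts) >= set(all_hosts)
    if backlog and every_host:
        verdict = "likely-false-positive"  # matches the article's pattern
    elif backlog:
        verdict = "backlog-present-verify-hosts"
    else:
        verdict = "treat-as-real"  # this article's cause does not apply
    return verdict, backlog


if __name__ == "__main__":
    print(triage(SAMPLE_QUEUES, SAMPLE_HOSTS, SAMPLE_HOSTS))
```

Even with a "likely-false-positive" verdict, confirm host reachability directly before clearing the alarm.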
Resolution: This issue has been permanently resolved in Security Analytics