000029123 - RSA Security Analytics report fails with error message:  The query was auto-canceled by the system for exceeding time usage limits

Document created by RSA Customer Support Employee on Jun 15, 2016Last modified by RSA Customer Support on Oct 14, 2020
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000029123
Applies ToRSA Product Set: RSA Security Analytics
RSA Product/Service Type: Reporting Engine
RSA Version/Condition: 10.3.x,10.4.x,10.5.x,10.6.x, 11.x
Platform: Platform (Other): CentOS
 
IssueUnable to run reports and the device log displays timeout error messages.

Looking at /var/log/messages shows:


The query was auto-cancelled by the system for exceeding time usage limits. Query running time was 00:20:00 (HH:MM:SS).


 



 
CauseThe query timeout value set for the user is too low to run large reports.
ResolutionYou may need to update the Query Level settings for the user who is running the report to 1 or 2. Follow the steps below, depending on the version:

10.3.x



  1. In the Security Analytics menu, select Administration > Devices.
  2. Select the Device (for example Concentrator) and View > Security.
  3. Select the User and change the Query Level settings to 1 or 2.

10.4.x



  1. In the Security Analytics menu, select Administration > System > Security.
  2. Select the user and click the edit icon from the action bar.
  3. Select the Attributes tab and change the SA Core Query Level to 1 or 2.

10.5.x and 10.6.x



  1. In the Security Analytics menu, select Administration Security.
  2. Select the user and click the edit icon from the action bar.
  3. Select the Attributes tab and change the SA Core Query Level to 1 or 2.

11.x Query and Session Attributes


Please refer to the below documentation links to set the Role or User Attributes:
 
Sec/User Mgmt: Verify Query and Session Attributes per Role ---  https://community.rsa.com/docs/DOC-96533
Sec/User Mgmt: Set Up Users  ---  https://community.rsa.com/docs/DOC-96509
 

NOTE: If a user is a member of multiple roles or have its specifices set, the following logic applies for the user:



  • Query Timeout: The most permissive (highest) value of all assigned roles or user setting is applied to the user.
  • Query Prefix: The query prefixes of each of the user roles are AND'd together.
  • Session Threshold: The highest value of all the assigned roles is applied to the user.



 
NotesThe query timeout for a user is controlled by the Query Level settings. The Query Level setting assigns the query level that the user will have for every query they perform. These influence whether their queries are limited by the query.level.1.minutes, query.level.2.minutes or query.level.3.minutes. 

The default values for the following query levels are:
1 = 60 minutes (query.level.1.minutes)
2 = 40 minutes (query.level.2.minutes)
3 = 20 minutes (query.level.3.minutes)


The above default 60/40/20 minutes can be changed from the Device Explore page under SDK > Config tree.

Attachments

    Outcomes