|Applies To||RSA Product Set: RSA Security Analytics|
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
|Issue||ESA is triggering alerts for old logs from the Concentrator. This can happen when the ESA is unable to consume the logs in real time.|
|Tasks||This article describes the steps to check whether the ESA is falling behind.|
|Resolution||Connect to the ESA appliance via SSH as the root user and run the commands below.|
NOTE: The commands in RED are user inputs and the ones in BLACK are system outputs.
[root@ESA]# /opt/rsa/esa/client/bin/esa-client --profiles carlos
NOTE: The last command is get <space> <dot>
The commands above produce output like that shown below. The sessionsBehind value indicates whether the ESA is behind the Concentrator.
"name" : "10.xx.xx.xx:56005",
|Notes||Please follow the instructions in article 000029735 to clear the backlog so that the ESA starts consuming from the current session.|
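The sessionsBehind check described above can be scripted against a saved copy of the esa-client output, so that delayed alerting is noticed without reading the output by hand. This is an added example, not RSA's code: the function names, the threshold parameter and the sample text are constructed here, and only the "name" and "sessionsBehind" field names come from the article. It assumes each source's fields appear in a block closed by a brace.

```python
import re

# Field patterns for lines such as:  "name" : "10.xx.xx.xx:56005",
NAME = re.compile(r'"name"\s*:\s*"([^"]*)"')
BEHIND = re.compile(r'"sessionsBehind"\s*:\s*"?(-?\d+)"?')

# Constructed sample; real output carries more fields, which are ignored.
SAMPLE = '''
{
  "name" : "10.xx.xx.xx:56005",
  "sessionsBehind" : 184230
}
{
  "name" : "10.yy.yy.yy:56005",
  "sessionsBehind" : 0
}
'''

def parse_sources(text):
    """Return [(name, sessions_behind), ...] from saved esa-client output."""
    sources, current = [], {}

    def flush():
        # Emit a pair only when both fields were seen for this source.
        if "name" in current and "behind" in current:
            sources.append((current["name"], current["behind"]))
        current.clear()

    for line in text.splitlines():
        name, behind = NAME.search(line), BEHIND.search(line)
        if name:
            current["name"] = name.group(1)
        if behind:
            current["behind"] = int(behind.group(1))
        if "}" in line:  # end of one source's block
            flush()
    flush()  # tolerate output that was cut off before the closing brace
    return sources

def lagging_sources(text, threshold=0):
    """Sources whose sessionsBehind exceeds threshold (hypothetical cutoff)."""
    return [(n, b) for n, b in parse_sources(text) if b > threshold]

if __name__ == "__main__":
    for name, behind in lagging_sources(SAMPLE):
        print("ESA is behind on %s by %d sessions" % (name, behind))
```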