000032858 - How to check if Event Stream Analysis (ESA) is falling behind concentrators in RSA Security Analytics

Document created by RSA Customer Support Employee on Jul 3, 2016. Last modified by RSA Customer Support Employee on Aug 1, 2017.

Article Content

Article Number: 000032858
Applies To: RSA Product Set: RSA Security Analytics
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Issue: ESA is triggering alerts for old logs from the Concentrator. This can happen when the ESA is unable to consume the logs in real time.
Tasks: This article describes the steps to check if the ESA is falling behind.
Resolution: Connect to the ESA appliance via SSH as the root user and run the commands below.
NOTE: The commands in RED are user inputs and the ones in BLACK are system outputs.

[root@ESA]# /opt/rsa/esa/client/bin/esa-client --profiles carlos
RemoteJmsDirectEndpoint { jms://localhost:50030?carlos.useSSL=true } ; running = true
carlos:localhost||jmx:localhost:com.rsa.netwitness.esa:/>cd nextgen
carlos:localhost||jmx:localhost:com.rsa.netwitness.esa:/Workflow/Source/nextgenAggregationSource>get .

NOTE: The last command is get <space> <dot>

The commands above produce output similar to the excerpt below. The sessionsBehind value for each Concentrator source indicates whether the ESA is behind that Concentrator (0 means it is consuming the current session).
    "name" : "10.xx.xx.xx:56005",
    "note" : "",
    "sessionId" : 24462390949,
    "sessionsBehind" : 58501036,
    "state" : "IDLE_QUEUED",
    "status" : "Streaming",
    "time" : 1459508373000
  }, {
    "filterCount" : 0,
    "name" : "10.xx.xx.xx:56005",
    "note" : "",
    "sessionId" : 34177054228,
    "sessionsBehind" : 149462451,
    "state" : "IDLE_QUEUED",
    "status" : "Streaming",
    "time" : 1459507000000
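As an added example (not part of the RSA article), a small Python helper that parses text captured from the "get ." command above and lists every Concentrator source whose sessionsBehind exceeds a threshold, together with the timestamp of the last session consumed. The sample output and IP addresses are constructed, modelled on the excerpt shown above.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the "get ." output in the article (values invented).
SAMPLE_OUTPUT = """\
  }, {
    "filterCount" : 0,
    "name" : "10.0.0.11:56005",
    "sessionId" : 24462390949,
    "sessionsBehind" : 58501036,
    "state" : "IDLE_QUEUED",
    "status" : "Streaming",
    "time" : 1459508373000
  }, {
    "filterCount" : 0,
    "name" : "10.0.0.12:56005",
    "sessionId" : 34177054228,
    "sessionsBehind" : 0,
    "state" : "IDLE_QUEUED",
    "status" : "Streaming",
    "time" : 1459507000000
"""

# Matches the JSON-style "key" : value pairs we care about; quoted and bare values.
FIELD_RE = re.compile(r'"(name|sessionsBehind|time|status)"\s*:\s*("?)([^",\n]*)\2')

def parse_sources(text):
    """Return one dict per Concentrator source block in the esa-client output.
    A new block starts at each "name" key; numeric fields are converted to int."""
    sources = []
    for key, _quote, value in FIELD_RE.findall(text):
        if key == "name":
            sources.append({"name": value})
        elif sources:
            sources[-1][key] = int(value) if value.lstrip("-").isdigit() else value
    return sources

def lagging_sources(text, threshold=0):
    """Return (name, sessionsBehind, last_session_time_utc) for every source whose
    sessionsBehind is above threshold, i.e. ESA is still consuming older sessions."""
    lagging = []
    for src in parse_sources(text):
        behind = src.get("sessionsBehind", 0)
        if behind > threshold:
            ts = datetime.fromtimestamp(src["time"] / 1000, tz=timezone.utc)
            lagging.append((src["name"], behind, ts.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return lagging
```

Save the esa-client output to a file on the appliance and pass its contents to lagging_sources(); a non-zero threshold lets a small, transient backlog pass without being reported.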
Notes: Please follow the instructions in the article 000029735 to clear the backlog so that ESA starts consuming from the current session.