000033427 - How to monitor ESA Rule(s) memory utilization through RSA NetWitness UI

Document created by RSA Customer Support Employee on Jul 20, 2016. Last modified by RSA Customer Support on Jul 10, 2019.
Version 6

Article Content

Article Number: 000033427
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 10.6.X.X
Issue: In some circumstances, the ESA service stops or the ESA trial rules become disabled due to high memory utilization by an ESA rule.
Tasks: ESA rules that utilize more memory cause ESA service stability problems and cause trial rules to be disabled.
Resolution: Use the steps below to identify which ESA rule(s) are utilizing more memory.
  1. Log in to the Security Analytics GUI.
  2. Navigate to Administration > Services, select the Explore view of the ESA service, and expand the CEP folder.
  3. Make sure that the fields highlighted in red below are all set to true.
     (User-added image)
  4. SSH to the ESA appliance and restart the ESA server using the command: service rsa-esa restart.
  5. In the Security Analytics UI, go to Administration > Health & Wellness > System Stats Browser.
  6. Select the options shown below from the drop-down lists:
     • Host = ESA
     • Component = Event Stream Analytics
  7. Type esa-metrics in the Category field, then click Apply.
Sample screenshot with the options mentioned above:
(User-added image)
  8. Verify the Value column to see the high memory utilization details. The corresponding rule name can be found in the Subitem column.

  9. Disable the rule in ESA by navigating to the Alerts > Configure page to make the ESA service stable.