This topic tells ESA rule writers how to view memory metrics for rules. You can see estimated memory usage for each rule running on a server, and you can use this information to modify your rule statements and conditions if they use too much memory.
Rules can sometimes consume more memory than you expect, causing your ESA to slow down or stop. To see approximately how much memory a rule is using, you can configure memory metrics. Memory metrics allow you to view an estimated memory usage for each rule in the Health & Well System Stats browser (so you will need permissions to access this module). You can use this information to modify your rules to be more efficient.
At a high level, you will need to complete the following steps to use the memory metrics to troubleshoot memory usage for rules:
- Ensure that the memory metrics feature is enabled (via Explorer > CEP > Metrics > EnableStats). The Memory Metrics feature is enabled by default.
- Ensure you have the correct permissions to view the Health & Wellness module. For information on roles and permissions, see Role Permissions.
- View the memory statistics in Health & Wellness.
- (Recommended) Configure Health & Wellness ESA policies to send an email if memory thresholds are exceeded. See Manage Policies for instructions on sending email notifications.
- Use the memory metrics data to modify rules to be more efficient, if necessary.
- Memory Metrics feature is enabled (via Explorer > CEP > Metrics > EnableStats).
- The user must have the appropriate permissions to view Health & Wellness statistics.
- (Recommended) Configure the ESA Health & Wellness policy to send an email when memory thresholds are exceeded.
View Memory Metrics in the Health & Wellness System Monitoring Module
- In the Security Analytics menu, go to Administration > Health & Wellness > ESA > System Monitoring
- View the details for your ESA service.
- Select Rules.
- You can view the average memory usage for each rule for the previous hour.
View Memory Metrics in the Health & Wellness System Stats Browser
- In the Security Analytics menu, go to Administration > Health & Wellness > System Stats Browser.
- For component, select Event Stream Analysis. For category, enter ESA-Metrics.
The name of the rule is displayed in the Subitem field, and the memory usage is displayed in the Value column.
- To view the historical memory usage for the rule, click on the Historical Graph icon.
Note: The Last Update field reflects when Health & Wellness polls ESA. However, the Memory Metrics is not synchronized with the Health & Wellness polling. For example, if the memory threshold is exceeded on 10/10/15 at 12 p.m., but Health & Wellness polls at 10/10/15 at 12:10 p.m., the Last Update field will display a timestamp of 10/10/15 12:10 p.m.
Enable or Disable the Memory Metrics Feature
- In the Security Analytics menu, go to Administration > Services and select your ESA.
- Once you've selected your ESA, click on Actions > View> Explore, and navigate to CEP Metrics> Configuration as shown below.
- Change the field EnabledStats to true or false depending on whether you want to enable or disable the memory metrics feature.