Incident Management Config: Step 2: Configure a Database for the Incident Management Service

Document created by RSA Information Design and Development on Jul 27, 2016Last modified by RSA Information Design and Development on Jul 27, 2016
Version 2Show Document
  • View in full screen mode

This topic provides information on how to configure a database for the Incident Management service.

You have to configure the database for the Incident Management service for it to become usable. The ESA installation creates and secures a database instance for Incident Management service. You have to select one of the ESA servers to act as the database host for Incident Management Service.

Considerations for Choosing the Host for ESA Database

This topic applies if you enable cross-site correlation in ESA.

In ESA, cross-site correlation allows you to create a deployment that includes one set of rules and multiple ESA services. These are the main features of a cross-site correlation deployment:

  1. There is one central ESA service. 
  2. When you deploy rules, ESA services forward relevant events to the central ESA.
  3. The central ESA runs the rules and generates alerts.

If you enable cross-site correlation, there are factors to consider when you choose which ESA to use with Incident Management:

  • Choose an ESA service that is co-located with {{SA} to limit latency for access to MongoDB.
  • Choose the ESA that gets the least traffic.

Note: Do not choose the central ESA because it ingests its own traffic and receives forwarded events from other ESA services.

For more information, see Enable Cross-Site Correlation in the Alerting Using ESA Guide. 


Ensure that an ESA host is installed and configured.

To configure a database for the Incident Management service:

  1. In the Security Analytics menu, select Administration > Services.

    The Services view is displayed.

  2. In the Services panel, select the Incident Management service.
  3. In the Actions column, select View > Explore.

    The Services Explore view is displayed.

  4. In the options panel, select Service > Configuration > database.

    The database view is displayed in the right side panel.


  5. Provide the following information:

    • Host – The hostname or IP address of the ESA host selected as a database
    • DatabaseName – im (this is the default value)
    • Port – 27017 (this is the default value)
    • Username – The username for the user account for the IM database (ESA creates an im user with the right privileges)
    • Password – The password you selected for the im user
  6. Restart the Incident Management service using the following command.

    service rsa-im restart

Note: Restarting the Incident Management service is important for the database configuration to be complete.

You are here: Configure Incident Management > Step 2. Configure a Database for the Incident Management Service