|Applies To||RSA Product Set: RSA Security Analytics |
RSA Product/Service Type: Packet Decoder, Log Decoder, Concentrator, Archiver
RSA Version/Condition: 10.4.x,10.5.x,10.6.x
O/S Version: EL6
|Issue||By default, database configuration is set in a way that once metadb/sessiondb/packetdb/indexdb reaches 95%, the data roll over should start.|
Sometimes it has been observed that roll over doesn't take place exactly at 95% and we get below alarm on SA :
“High Filesystem Usage”
|Resolution||The usage of metadb/sessiondb/packetdb/indexdb which even if grows beyond the configured size is a normal scenario as long as rollover is occurring automatically before the filesystem fills, it is functioning as designed.|
As rollover is not that precise and rollover is only active once the usage exceeds the specified size threshold, and only is activated periodically, rather than instantaneously.
So,it seems rollover starts periodically and in that mean time db grows more than 95%.
So, we can ignore “High Filesystem Usage” alarms as the functionality and services are not affected.
To stop the alarms from triggering in such scenarios, we can edit the alarm as below :
1)Disable the default Policy “SA Monitoring Policy”
2)Create a duplicate rule.
3)Enable the duplicate rule.
4)Edit it to set the threshold for “High Filesystem Usage” and set it to higher value or change the threshold time to a higher value.