000033628 - Usage of metadb/sessiondb/packetdb/indexdb sometimes grows beyond 95% in RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 4, 2016Last modified by RSA Customer Support on Apr 15, 2019
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033628
Applies ToRSA Product Set: RSA Security Analytics 
RSA Product/Service Type: Packet Decoder, Log Decoder, Concentrator, Archiver
RSA Version/Condition: 10.4.x,10.5.x,10.6.x and 11.x
Platform: CentOS
O/S Version: EL6 and EL7
IssueBy default, database configuration is set in a way that once metadb/sessiondb/packetdb/indexdb reaches 95%, the data roll over should start.
Sometimes it has been observed that roll over doesn't take place exactly at 95% and we get below alarm on SA :
“High Filesystem Usage” 
ResolutionThe usage of metadb/sessiondb/packetdb/indexdb which even if grows beyond the configured size is a normal scenario as long as the rollover is occurring automatically before the filesystem fills, it is functioning as designed.

As rollover is not that precise and rollover is only active once the usage exceeds the specified size threshold, and only is activated periodically, rather than instantaneously.

So, it seems rollover starts periodically and in that meantime DB grows more than 95%.

So, we can ignore “High Filesystem Usage” alarms as the functionality and services are not affected. 

To stop the alarms from triggering in such scenarios, we can edit the alarm as below :
  1. Disable the default Policy “SA Monitoring Policy” 
  2. Create a duplicate rule. 
  3. Enable the duplicate rule. 
  4. Edit it to set the threshold for “High Filesystem Usage” and set it to a higher value or change the threshold time to a higher value.