ESM: Negative Policy Numbering

Document created by RSA Information Design and Development on Nov 21, 2016. Last modified by RSA Information Design and Development on Feb 27, 2017.
Version 2

You may see negative numbers in the Order field in the Groups section of the Monitoring Policies tab. This topic describes a workaround to restore the correct numbering scheme for your policies.

Details

The following screen shows an example in which the order numbers of group policies have become negative.

esm_policy_neg.png

If you encounter this situation, drag and drop the top group (All Unix Event Source(s) in the above image) to after the last group (Ciscoasa_Alarm14417). This restores normal, ordinal numbering. You can then continue to drag and drop groups until you have them in their proper order for your organization.

Clean Up Duplicate Messages

  1. Stop collectd on Security Analytics and Log Decoders:

    service collectd stop

  2. Remove the ESM Aggregator persisted file on Security Analytics:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.

    1. Navigate to the Log Decoder REST interface at http://<LD_IP_Address>:50102
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel from the Event Sources Manage tab, select all event sources and then click - to remove them.