You must configure a database for the Incident Management service before the service can be used. The ESA installation creates and secures a database instance for the Incident Management service. Select one of the ESA servers to act as the database host for the Incident Management service.
Considerations for Choosing the Host for ESA Database
This topic applies if you enable cross-site correlation in ESA.
In ESA, cross-site correlation allows you to create a deployment that includes one set of rules and multiple ESA services. These are the main features of a cross-site correlation deployment:
- There is one central ESA service.
- When you deploy rules, ESA services forward relevant events to the central ESA.
- The central ESA runs the rules and generates alerts.
If you enable cross-site correlation, consider the following factors when you choose which ESA to use with Incident Management:
- Choose an ESA service that is co-located with Security Analytics to limit latency for access to MongoDB.
- Choose the ESA that gets the least traffic.
Note: Do not choose the central ESA because it ingests its own traffic and receives forwarded events from other ESA services.
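The following Python script is an added example, not part of the RSA documentation or product. It applies the considerations above by dropping the central ESA from the candidate list and ranking the remaining ESA hosts by TCP connect time to the MongoDB port (27017, the default port listed in the database settings on this page). It assumes it is run from the Security Analytics server, the host names are constructed placeholders, and it does not measure the "least traffic" criterion.

```python
import socket
import time

MONGO_PORT = 27017  # default IM database port given on this page


def connect_latency(host, port=MONGO_PORT, attempts=3, timeout=2.0):
    """Median TCP connect time in milliseconds, or None if the port is unreachable."""
    samples = []
    for _ in range(attempts):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                samples.append((time.perf_counter() - start) * 1000.0)
        except OSError:
            continue  # refused, timed out, or the name did not resolve
    if not samples:
        return None
    samples.sort()
    return samples[len(samples) // 2]


def rank_candidates(candidates, central_esa, port=MONGO_PORT, probe=connect_latency):
    """Return (ranked, rejected): ranked is [(host, ms)] lowest first, rejected is [(host, reason)]."""
    ranked, rejected = [], []
    for host in candidates:
        if host.lower() == central_esa.lower():
            rejected.append((host, "central ESA"))  # never a database host candidate
            continue
        latency = probe(host, port)
        if latency is None:
            rejected.append((host, "port %d unreachable" % port))
        else:
            ranked.append((host, latency))
    ranked.sort(key=lambda item: item[1])
    return ranked, rejected


if __name__ == "__main__":
    # Constructed host names (assumptions); replace with your own ESA hosts.
    central = "esa-central.example.internal"
    hosts = [central, "esa-site1.example.internal", "esa-site2.example.internal"]
    ranked, rejected = rank_candidates(hosts, central_esa=central)
    for host, ms in ranked:
        print("%-32s %.1f ms" % (host, ms))
    for host, reason in rejected:
        print("%-32s skipped: %s" % (host, reason))
```

A host reported as unreachable on port 27017 would also fail as the Host value in the database settings, so resolve that before configuring the service.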
By default, cross-site correlation is not enabled. To enable cross-site correlation, you must consult with RSA Professional Services to take part in the Cross-Site Correlation Field Trial Program.
Ensure that an ESA host is installed and configured.
To configure a database for the Incident Management service:
- In the Security Analytics menu, select Administration > Services.
  The Services view is displayed.
- In the Services panel, select the Incident Management service, and then select View > Explore.
  The Services Explore view is displayed.
- In the options panel, select Service > Configuration > database.
  The database view is displayed in the right side panel.
- Provide the following information:
  - Host – The hostname or IP address of the ESA host selected as the database host
  - DatabaseName – im (this is the default value)
  - Port – 27017 (this is the default value)
  - Username – The username for the user account for the IM database (ESA creates an im user with the right privileges)
  - Password – The password you selected for the im user
- Restart the Incident Management service using the following command.
  service rsa-im restart
Note: Restarting the Incident Management service is important for the database configuration to be complete.