ESA Config: Configure ESA Storage

Document created by RSA Information Design and Development on Mar 23, 2017Last modified by RSA Information Design and Development on Apr 14, 2017

This topic explains how to configure the ESA database to maintain a healthy level of alerts. 

This procedure is optional. Administrators can specify a retention period for alerts. Deleting old alerts is a best practice to maintain the alerts database. Otherwise, the database could continue to grow and eventually have a negative impact on performance.

By default, the feature to automatically delete alerts is not enabled because each company has its own policies. This topic teaches you how to perform the following tasks:

  • Enable automatic deletion of alerts
  • Specify criteria to delete alerts
    • By database size
    • By alert age
    • By both database size and alert age

Configuration Parameters

The configuration parameters are as follows:

  • Enabled – Turns on the alert retention feature.
  • NextMaintenanceScheduledAt – (Read-only) When the next maintenance run is scheduled.
  • HaveAlertForDays – (Read-only) Current number of days for which alerts have been stored in the database. For example, if this value is checked on June 4th and alerts were generated every day from June 1st, the value would be 4.
  • DatabaseDiskUsage – (Read-only) Current database size.
  • Schedule – Schedule for running the alert maintenance. Scheduling uses the UNIX Cron tab and must be specified in the correct Cron tab format. The default value is displayed in the procedure below. For more information on Cron scheduling, see http://www.cronmaker.com.
  • DatabaseDiskUsageLimitInMB – Database size threshold; when exceeded, alerts are deleted.
  • Valid – (Read-only) Indicates whether the current configuration is valid.
  • DaysToDeleteWhenLimitExceeded – Number of days of alerts to remove when DatabaseDiskUsageLimitInMB is exceeded.
  • KeepAlertsForDays – Number of days to keep alerts in the database before they are removed.

Prerequisites

You must have Administrator permissions.

Procedure

  1. Log on to Security Analytics as admin.
  2. In the Security Analytics menu, select Administration > Services.
  3. Select the ESA service, then  View > Explore.
  4. On the left, select Alert > Storage > maintenance.
  5. In the Enabled field, select true to turn on the alert retention feature.
  6. Configure how you want to remove old alerts:
  • By database size – Type the maximum database size in DatabaseDiskUsageLimitInMB. Then type how many days of the oldest alerts to delete in DaysToDeleteWhenLimitExceeded. For example, when disk usage reaches 5120 MB, delete the oldest 7 days of alerts.
  • By alert age – All alerts older than KeepAlertsForDays are deleted.

Note: For Security Analytics 10.4.1 and below, you must use KeepAlertsForDays. You cannot use DatabaseDiskUsageLimitInMB.

  • By database size and alert age – If you configure both parameters, whichever rule deletes the greater number of days is used.
  7. Schedule
    Use the Schedule parameter to tell the ESA how frequently to run the alert maintenance job (that is, how often to check the database and apply the deletion rules). Use Cron schedule syntax. For more information on Cron scheduling, see http://www.cronmaker.com.
  8. Refresh the browser.
  • The date and time of the next maintenance run are displayed in the NextMaintenanceScheduledAt field.
  • In the Valid field, true is displayed to indicate that the configuration is valid.
    If false is displayed, correct the disk size or alert age settings.
  9. (Optional) The maintenance status can also be monitored in the /opt/rsa/esa/logs/esa.log file on the ESA host, which displays messages similar to the example below.
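
The following is an added example, not RSA's code, that models the retention rules above so that an administrator can reason about what a maintenance run will remove before enabling the feature. The parameter names mirror the Explore view; how ESA itself computes the Valid field is not documented here, so the validity checks in is_valid are an assumption based on the advice to correct the disk size or alert age settings when Valid is false.

```python
"""Added example (not RSA's code): a model of the ESA alert-retention rules
described in this topic.

Parameter names mirror the Explore view (Enabled, KeepAlertsForDays,
DatabaseDiskUsageLimitInMB, DaysToDeleteWhenLimitExceeded, HaveAlertForDays,
DatabaseDiskUsage). The validity rules in is_valid are an assumption; the
topic only says to fix the disk size or alert age settings when Valid is false.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MaintenanceConfig:
    enabled: bool = False
    keep_alerts_for_days: Optional[int] = None                # KeepAlertsForDays
    disk_usage_limit_in_mb: Optional[int] = None              # DatabaseDiskUsageLimitInMB
    days_to_delete_when_limit_exceeded: Optional[int] = None  # DaysToDeleteWhenLimitExceeded


def is_valid(cfg: MaintenanceConfig) -> bool:
    """Assumed validity rules: every configured value must be a positive
    integer, the size rule needs both of its parameters, and at least one
    rule must be configured when the feature is enabled."""
    size_rule = (cfg.disk_usage_limit_in_mb, cfg.days_to_delete_when_limit_exceeded)
    for value in (cfg.keep_alerts_for_days, *size_rule):
        if value is not None and value <= 0:
            return False
    if any(v is not None for v in size_rule) and not all(v is not None for v in size_rule):
        return False  # size limit without a deletion amount, or vice versa
    if cfg.enabled and cfg.keep_alerts_for_days is None and size_rule[0] is None:
        return False  # enabled, but no rule to apply
    return True


def days_to_delete(cfg: MaintenanceConfig, have_alert_for_days: int,
                   database_disk_usage_mb: int) -> int:
    """Number of days of the oldest alerts one maintenance run would remove.

    By alert age: everything older than KeepAlertsForDays goes, so the run
    removes (HaveAlertForDays - KeepAlertsForDays) days.
    By database size: once DatabaseDiskUsage exceeds the limit, the run
    removes DaysToDeleteWhenLimitExceeded days.
    Both configured: the rule that deletes more days wins, as the topic states.
    """
    if not cfg.enabled or not is_valid(cfg):
        return 0
    by_age = 0
    if cfg.keep_alerts_for_days is not None:
        by_age = max(0, have_alert_for_days - cfg.keep_alerts_for_days)
    by_size = 0
    if (cfg.disk_usage_limit_in_mb is not None
            and database_disk_usage_mb > cfg.disk_usage_limit_in_mb):
        by_size = cfg.days_to_delete_when_limit_exceeded or 0
    return max(by_age, by_size)


if __name__ == "__main__":
    # Constructed scenario: both rules configured, 45 days of alerts stored,
    # database at 6000 MB against a 5120 MB limit.
    cfg = MaintenanceConfig(enabled=True, keep_alerts_for_days=30,
                            disk_usage_limit_in_mb=5120,
                            days_to_delete_when_limit_exceeded=7)
    print("Valid:", is_valid(cfg))
    print("Days to delete:", days_to_delete(cfg, have_alert_for_days=45,
                                            database_disk_usage_mb=6000))
```

In the constructed scenario the age rule would remove 15 days and the size rule 7, so the run removes 15 days. On Security Analytics 10.4.1 and below only the age rule is available, which corresponds to leaving the two size-rule fields unset.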

Example

2015-03-12 09:46:48,197 [Carlos@65dd6c04-56] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean -
MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,121 [scheduler_Worker-1] INFO
 com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Starting the scheduled database maintenance
job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120}
2015-03-12 09:46:51,122 [Carlos@3801f0b3-58] INFO
 com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Scheduled a database maintenance job with
policy {keepAlertForDays=30, maxDiskUsageInMb=5120} to run at 2/28/15 2:00 AM
2015-03-12 09:46:51,129 [Carlos@3801f0b3-58] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean -
MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,133 [scheduler_Worker-1] INFO
 com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Finished the database maintenance job,
deleted 0 partitions, next run scheduled at 3/14/15 2:00 AM
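
To monitor the maintenance job from esa.log rather than from the Explore view, the following added example (not RSA's code) parses records in the format shown above and summarizes configuration changes, the policy in force, completed runs, and runs that started without a matching "Finished" record. The sample records are constructed to match the message formats in the excerpt; real esa.log records occupy one line each, and the wrapping seen above is page layout only.

```python
"""Added example (not RSA's code): summarize alert-maintenance activity from
esa.log records such as the ones shown in this topic."""
import re
from typing import Optional

# Constructed sample records, following the message formats shown in the topic.
SAMPLE_LOG = """\
2015-03-12 09:46:48,197 [Carlos@65dd6c04-56] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,121 [scheduler_Worker-1] INFO com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Starting the scheduled database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120}
2015-03-12 09:46:51,122 [Carlos@3801f0b3-58] INFO com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Scheduled a database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120} to run at 2/28/15 2:00 AM
2015-03-12 09:46:51,129 [Carlos@3801f0b3-58] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,133 [scheduler_Worker-1] INFO com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Finished the database maintenance job, deleted 0 partitions, next run scheduled at 3/14/15 2:00 AM
"""

# One esa.log record: timestamp, [thread], level, logger, " - ", message.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$")
POLICY = re.compile(r"policy \{keepAlertForDays=(\d+), maxDiskUsageInMb=(\d+)\}")
FINISHED = re.compile(
    r"Finished the database maintenance job, deleted (\d+) partitions, "
    r"next run scheduled at (.+)$")
CHANGED = re.compile(r"MongoStorageMaintenance changed by (\S+)")


def summarize_maintenance(log_text: str) -> dict:
    """Walk esa.log records and report who changed the maintenance config,
    the policy in force, each completed run, and how many runs started
    without a matching 'Finished' record (a sign the job did not complete)."""
    summary = {
        "config_changes": [],  # (timestamp, user) per MongoStorageMaintenance change
        "policy": None,        # {"keepAlertForDays": n, "maxDiskUsageInMb": n}
        "runs": [],            # completed runs with start/finish/deleted/next_run
        "incomplete_runs": 0,
    }
    pending: Optional[dict] = None  # a 'Starting' record awaiting its 'Finished'
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue  # not in the expected record format; skip it
        ts, msg = rec.group("ts"), rec.group("msg")
        changed = CHANGED.search(msg)
        if changed:
            summary["config_changes"].append((ts, changed.group(1)))
            continue
        if not rec.group("logger").endswith("SQLStorageMaintenance"):
            continue
        policy = POLICY.search(msg)
        if policy:
            summary["policy"] = {"keepAlertForDays": int(policy.group(1)),
                                 "maxDiskUsageInMb": int(policy.group(2))}
        if msg.startswith("Starting the scheduled database maintenance job"):
            if pending is not None:
                summary["incomplete_runs"] += 1  # previous start never finished
            pending = {"started": ts}
            continue
        finished = FINISHED.search(msg)
        if finished:
            summary["runs"].append({
                "started": pending["started"] if pending else None,
                "finished": ts,
                "deleted_partitions": int(finished.group(1)),
                "next_run": finished.group(2).strip(),
            })
            pending = None
    if pending is not None:
        summary["incomplete_runs"] += 1
    return summary


if __name__ == "__main__":
    for key, value in summarize_maintenance(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A run that repeatedly reports "deleted 0 partitions" while DatabaseDiskUsage keeps growing suggests the thresholds are set too high; a non-zero incomplete_runs count means the job started but never logged completion, which is worth investigating on the ESA host.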
