This topic tells ESA rule writers how to view memory metrics when the memory threshold configured for trial rules is exceeded. If the memory threshold is exceeded, you can configure a snapshot to be taken of the memory usage for ESA rules at the time that trial rules are disabled, allowing you to investigate memory usage and edit the rules to be more efficient.
When you configure trial rules and enable the Memory Snapshot feature, if the memory threshold is exceeded, all trial rules are disabled and a snapshot of the memory usage for all ESA rules is taken at the time of disablement. This allows you to see how much memory was used so that you can modify your ESA rules to be more efficient. The memory snapshot can be viewed in the Health & Wellness System Stats browser, so you will need permissions to access this module. Once you view the details in the System Stats browser, you can modify the trial rule syntax and re-enable the trial rules.
At a high level, you will need to complete the following steps to use the Memory Snapshot to troubleshoot memory usage for rules:
- Enable trial rules for any new rules you deploy. See Deploy Rules as Trial Rules.
- Ensure that you have configured Health & Wellness ESA policies to send an email if memory thresholds are exceeded.
- Ensure you have the correct permissions to view the Health & Wellness module. For information on roles and permissions, see Role Permissions.
- Ensure that the Memory Snapshot feature is enabled (via the EnabledCaptureSnapshot parameter via SA Explorer). The Memory Snapshot feature is disabled by default. See "Enabling and Disabling the Memory Snapshot Feature" below. RSA recommends you disable the feature once you have completed testing new rules.
- View the memory threshold statistics in Health & Wellness if the memory threshold is triggered for trial rules.
- Modify the rule or rules that triggered the alarm. For best practices for rule writing, see Best Practices.
- Re-enable the trial rules that were disabled when the memory threshold was triggered. For instructions on re-enabling trial rules on a service, see View ESA Stats and Alerts.
- Continue to test the trial rules.
These are the requirements for viewing memory metrics:
- One or more ESA rules must be configured as a trial rule.
- Memory Snapshot must be enabled (via the EnabledCaptureSnapshot parameter via SA Explorer).
- The user must have the appropriate permissions to view Health & Wellness statistics.
- The user must have configured the ESA Health & Wellness policy to send an email when memory thresholds are exceeded.
View Memory Metrics
- In the Security Analytics menu, go to Administration > Health & Wellness > System Stats Browser.
- For component, select Event Stream Analysis. For category, enter ESA-Metrics.
The name of the rule is displayed in the Subitem field, and the memory usage is displayed in the Value column.
Enable or Disable the Memory Snapshot Feature
- In the Security Analytics menu, go to Administration > Services and select your ESA.
- Once you've selected your ESA, click on Actions > View> Explore, and navigate to CEP Metrics as shown below.
- Change the field EnabledCaptureSnapshot to true or false depending on whether you want to enable or disable the Memory Snapshot feature.