Alerting: View Memory Metrics for Rules Using Trial Mode

Document created by RSA Information Design and Development on Jun 26, 2017Last modified by RSA Information Design and Development on Sep 14, 2017
Version 2Show Document
  • View in full screen mode
  

This topic tells ESA rule writers how to view memory metrics when the memory threshold configured for trial rules is exceeded.  If the memory threshold is exceeded, you can configure a snapshot to be taken of the memory usage for ESA rules at the time that trial rules are disabled, allowing you to investigate memory usage and edit the rules to be more efficient.

When you configure trial rules and enable the Memory Snapshot feature, if the memory threshold is exceeded, all trial rules are disabled and a snapshot of the memory usage for all ESA rules is taken at the time of disablement. This allows you to see how much memory was used so that you can modify your ESA rules to be more efficient. The memory snapshot can be viewed in the Health & Wellness System Stats browser, so you will need permissions to access this module. Once you view the details in the System Stats browser, you can modify the trial rule syntax and re-enable the trial rules.

At a high level, you will need to complete the following steps to use the Memory Snapshot to troubleshoot memory usage for rules:

  1. Enable trial rules for any new rules you deploy. See Deploy Rules as Trial Rules.
  2. Ensure that you have configured Health & Wellness ESA policies to send an email if memory thresholds are exceeded.
  3. Ensure you have the correct permissions to view the Health & Wellness module. For information on roles and  permissions, see Role Permissions.
  4. Ensure that the Memory Snapshot feature is enabled (via the EnabledCaptureSnapshot parameter via SA Explorer). The Memory Snapshot feature is disabled by default. See "Enabling and Disabling the Memory Snapshot Feature" below.  RSA recommends you disable the feature once you have completed testing new rules.
  5. View the memory threshold statistics in Health & Wellness if the memory threshold is triggered for trial rules.
  6. Modify the rule or rules that triggered the alarm. For best practices for rule writing, see Best Practices.
  7. Re-enable the trial rules that were disabled when the memory threshold was triggered. For instructions on re-enabling trial rules on a service, see View ESA Stats and Alerts.
  8. Continue to test the trial rules. 

Note: Like any Debug tool, there can be exceptional overhead associated with using the Memory Snapshot feature. When actively taking a snapshot, the Memory Snapshot feature can add delays to your ESA services. The ESA service stops generating alerts while taking a snapshot. RSA recommends you disable the feature once you have completed testing new rules. If you disable the Memory Snapshot feature, trial rules will still be disabled when memory usage exceeds configured thresholds, but the memory snapshot will not be taken, and the statistics will not appear in the Health & Wellness System Stats browser.

Prerequisites

These are the requirements for viewing memory metrics:

  • One or more ESA rules must be configured as a trial rule.
  • Memory Snapshot must be enabled (via the EnabledCaptureSnapshot parameter via SA Explorer).
  • The user must have the appropriate permissions to view Health & Wellness statistics. 
  • The user must have configured the ESA Health & Wellness policy to send an email when memory thresholds are exceeded.

Procedures

View Memory Metrics

  1. In the Security Analytics menu, go to Administration > Health & Wellness > System Stats Browser.
  2. For component, select Event Stream Analysis. For category, enter ESA-Metrics

HW-Mem_metrics.png

The name of the rule is displayed in the Subitem field, and the memory usage is displayed in the Value column. 

Note: The Last Update field reflects when Health & Wellness polls ESA. However, the Memory Snapshot only occurs when memory thresholds are exceeded, so this field does not reflect when the snapshot was taken or updated. The snapshot remains static until the memory threshold is exceeded again. For example, if the memory threshold is exceeded on 10/10/15 at 12 p.m., but Health & Wellness polls at 10/10/15 at 3 p.m., the Last Update field will display a date of 10/10/15 3 p.m. 

Enable or Disable the Memory Snapshot Feature

  1. In the Security Analytics menu, go to Administration Services and select your ESA. 
  2. Once you've selected your ESA, click on Actions > View> Explore, and navigate to CEP Metrics as shown below. 

    Enable_Mem_Snapshot.png
  3. Change the field EnabledCaptureSnapshot to true or false depending on whether you want to enable or disable the Memory Snapshot feature. 
You are here
Table of Contents > Work with Trial Rules > View Memory Metrics for Rules Using Trial Mode

Attachments

    Outcomes