Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

ESM: Negative Policy Numbering

Document created by RSA Information Design and Development Employee on Sep 6, 2017Last modified by RSA Information Design and Development Employee on Sep 8, 2020
Version 19Show Document
  • View in full screen mode

You may see negative numbers in the Order field in the Groups section of the Monitoring Polices tab. This topic describes a workaround to restore the correct numbering scheme for your policies.


The following screen shows an example of the situation where the numbers of group policies become negative.


If you encounter this situation, drag and drop the top group (All Unix Event Source(s) in the above image) to after the last group (Ciscoasa_Alarm14417). This restores normal, ordinal numbering. You can then continue to drag and drop groups until you have them in their proper order for your organization.

Clean Up Duplicate Messages

  1. Stop collectd on NetWitness Platform and Log Decoders:

    Service collectd stop

  2. Remove the ESM Aggregator persisted file on NetWitness Platform:

    rm /var/lib/netwitness/collectd/ESMAggregator

  3. Reset the Log Decoder.

    1. Navigate to the Log Decoder REST, at http://<LD_IP_Address>:50102
    2. Click decoder(*) to view the properties for the decoder.
    3. In the Properties drop-down menu, select reset, then click Send.
  4. In the Event Sources panel from the Event Sources Manage tab, select all event sources and then click - to remove them.

Previous Topic:Import File Issues
You are here
Table of Contents > Troubleshooting/Appendix > Negative Policy Numbering