
Alerting: Services Tab

Document created by RSA Information Design and Development Employee on Sep 12, 2017. Last modified by RSA Information Design and Development Employee on Nov 11, 2020.
Version 17

This topic provides an overview of the (Configure) > ESA Rules > Services tab. The Services tab shows the status of the deployments on each ESA service.

What do you want to do?

| Role | I want to ... | Show me how |
| --- | --- | --- |
| Content Expert | Troubleshoot Services Tab. | Troubleshoot ESA |
| Content Expert | View deployment Stats for an ESA Service. | View Stats for an ESA Service |

Quick Look

The following figure shows the Services tab:
[Figure: ESA Rules Services Tab]

(This option is available in NetWitness Platform version 11.3 and later.) If an ESA Correlation service has multiple deployments, under the service name, you will see a tab for each deployment. In the above example, there are two deployment tabs, Deployment A and Deployment B. Each tab displays information specific to that deployment.

The Services tab has the following sections:

  • ESA Services panel (on the left)
  • General Stats panel (top right)
  • Deployed Rule Stats panel (bottom right)

ESA Services Panel

The ESA Services panel lists the name of each ESA service added to NetWitness Platform.

[Figure: ESA Services panel showing the available ESA services]

General Stats Panel

The General Stats panel provides information on the Esper engine, rules, and alerts.

The General Stats panel contains the following sections:

  • Engine Stats 
  • Rule Stats
  • Alert Stats

The following figure shows the General Stats panel.
[Figure: General Stats Panel]

The following table lists and describes the parameters in each section.

| Section | Parameter | Description |
| --- | --- | --- |
| Engine Stats | Esper Version | Esper version running on the ESA service |
| Engine Stats | Time | Time when the last event was sent to Esper Engine |
| Engine Stats | Events Offered | Number of events processed by the ESA service since the last service start |
| Engine Stats | Offered Rate | The rate that the ESA service processes current events / The maximum rate that the ESA service processed events. |
| Engine Stats | Status | Shows the status of the deployment. A status of Active means that the deployment is active. A status of Inactive means that there was probably an error starting the deployment. Check the error log file for more information: /var/log/netwitness/correlation-server/correlation-server.log. |
| Rule Stats | Rules Enabled | Number of rules enabled |
| Rule Stats | Rules Disabled | Number of rules disabled |
| Rule Stats | Events Matched | Total number of events matched to all rules on the ESA service |
| Alert Stats | Notifications | The total number of notifications sent by email, SNMP, syslog, or script for the deployment. (ESA SNMP notifications are not supported in NetWitness Platform version 11.3 and later.) |
| Alert Stats | Message Bus | The total number of alerts sent to Respond for the deployment |

Deployed Rule Stats Panel

The Deployed Rule Stats panel provides details on the rules that are deployed on the ESA service.

The following figure shows the Deployed Rule Stats panel.

[Figure: Deployed Rule Stats Panel]

The following table lists the parameters in the view and their descriptions.

| Parameter | Description |
| --- | --- |
| Enable button | Enables a rule that was disabled. |
| Disable button | Disables a rule that was enabled. |
| Health & Wellness link | Enables you to monitor overall memory usage and health of your ESA Correlation service. |
| Enabled | Indicates whether the rule is enabled or disabled. A green circle icon indicates that the rule is enabled. A white circle icon indicates that the rule is disabled. If a disabled rule has an error message, an error icon appears in the Enabled field. Hover over the icon to view the error message tooltip. The following example shows that the rule was disabled because it exceeded the configured memory threshold for that rule. [Figure: Enabled column showing memory threshold error for disabled rule] |
| Name | Name of the ESA rule. |
| Rule Type | (This field applies to version 11.3 and later.) Endpoint indicates a rule from the Endpoint Risk Scoring Bundle and Esper indicates Esper-specific rules, such as Rule Builder and Advanced EPL rules. |
| Trial Rule | Indicates if the rule is running in trial rule mode. |
| Last Detected | The last time an alert was triggered for the rule. |
| Events Matched | The total number of events that matched the rule. |
| Memory Usage | The total amount of memory used by the rule. Note: The Endpoint Risk Scoring Rules Bundle rules do not show memory usage. |
| CPU % | The percentage of the deployment CPU used by the rule. For example, a deployment with 1 rule shows 100% CPU usage for that rule, and a deployment with two equally CPU-heavy rules shows 50% each. (This field is available in version 11.5 and later.) Note: The Endpoint Risk Scoring Rules Bundle rules do not show CPU usage. |
