Alerting: Services Tab

Document created by RSA Information Design and Development on Sep 12, 2017•Last modified by RSA Information Design and Development on Jan 30, 2020

Version 13Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

This topic provides an overview of the Configure > ESA Rules > Services tab. The Services tab shows the status of the deployments on each ESA service.

What do you want to do?

Role	I want to ...	Show me how
Content Expert	Troubleshoot Services Tab.	Troubleshoot ESA
Content Expert	View deployment Stats for an ESA Service.	View Stats for an ESA Service

Quick Look

The following figure shows the Services tab:

(This option is available in NetWitness Platform version 11.3 and later.) If an ESA Correlation service has multiple deployments, under the service name, you will see a tab for each deployment. In the above example, there are two deployment tabs, Deployment A and Deployment B. Each tab displays information specific to that deployment.

The Services tab has the following sections:

ESA Services panel (on the left)
General Stats panel (top right)
Deployed Rule Stats panel (bottom right)

ESA Services Panel

The ESA Services panel lists the name of each ESA service added to NetWitness Platform.

General Stats Panel

The General Stats panel provides information on the Esper engine, rules, and alerts.

The General Stats panel contains the following sections:

Engine Stats
Rule Stats
Alert Stats

The following figure shows the General Stats panel.

The following table lists and describes the parameters in each section.

Sections	Parameter	Description
Engine Stats	Esper Version	Esper version running on the ESA service
	Time	Time when the last event was sent to Esper Engine
	Events Offered	Number of events processed by the ESA service since the last service start
	Offered Rate	The rate that the ESA service processes current events / The maximum rate that the ESA service processed events.
	Status	Shows the status of the deployment. A status of Active means that the deployment is active. A status of Inactive means that there was probably an error starting the deployment. Check the error log file for more information: /var/log/netwitness/correlation-server/correlation-server.log.
Rule Stats	Rules Enabled	Number of rules enabled
	Rules Disabled	Number of rules disabled
	Events Matched	Total number of events matched to all rules on the ESA service
Alert Stats	Notifications	The total number of notifications sent by email, SNMP, syslog, or script for the deployment. (ESA SNMP notifications are not supported in NetWitness Platform version 11.3 and later.)
Alert Stats	Message Bus	The total number of alerts sent to Respond for the deployment

Deployed Rule Stats Panel

The Deployed Rule Stats panel provides details on the rules that are deployed on the ESA service.

The following figure shows the Deployed Rule Stats panel.

The table lists the various parameters in the view and their description.

Parameters	Description
	Enables a rule that was disabled.
	Disables a rule that was enabled.
Health & Wellness link	Enables you to monitor overall memory usage and health of your ESA Correlation service.
Enable	Indicates whether the rule is enabled or disabled. A green circle icon indicates that the rule is enabled. A white circle icon indicates that the rule is disabled.
Name	Name of the ESA rule.
Rule Type	(This field applies to version 11.3 and later.) Endpoint indicates a rule from the Endpoint Risk Scoring Bundle and Esper indicates Esper-specific rules, such as Rule Builder and Advanced EPL rules.
Trial Rule	Indicates if the rule is running in trial rule mode.
Last Detected	The last time alert was triggered for the rule.
Events Matched	The total number of events that matched the rule.
Memory Usage	The total amount of memory used by the rule. Note: The Endpoint Risk Scoring Rules Bundle rules do not show memory usage.