ESA Config: Configure ESA Storage

Document created by RSA Information Design and Development on Oct 23, 2017. Last modified by RSA Information Design and Development on Jan 30, 2019.
Version 6

This topic explains how to configure the ESA database to maintain a healthy level of alerts. 

This procedure is optional. Administrators can specify a retention period for alerts. Deleting old alerts is a best practice to maintain the alerts database. Otherwise, the database could continue to grow and eventually have a negative impact on performance.

By default, the feature to automatically delete alerts is not enabled because each company has its own policies. This topic teaches you how to perform the following tasks:

  • Enable automatic deletion of alerts
  • Specify criteria to delete alerts
    • By database size
    • By alert age
    • By both database size and alert age

Configuration Parameters

The configuration parameters are as follows:

  • Enabled – Turns on the alert retention feature.
  • NextMaintenanceScheduledAt – (Read-only) When the next maintenance is scheduled to run.
  • HaveAlertForDays – (Read-only) Current number of days that alerts have been stored in the database. For example, if this number is checked on June 4th, and there were alerts generated every day from June 1st, then the value would be 4.
  • DatabaseDiskUsage – (Read-only) Current database size.
  • Schedule – Schedule for running the alert maintenance. The scheduling uses the UNIX Cron tab and must be specified in the correct Cron tab format. The default value is displayed in the procedure below. For more information on Cron scheduling, see
  • DatabaseDiskUsageLimitInMB – Database size threshold; when exceeded, alerts will be deleted.
  • Valid – Read-only parameter indicating whether the current configuration is valid.
  • DaysToDeleteWhenLimitExceeded – Number of days to remove when DatabaseDiskUsageLimitInMB is exceeded.
  • KeepAlertsForDays – Number of days to keep the alerts in the database before they are removed.


  • MaximumDispatchesPerWindow – Number of dispatches allowed inside a 'regulation window'. A value of 0 means unbounded dispatches.


Specifies the length of the regulation window (in seconds). After the first alert is dispatched, the system starts counting the alerts sent, and the counts are reset after the specified number of seconds. Within the window, if the number of alerts sent exceeds the value specified for MaximumDispatchesPerWindow, the system slows down, which delays the dispatches. The default value is 60 seconds.


Alerts are queued before they are dispatched. This attribute specifies the queue size. The default is 0 (unbounded queue). The queue size may increase if the maximum value is set too low, and when the queue is full, the alerts will be dropped.

Note: The ingest is not reduced, rather the alerts are dropped on the outbound side.
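The following added example (not RSA code) is a simplified per-second model of the regulation window and outbound queue described above, showing how a burst of alerts is delayed or dropped under different settings. The function name, its arguments and the burst data are assumptions made for illustration; the real dispatcher may pace alerts differently.

```python
def simulate_dispatch(arrivals_per_sec, max_per_window, window_sec=60, queue_size=0):
    """Simplified per-second model of the regulation window described above.

    arrivals_per_sec: alerts produced in each second (constructed input).
    max_per_window:   MaximumDispatchesPerWindow; 0 means unbounded dispatches.
    window_sec:       regulation window length in seconds (default 60).
    queue_size:       outbound queue size; 0 means an unbounded queue.
    """
    queued = sent = dropped = peak_queue = sent_in_window = 0
    window_start = None   # the window opens when the first alert is dispatched
    last_dispatch = None
    for t, arriving in enumerate(arrivals_per_sec):
        # Enqueue new alerts; a full bounded queue drops the overflow.
        room = queue_size - queued if queue_size > 0 else arriving
        accepted = min(arriving, room)
        dropped += arriving - accepted
        queued += accepted
        peak_queue = max(peak_queue, queued)
        # Counters reset once the window has elapsed.
        if window_start is not None and t - window_start >= window_sec:
            window_start, sent_in_window = None, 0
        # Dispatch up to what is left of this window's allowance.
        budget = queued if max_per_window == 0 else min(queued, max_per_window - sent_in_window)
        if budget > 0:
            if window_start is None:
                window_start = t
            sent += budget
            sent_in_window += budget
            queued -= budget
            last_dispatch = t
    return {"sent": sent, "dropped": dropped, "still_queued": queued,
            "peak_queue": peak_queue, "last_dispatch_sec": last_dispatch}


# Constructed burst: 30 alerts/second for 10 seconds, then 170 quiet seconds.
BURST = [30] * 10 + [0] * 170

if __name__ == "__main__":
    for label, kwargs in [
        ("unthrottled", dict(max_per_window=0)),
        ("100/window, unbounded queue", dict(max_per_window=100)),
        ("100/window, queue of 150", dict(max_per_window=100, queue_size=150)),
    ]:
        print(label, simulate_dispatch(BURST, **kwargs))
```

In this model the bounded queue loses 50 of the 300 alerts, while the unbounded queue delivers all of them but the last ones arrive about two minutes after they were raised.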


You must have Administrator permissions.


  1. Log on to Security Analytics as admin.
  2. In the Security Analytics menu, select Administration > Services.
  3. Select the ESA service, then View > Explore.
  4. On the left, select Alert > Storage > maintenance.
  5. In the Enabled field, select true to turn on the alert retention feature.
  6. Configure how you want to remove old alerts:
    • By database size – Enter the maximum database size in the DatabaseDiskUsageLimitInMB field. Specify how many days of the oldest alerts to delete in the DaysToDeleteWhenLimitExceeded field. For example, if you set the DatabaseDiskUsageLimitInMB value to 5120 MB and the DaysToDeleteWhenLimitExceeded value to 7, then when disk usage reaches 5120 MB and there are 10 days of alerts in the database, 7 days of alerts are deleted, starting with the oldest alert.
    • By alert age – Enter how many days of alerts must be retained in the KeepAlertsForDays field. For example, if you set the KeepAlertsForDays value to 10, 10 days of alerts are retained in the database and alerts older than 10 days are deleted.
    • By database size and alert age – If you configure both of these parameters, the parameter that deletes the higher number of days with alerts is used. For example, if the database has 15 days of alerts and you specify the following settings:
      - DatabaseDiskUsageLimitInMB: 5120 MB
      - DaysToDeleteWhenLimitExceeded: 7
      - KeepAlertsForDays: 10
      KeepAlertsForDays deletes only 5 days of old alerts and DatabaseDiskUsageLimitInMB deletes 7 days of old alerts. As a result, DatabaseDiskUsageLimitInMB is used for deleting old alerts.
  7. Schedule
    Use the Schedule parameter to tell the ESA how frequently to run the alert maintenance job (i.e. how frequently to check the database and apply the deletion rules). Use the syntax for a Cron schedule job. For more information on Cron scheduling, see
  8. Refresh the browser.
    • The date and time of the next maintenance run is displayed in the NextMaintenanceScheduledAt field.
    • In the Valid field, true is displayed to indicate the configuration is valid.
      If false is displayed, correct the disk size or alert age settings.
  9. (Optional) The maintenance status can also be monitored in the /opt/rsa/esa/logs/esa.log file on the ESA host, which will display messages similar to the example below.


2015-03-12 09:46:48,197 [Carlos@65dd6c04-56] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,121 [scheduler_Worker-1] INFO com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Starting the scheduled database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120}
2015-03-12 09:46:51,122 [Carlos@3801f0b3-58] INFO com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Scheduled a database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120} to run at 2/28/15 2:00 AM
2015-03-12 09:46:51,129 [Carlos@3801f0b3-58] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin
2015-03-12 09:46:51,133 [scheduler_Worker-1] INFO com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - Finished the database maintenance job, deleted 0 partitions, next run scheduled at 3/14/15 2:00 AM
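
Because these messages record who changed the retention settings and how much each run removed, they are worth watching as well as reading. The sketch below is an added example, not RSA code: it parses messages in the format shown above and lists the events an administrator would want to review. The function names, the `expected_admins` allowlist and the account `jsmith` are hypothetical, and it assumes esa.log holds each event on a single line.

```python
import re

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[[^\]]+\] \w+\s+\S+ -\s+(?P<msg>.*)$")
CHANGED = re.compile(r"^\w*StorageMaintenance changed by (?P<user>\S+)$")
STARTED = re.compile(r"^Starting the scheduled database maintenance job with policy \{(?P<kv>[^}]*)\}")
FINISHED = re.compile(r"deleted (?P<n>\d+) partitions, next run scheduled at (?P<next>.+)$")

def parse_maintenance_events(lines):
    """Turn esa.log lines into config_change / run_start / run_end events."""
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log record in the expected layout
        ts, msg = m["ts"], m["msg"]
        if (c := CHANGED.match(msg)):
            events.append({"ts": ts, "type": "config_change", "user": c["user"]})
        elif (s := STARTED.match(msg)):
            policy = {k: int(v) for k, v in (kv.split("=") for kv in s["kv"].split(", "))}
            events.append({"ts": ts, "type": "run_start", "policy": policy})
        elif (f := FINISHED.search(msg)):
            events.append({"ts": ts, "type": "run_end",
                           "deleted_partitions": int(f["n"]), "next_run": f["next"]})
    return events

def needs_review(events, expected_admins=("admin",)):
    """Retention changes by unexpected accounts, and runs that removed data."""
    return [e for e in events
            if (e["type"] == "config_change" and e["user"] not in expected_admins)
            or (e["type"] == "run_end" and e["deleted_partitions"] > 0)]

PREFIX = "[scheduler_Worker-1] INFO com.rsa.netwitness.core.alert.dispatch.SQLStorageMaintenance - "
SAMPLE = [
    # First three lines follow the page's example; the last three are constructed.
    "2015-03-12 09:46:48,197 [Carlos@65dd6c04-56] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by admin",
    "2015-03-12 09:46:51,121 " + PREFIX + "Starting the scheduled database maintenance job with policy {keepAlertForDays=30, maxDiskUsageInMb=5120}",
    "2015-03-12 09:46:51,133 " + PREFIX + "Finished the database maintenance job, deleted 0 partitions, next run scheduled at 3/14/15 2:00 AM",
    "2015-03-13 23:12:07,004 [Carlos@65dd6c04-61] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean - MongoStorageMaintenance changed by jsmith",
    "2015-03-14 02:00:00,310 " + PREFIX + "Starting the scheduled database maintenance job with policy {keepAlertForDays=1, maxDiskUsageInMb=5120}",
    "2015-03-14 02:00:01,872 " + PREFIX + "Finished the database maintenance job, deleted 4 partitions, next run scheduled at 3/15/15 2:00 AM",
]

if __name__ == "__main__":
    for event in needs_review(parse_maintenance_events(SAMPLE)):
        print(event)
```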
