|Applies To||RSA Product Set: NetWitness|
RSA Product/Service Type: SA Event Source Monitoring
RSA Version/Condition: 10.6.1.1
|Issue||The RSA NetWitness Event Source Monitoring (ESM) Beta is alerting and can cause server issues with the operating environment in large deployments|
This is caused by a new automatic alerting feature. The feature is currently in beta, and turning it off will ONLY turn off the advanced baselining and automatic alerting; regular ESM policy-based alerts will still work as usual (this issue does not affect SMS policy-based alerting). Leaving it on, on the other hand, will cause all sorts of memory stability issues (given the number of resources needed to create and maintain baseline data for automatic monitoring and notifications), and the kernel may keep invoking the OOM killer to kill processes because the system runs out of swap space.
|Cause||This is caused by the ESM alerting being enabled by default.|
|Resolution||To resolve the issue,|
The baseline aggregation collections may come back in Mongo (get re-created); however, the automatic monitoring should remain disabled and the collections will not have any data in them.