ESM: Remove Idle Event Sources

Document created by RSA Information Design and Development on Sep 12, 2018
Version 1

Periodically, you may want to update your set of event sources, and remove ones that are no longer being used. You can use the Idle Time parameter to do this.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.2 and later.

To remove idle event sources:

  1. Go to ADMIN > Event Sources.
  2. In the Manage panel, click  .

    The Create an Event Group dialog is displayed.

  3. Fill in the name and description as you like, and add a condition that uses the Idle Time parameter, as shown here:

    In this example, we have set the condition to identify event sources that have been idle for at least 60 days.

  4. Save the new group, then select it in the Groups panel.
  5. Select some or all event sources in the group. The following screen shows all event sources from this group selected.

  6. In the Event Sources panel, click the delete icon to delete the selected idle event sources.

    A confirmation message appears:

  7. Click Delete Now to confirm your intention to delete the selected event sources.

If, in the future, an event source that has been removed sends logs, a new event source will be created.
