How do I clear down a backlog of alerts in UCF
We currently have an issue whereby a large backlog of events/alerts from NetWitness is queued up in the UCF component of our Archer Services server. This is preventing new incidents from being raised in SecOps and adversely affecting our visibility. I have amended the collector-config.properties file to limit the number of alerts aggregated into each incident, but this has not improved the situation. The UCF service has also been restarted.
Does anyone know a way of clearing down this queue, as the backlog is largely made up of false positives?
Many thanks for any help provided.
Thanks Christopher, I have already raised a Sev1 ticket with RSA but they appear to be struggling to find a solution, currently waiting for a call back.
Just posted this on the off chance that somebody else had experienced the same issue.
ISTD IT Security – SOC Systems Support|TS-04 B-C| Infrastructure Services | Information Service & Technology Division
Bank of England |Threadneedle Street | London EC2R 8AH | +44 (0)203 461 4012| Mob : 07801 581497
The Archer Support team doesn't typically deal with NetWitness or the UCF, but there are a few excellent folks on the team with SecOps knowledge and experience. Most of the team is CST and I imagine your issue will get picked up as quickly as possible.
Hi Rishabh, thanks for the reply. We are currently running UCF version 184.108.40.206 and as far as I know are utilising SAIM in our setup.
I'm unable to open the link; it says I'm unauthorized. But to clear the backlog, you should be able to delete the cache files present in the cache folder on your UCF server if you think that the files contain only redundant incidents. These cache files contain the incident details which are pushed from NetWitness to Archer. Before deleting, you can choose to take a backup of these cache files.
Stop the UCF services.
Replace the cache file SyslogMessageQueue.data with a file of the same name which doesn't have anything in it.
Drive:\Program files\RSA unified connector framework\SA IM Integration service\Data collector\cache
Before replacing SyslogMessageQueue.data, take a copy of the existing file as a backup. Create a file with the same name and extension in a different location, then copy and paste that file over the existing file in Drive:\Program files\RSA unified connector framework\SA IM Integration service\Data collector\cache
Restart the UCF services.
Con: you will lose all the events yet to be created in Archer.
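The procedure above (stop the service, back up the queue file, replace it with an empty file, restart) as one PowerShell script, added here as an illustration and not taken from the original post or from RSA. The service name, the install drive and the backup folder are assumptions; confirm the real service name with Get-Service on the UCF host and adjust the cache path to your installation before running it from an elevated prompt.

```powershell
# Added example, not from the original post. Names below are assumptions:
# verify the service name with Get-Service and the cache path on your UCF host.
$ServiceName = 'RSA Unified Collector Framework'   # assumed service name
$CacheDir    = 'C:\Program Files\RSA Unified Connector Framework\SA IM Integration Service\Data Collector\cache'  # assumed drive/casing
$QueueFile   = Join-Path $CacheDir 'SyslogMessageQueue.data'
$BackupDir   = 'C:\UCF-backup'                      # assumed backup location

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. Stop the UCF service and wait until it has really stopped, so nothing
#    still holds the queue file open when we replace it.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))
}

# 2. Back up the existing queue file (timestamped) before touching it.
if (-not (Test-Path -LiteralPath $QueueFile)) {
    throw "Queue file not found: $QueueFile"
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "SyslogMessageQueue.data.$stamp.bak"
Copy-Item -LiteralPath $QueueFile -Destination $backup
$before = (Get-Item -LiteralPath $QueueFile).Length
Write-Host ("Backed up {0} bytes to {1}" -f $before, $backup)

# 3. Replace the queue file with a zero-byte file of the same name.
#    New-Item -Force overwrites the existing file with an empty one.
New-Item -ItemType File -Path $QueueFile -Force | Out-Null
if ((Get-Item -LiteralPath $QueueFile).Length -ne 0) {
    throw "Queue file was not emptied: $QueueFile"
}

# 4. Restart the service and confirm it came back up.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
Write-Host "UCF service running again; queue cleared. Backup kept at $backup"
```

The script refuses to continue if the queue file is missing or was not actually truncated, and it keeps the timestamped backup so the queued (mostly false-positive) events can still be inspected offline. As the answer notes, everything in the queue that had not yet been turned into an Archer incident is discarded by this step.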