ESA 11.3 falling sessions behind
We are experiencing ESA sessions behind with 11.3+ ESA and would like to seek the advice of the community on how to handle the issue. You can see a previous thread covering 10.6 here: https://community.rsa.com/message/929061
Following the RSA guide to reset position tracking does not help (mongo collections do not show up): https://community.rsa.com/docs/DOC-106061
Restarting ESA+Concentrators does not help due to high EPS+Backlog; re-adding the Concentrator as a source does not help due to cached position tracking.
Previously you could disable position tracking in case you have huge backlog, but this option is not there in 11.3: https://community.rsa.com/docs/DOC-75214
Does anyone know how to disable position tracking in 11.3, or do you have to do it via Mongo every time?
Also, has anyone tried to force ESA to read historical events so as not to re-inject them by hand? If you have several ESAs, while you reset position on one of them you could read the backlog via a forged last sessionid on the second one so as not to lose historical use case triggers.
We have identified a few issues in 11.2.x and 11.3.x which impact ESA deployments and have been fixed in 18.104.22.168+. What I would like to recommend at this point is to ensure that:
- You are running 22.214.171.124 or higher.
- Parity across deployments - everything is upgraded to 126.96.36.199 or higher and not running in mix-mode.
- Check metrics on rules to triage and understand if any are having high CPU utilization.
- Optimize rules to avoid use of toLowerCase().
We don't have a way to disable position tracking, but we have steps to manipulate position tracking to catch up on backlog, but that would be recommended only after the above steps are completed. If you are still seeing the issue, please contact support and we will be happy to help troubleshoot this further, including assisting you with options to churn through the backlog sessions.