NW Health Issues
Recently I was given the task of ensuring that NW runs smoothly.
I was viewing some documentation from the community and saw:
Verification of the 95% threshold
To ensure that the NW database directory sizes are configured with the correct 95% threshold, in the Security Analytics UI:
- Go to the Security Analytics service Explore view, right-click on Properties and select reconfig.
- In the parameters field, type Update=0 and click Send. The response output will check the host storage and attached storage, and automatically calculates what the 95% threshold is.
- When you type Update=1 and click Send, the response output displays the same response as in the previous step, but when you refresh the Explore view, you will see that the session, meta, and packet database directory sizes have been updated to 95% of the current available storage.
- Restart the Concentrator or Decoder service for the changes to take effect.
As I'm using version 11, I don't know where to go. Is it Admin - Services and then in the Concentrator select Config? If so, where do I put Update=0?
These options are in the Explore menu:
Under the /database and /index nodes, you can select "config" to see what the current settings for each db are (session.dir and meta.dir under /database/config; and index.dir under /index/config):
You can run through the steps listed in your question by right-clicking on the /database and /index nodes, selecting "Properties", and in the frame that opens at the bottom of the page select "reconfig" and enter your commands in the "Parameters" box:
Hope this helps.
Thanks for all the help you've been giving me over time.
One thing I noticed is that there have been a few changes in the boards. For example: when I try to see if the ESA MongoDB is 5GB, according to the documentation I should be doing: Administration - Services - ESA Event Stream Analysis - View - Explore - Alert - Storage and Maintenance, but we do not have the option Storage:
Is it in any way trustworthy to follow https://community.rsa.com/docs/DOC-78965#Log ?
Since you have much more experience than I do in monitoring health for NW, may I ask you a question?
Is it usual for the IIS to send large chunks of events in a 5H window and smaller ones until it reaches a 5H difference?
As you can see it's giving us a bigger number of events (32,000 as maximum) and then for 5 hours it only gives us 28, 4, 5 events, as you can see in the pictures.
Is it normal? Where can I see if it's a configuration problem or if it is normal according to the configuration that was made by our log decoder/collector admins?
IIS is normally a file collection deployment, so the logs will be sent on a scheduled basis from the IIS server(s). So if your interval to send logs is 5 hours, then that's what you will see.
Check the guide to see where the configs are for the integration and verify the reporting interval.
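To tell a scheduled file pickup (large chunk that also carries old events, as described in the reply above) from a genuine collection gap, one can bucket events by ingest time and look at how far each bucket's events lag behind their own timestamps. The script below is an added illustration, not code from the thread or from RSA; the event data is constructed (a 4-events-per-hour live trickle plus one pickup at 15:00 carrying everything written since 10:00), and the 75% share and 1-hour lag thresholds are hypothetical starting points.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_events():
    """Constructed sample (event_time, ingest_time) pairs, not data from the thread:
    a live trickle of 4 events per hour, plus one scheduled file pickup at 15:00
    that delivers every line IIS wrote since the previous pickup at 10:00."""
    base = datetime(2024, 1, 1, 10, 0)
    events = []
    for h in range(6):                       # 10:00 .. 15:00
        for m in (5, 20, 35, 50):
            t = base + timedelta(hours=h, minutes=m)
            events.append((t, t + timedelta(seconds=1)))   # ingested ~immediately
    pickup = base + timedelta(hours=5)       # 15:00 scheduled collection
    for i in range(300):
        written = base + timedelta(minutes=i)               # spans 10:00 .. 14:59
        events.append((written, pickup))                    # all arrive at once
    return events

def delivery_profile(events, bucket=timedelta(hours=1)):
    """Group events by ingest-time bucket.
    Returns {bucket_start: (event_count, max_lag_seconds)} in time order,
    where lag is how old an event already was when the Log Decoder received it."""
    counts = defaultdict(int)
    max_lag = defaultdict(float)
    for event_time, ingest_time in events:
        start = ingest_time - (ingest_time - datetime.min) % bucket
        counts[start] += 1
        lag = (ingest_time - event_time).total_seconds()
        max_lag[start] = max(max_lag[start], lag)
    return {k: (counts[k], max_lag[k]) for k in sorted(counts)}

def looks_like_scheduled_pickup(profile, share=0.75, min_lag=timedelta(hours=1)):
    """True when a single bucket holds most of the events AND that bucket contains
    events much older than their ingest time: the signature of batch file
    collection rather than a source that stopped logging (hypothetical thresholds)."""
    total = sum(count for count, _ in profile.values())
    _, (peak_count, peak_lag) = max(profile.items(), key=lambda kv: kv[1][0])
    return peak_count / total >= share and peak_lag >= min_lag.total_seconds()

if __name__ == "__main__":
    for start, (count, lag) in delivery_profile(make_sample_events()).items():
        print(f"{start:%H:%M}  events={count:4d}  oldest_event_lag={lag / 3600:.1f}h")
    print("scheduled pickup?", looks_like_scheduled_pickup(delivery_profile(make_sample_events())))
```

Feed it real (event time, ingest time) pairs exported from the Log Decoder and compare the peak bucket's lag with the interval set in the IIS collection configuration; a match means the chunks are expected behaviour.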
We were thinking that but just needed confirmation from the person responsible for the log collector installation and from someone who has much more experience, like you.
Thanks for the reply and the help.
Not sure I understand your question; IIS logs can be gathered by RSA using the following method:
You should be able to change the polling and delivery interval to suit your needs.
We followed the document and set it to every 60 seconds, but the events are divided into big chunks every hour and other events arrive in a live perspective. We thought that the chunk of events was happening at that point, but after analysis we found that it contains present and past events.