This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Delete more quantity of alerts

AntonioTeixeira
Beginner
Beginner

‎2018-07-11 01:06 PM

Hello, I would like to eliminate all the alerts activated by a specific rule, I have around 100.000, when I try to eliminate only can delete 900 alerts of each time, any idea of how to eliminate a greater quantity?

0 Likes
9 REPLIES 9

someone
Contributor
Contributor

‎2018-07-12 04:48 AM

Are these alerts from ESA or Reporting Engine?

0 Likes

PedroQueiros
Beginner
Beginner
In response to someone

‎2018-07-12 07:31 AM

From ESA, I think.

 

Is it possible to delete them directly from the MongoDB, using a client?

0 Likes

someone
Contributor
Contributor
In response to PedroQueiros

‎2018-07-12 08:04 AM

Yes, you can use esatool for that. Not for v11.x though, only up to 10.6.x.

000032358 - Event Stream Analysis troubleshooting script (ESATool) for the RSA NetWitness Platform 

0 Likes

PedroQueiros
Beginner
Beginner
In response to someone

‎2018-07-16 04:43 AM

Hm, ok, but we're using v11.x.

 

I'll try to delete using MongoDB directly.

 

Thank you for all your replies.

0 Likes

someone
Contributor
Contributor
In response to PedroQueiros

‎2018-07-16 05:33 AM

OK, in that case it will not work for 11.x as they are using a pure implementation of mongo as opposed to 10.6.x that used tokumx. 

If you are unsure or need help, you should raise it with Support.

0 Likes

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2018-07-16 01:22 PM

Since you're on 11, the command to access mongo and the appropriate DB and Collection to delete alerts directly will be a bit different than in 10.x.

 

You'll want to be SSH'd into the ESA when you run the commands, which will look like:

 

# mongo admin -u deploy_admin -p 'your_deploy_admin_password'
> use respond-server
> db.alert.remove({'originalHeaders.name' : 'the name of your alert' })

 

Or a bash one-liner:

 

echo -e 'use respond-server\ndb.alert.remove({"originalHeaders.name":"the name of your alert"})' | mongo admin -u deploy_admin -p your_deploy_admin_password

 

e.g.:

 

pastedImage_11.png

 

pastedImage_12.png


Mr. Mongo
0 Likes

RenatoGoncalves
Beginner
Beginner

‎2019-02-01 02:14 PM

I have an alert that keeps firing even after the deletion in the UI tab of ESA rules...

 

I´ve use the commands above and eliminated the alert but it still keeps firing....what can i do to eliminate for good the alert?

0 Likes

someone
Contributor
Contributor
In response to RenatoGoncalves

‎2019-02-05 07:16 AM

There might be an issue with Synchronization of the rules. So ESA might think that one rule is enabled when its not, but it could be a result because that was not updated. You should raise a case for that.

0 Likes

RenatoGoncalves
Beginner
Beginner
In response to someone

‎2019-02-05 01:11 PM

Thanks Marinos,

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.