2016-10-04 04:48 AM
Hello Everyone
I could see some strange behavior in H&W policies. I need to know the answers to the queries below:
1. How do the H&W policies defined get converted into alerts?
2. When we enable the policies for hosts, log collectors, decoders and concentrators, the disk utilization is high (df -h), and the alerts are not coming/seen even after 30 minutes of enabling the policy.
3. How can I troubleshoot further without taking the SA service down or causing any performance impact?
When I tail the logs on the SA Head, this is what it shows:
Oct 4 08:19:18 collectd[5760]: Dispatched may be failing behind: took 229 seconds
Oct 4 08:19:18 collectd[5760]: ESMAggregator: Dispatched 592240 stats (in 5923 messages) and 592240 rrd stats in 229 seconds
What's the role of ESMAggregator, and how can I differentiate the logs that are related to event source monitoring from those related to H&W monitoring?
Please advise.
Thanks in advance !
Regards
Pranav
2016-10-10 06:02 PM
Pranav,
Based on your questions I highly suggest reviewing these SA Doc pages as they should help provide the answers you are looking for.
Health and Wellness - RSA Security Analytics Documentation
Troubleshooting Health & Wellness - RSA Security Analytics Documentation
Since you are not seeing messages for some time and the ESMAggregator is saying that it is running behind, I'm not surprised that you aren't seeing messages for 30 minutes. The ESMAggregator has to do with the Event Source Monitor. It is pulling collectd messages from the log decoders to bubble up results into the Health and Wellness Event Source Monitoring area. I would assume that the message bus being used by the ESM and the monitoring policies is the same. If they are using the same bus, I'm not sure you will be able to tell the difference between the different types of logs with the current logging; it may require debug, which would fill your log partitions up very quickly on the NetWitness UI server.
I hope this information helps.
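As an added example (not code from the original thread, from RSA, or from the answer above): a small Python parser that splits collectd lines tailed on the SA head into ESMAggregator throughput lines, the "falling behind" dispatcher warning, and everything else, and flags dispatch times over a threshold. The line format is taken from the two lines quoted in the question; the additional sample lines and the 60-second default threshold are constructed assumptions, not documented Security Analytics values.

```python
"""Classify collectd log lines from the SA head and flag a lagging dispatcher."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog-style prefix written by collectd, e.g. "Oct 4 08:19:18 collectd[5760]: ..."
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"collectd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# ESMAggregator throughput line, shape taken from the question.
ESM_RE = re.compile(
    r"^ESMAggregator: Dispatched (?P<stats>\d+) stats \(in (?P<msgs>\d+) messages\) "
    r"and (?P<rrd>\d+) rrd stats in (?P<secs>\d+) seconds$"
)
# Dispatcher warning from the question; both spellings accepted in case of a typo.
BEHIND_RE = re.compile(
    r"^Dispatched may be (?:failing|falling) behind: took (?P<secs>\d+) seconds$"
)


@dataclass
class CollectdEvent:
    ts: str
    pid: int
    kind: str            # "esm_throughput", "dispatch_behind", or "other"
    message: str
    stats: Optional[int] = None
    msgs: Optional[int] = None
    rrd: Optional[int] = None
    secs: Optional[int] = None

    @property
    def stats_per_sec(self) -> Optional[float]:
        """Throughput of one ESMAggregator dispatch cycle, None if not applicable."""
        if self.stats is None or not self.secs:
            return None
        return self.stats / self.secs


def parse_line(line: str) -> Optional[CollectdEvent]:
    """Return a CollectdEvent, or None for lines not written by collectd."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts, pid, msg = m.group("ts"), int(m.group("pid")), m.group("msg")
    e = ESM_RE.match(msg)
    if e:
        return CollectdEvent(ts, pid, "esm_throughput", msg,
                             int(e["stats"]), int(e["msgs"]), int(e["rrd"]), int(e["secs"]))
    b = BEHIND_RE.match(msg)
    if b:
        return CollectdEvent(ts, pid, "dispatch_behind", msg, secs=int(b["secs"]))
    return CollectdEvent(ts, pid, "other", msg)


def summarize(lines: List[str], max_dispatch_secs: int = 60) -> Dict[str, object]:
    """Count line kinds and flag the worst dispatch time against a threshold.

    max_dispatch_secs=60 is an assumed threshold for this example, not an SA default.
    """
    events = [ev for ev in (parse_line(l) for l in lines) if ev is not None]
    esm = [ev for ev in events if ev.kind == "esm_throughput"]
    behind = [ev for ev in events if ev.kind == "dispatch_behind"]
    worst = max((ev.secs for ev in esm + behind if ev.secs is not None), default=0)
    return {
        "esm_lines": len(esm),
        "behind_warnings": len(behind),
        "other_lines": len(events) - len(esm) - len(behind),
        "worst_dispatch_secs": worst,
        "over_threshold": worst > max_dispatch_secs,
        "esm_stats_per_sec": [round(ev.stats_per_sec, 1) for ev in esm],
    }


# Constructed sample: the first two lines are the ones quoted in the question,
# the rest are made up to exercise the other branches.
SAMPLE_LOG = [
    "Oct 4 08:19:18 collectd[5760]: Dispatched may be failing behind: took 229 seconds",
    "Oct 4 08:19:18 collectd[5760]: ESMAggregator: Dispatched 592240 stats (in 5923 messages) and 592240 rrd stats in 229 seconds",
    "Oct 4 08:24:30 collectd[5760]: ESMAggregator: Dispatched 4800 stats (in 48 messages) and 4800 rrd stats in 12 seconds",
    "Oct 4 08:24:31 collectd[5760]: Initialization complete, entering read-loop.",
    "Oct 4 08:24:32 sshd[1234]: Accepted publickey for root from 10.0.0.5",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pipe `tail -f` output from the SA head into `parse_line` to watch the `worst_dispatch_secs` figure; a dispatch cycle that takes longer than the collection interval means ESM results, and anything sharing that bus, will arrive late, which is consistent with the 30-minute gap described in the question.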