2018-04-03 02:02 AM
Hello all,
We're using RSA SA version 10.6.0.0.22075-5 and we need to remove decommissioned servers from log collection or event source monitoring. How do we remove the powered-off servers in the RSA console?
2018-04-03 09:18 AM
I've moved your question to the https://community.rsa.com/community/products/netwitness?sr=search&searchId=842b9d0e-15b9-4f92-be73-4f60a1fc31b2&searchIndex=0 space so it will be seen by our TSEs and other customers.
Please be sure to bookmark this space so you can use it the next time you have a question for our NetWitness team.
Regards,
Erica
2018-04-03 10:41 AM
If the servers are decommissioned, they should not be sending events to the system anymore.
If your question is how to remove the artifacts from Event Sources/Health and Wellness so they are no longer listed and don't create idle alarms, then you can delete the entries using the groups function in Event Sources.
Admin > Event Sources > Manage
Create a group that collects the assets that you want to remove from the ESM DB.
Select all the items with the checkbox.
Click the delete icon.
That should remove the systems from ESM and the Health and Wellness section after a short period of time so they no longer alert for idle devices.
Log collection requires that you remove the host from any pull configuration created (where that is and what configs need to be removed depends on the source: file collection, Windows collection, SQL collection, etc.). If the system was sending via syslog, then no action should be necessary, as that is a client-side push.
2018-04-05 01:50 AM
Thanks much Eric!