This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcement Banner

Users are unable to open Netwitness Support Cases via email. Please open support cases via portal or by phone

View Details
  • NetWitness Community
  • Knowledge Base
  • Event Source Monitoring (ESM) Beta is alerting and can cause server issues with operating environmen...
  • Options
    • Subscribe to RSS Feed
    • Bookmark
    • Subscribe
    • Email to a Friend
    • Printer Friendly Page
    • Report Inappropriate Content

The content you are looking for has been archived. View related content below.

Event Source Monitoring (ESM) Beta is alerting and can cause server issues with operating environment in large RSA NetWitness deployments

Article Number

000001545

Applies To

RSA Product Set: RSA NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Event Source Monitoring (ESM)
RSA Version/Condition: 10.6.x, 11.0.x, 11.1.x

Issue

The RSA NetWitness Event Source Monitoring (ESM) feature is causing RSA NetWitness Head Unit server performance issues in large NetWitness deployments.

Symptoms on the RSA NetWitness Head Unit server include:
  • High memory usage (which can result in Health & Wellness alarms of "High Swap Utilization")
  • RSA NetWitness UI unavailability on port 443 due to the rsa-sms service crashing/becoming unresponsive

    NOTE: The rsa-sms service is a prerequisite of the jettysrv service.

  • High disk utilization on tokumx service volumes (e.g. /var/lib/netwitness/database/tokumx) due to large collection sizes in MongoDB

The following symptoms have also been reported in the RSA NetWitness 11.x user interface: (both may have other causes)
  • All hosts showing red status on the Admin > Health & Wellness > Monitoring tab (suggesting an issue with the rsa-sms service)
  • Large number of services showing as Offline in Admin > Services (suggesting that carlos is having trouble monitoring the service status)

Cause

This is caused by the ESM Alarms based on calculated baseline being enabled by default. (This feature is known as as ESM Automatic Monitoring.)
 
On large environments, a large amount of resources are required to create and maintain baseline data for automatic monitoring and notifications.  This is a beta feature at present and turning it off will ONLY turn off the advanced baselining and automatic alerting.
 
Features that are unaffected by disabling this include:
  • Regular ESM policy-based alerts
  • Health & Wellness policy-based alerting

Resolution

To resolve this issue you must disable ESM Automatic Monitoring and remove some of the large ESM collections in the MongoDB by performing the following steps:
  1. Disable the feature in RSA Security Analytics 10.x by navigating to the Administration > Event Sources > Settings tab and deselect all checkboxes as shown in the example below.

Notes

For RSA NetWitness 11.x and any 10.x hosts where the node id does not appear in the mco ping output, you may need to have the collectd service restarted manually using one of the commands below.
service collectd restart              # NW 10.X
systemctl restart collectd.service    # NW 11.X
Tags (12)
  • Customer Support Article
  • KB Article
  • Knowledge Article
  • Knowledge Base
  • NetWitness
  • NetWitness Platform
  • NW
  • RSA NetWitness
  • RSA NetWitness Platform
  • RSA Security Analytics
  • Security Analytics
  • SIEM
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 01:38 PM
Updated by:
Administrator nwinfotech Administrator

Related Content

Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.