Article Number
000001471
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness Logs & Network Server, Incident Management
RSA Version/Condition: 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6
Issue
The RSA Incident Management (IM) service becomes unresponsive while loading a large number of alerts.
In the NetWitness UI, under Incidents > Alerts, while a large number of alerts is loading the screen becomes unavailable and the error message "Unexpected Error: Timer already canceled" is displayed.
After logging in to the appliance that runs the Incident Management service, you may find that the service is no longer running when you check it with the command:
service rsa-im status
RSA Security Analytics Incident Management:: Server is not running.
Cause
This happens when the Time Range "All Data" is selected in the NetWitness UI under Incidents > Alerts while there is a large number of alerts in the Incident Management MongoDB database.
Resolution
To prevent this condition, configure the Incident Management (IM) service to delete alerts and incidents older than a set number of days, to limit the number of alerts in the NetWitness Incident Management MongoDB database:
- Log in to the NetWitness UI.
- In the main menu, select Incidents > Configure.
- Click the Retention Scheduler tab.
- Click the Enable data retention scheduler checkbox to enable it.
- In the Retain alerts and incidents for field, set the number of days either by selecting a value from the dropdown list or by typing a numeric value.
- Click Apply.
Workaround
Reset the time range in Incident Management to avoid the timeout error message.
- Verify that the IM service is running by using the command:
service rsa-im status
If the service is not running, manually start the service using the command:
service rsa-im start
- Log in to the NetWitness UI, and from the main menu, select Dashboard.
- At the top of the page next to Default Dashboard, click the edit pad with the pencil icon, and then click Add Dashlet.
- In the Type dropdown, select "Incident Queue Activity", limit the Time Range to a small value such as "Last 1 Hour", and then click Add.
- Verify that the Incident Queue Activity dashlet loads and displays the alert, incident and remediation counts for the selected time range.
- Click a displayed "Total # of Alerts", "Total # of Incidents", or "Total # of Remediation" count to open the Incidents window with a limited amount of data. The Incidents > Alerts page should open with the custom Time Range of "1 hour" inherited from the dashlet instead of "All Data".
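The first workaround step (check whether rsa-im is running and start it only if it is not) is easy to automate for a monitoring job. The following script is an added example and is not part of the RSA article or product; it assumes the status text quoted above ("Server is not running.") is the phrase to match, and the SERVICE_CMD variable is an assumption that lets the check be exercised with a stand-in command instead of the real `service` binary.

```shell
#!/bin/sh
# Added example, not RSA's own code: check the Incident Management service
# and start it only when the status output reports it is not running.
# SERVICE_CMD is an assumption so the logic can be exercised offline;
# on the appliance it defaults to the real `service` command.
SERVICE_CMD="${SERVICE_CMD:-service}"

# Return 0 when the rsa-im status text reports a running server, 1 otherwise.
# The "Server is not running" phrase is the one quoted in the article.
im_is_running() {
    status_text="$1"
    case "$status_text" in
        *"Server is not running"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Query the service and start it only if needed, so the check is safe to
# run repeatedly from cron without restarting a healthy service.
ensure_im_running() {
    status_text=$("$SERVICE_CMD" rsa-im status 2>&1)
    if im_is_running "$status_text"; then
        echo "rsa-im already running"
        return 0
    fi
    echo "rsa-im not running, starting it"
    "$SERVICE_CMD" rsa-im start
}

# Usage on the appliance (root): ./check-rsa-im.sh
# ensure_im_running
```

Run it from a cron entry on the IM appliance; because it only calls `service rsa-im start` after a negative status check, a healthy service is never restarted and the retention scheduler described in the Resolution is still the actual fix for the timeout.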