Services TabServices Tab
This topic provides an overview of the (Configure) > ESA Rules > Services tab. The Services tab shows the status of the deployments on each ESA service.
What do you want to do?What do you want to do?
|Role||I want to ...||Show me how|
|Content Expert||Troubleshoot Services Tab.||Troubleshoot ESA|
|Content Expert||View deployment Stats for an ESA Service.||View Stats for an ESA Service|
Related TopicsRelated Topics
Quick LookQuick Look
The following figure shows the Services tab:
(This option is available in NetWitness version 11.3 and later.) If an ESA Correlation service has multiple deployments, under the service name, you will see a tab for each deployment. In the above example, there are two deployment tabs, Deployment A and Deployment B. Each tab displays information specific to that deployment.
The Services tab has the following sections:
- ESA Services panel (on the left)
- General Stats panel (top right)
- Deployed Rule Stats panel (bottom right)
ESA Services PanelESA Services Panel
The ESA Services panel lists the name of each ESA service added to NetWitness.
General Stats PanelGeneral Stats Panel
The General Stats panel provides information on the Esper engine, rules, and alerts.
The General Stats panel contains the following sections:
- Engine Stats
- Rule Stats
- Alert Stats
The following figure shows the General Stats panel.
The following table lists and describes the parameters in each section.
|Engine Stats||Esper Version||Esper version running on the ESA service|
|Time||Time when the last event was sent to Esper Engine|
|Events Offered||Number of events processed by the ESA service since the last service start|
|Offered Rate||The rate that the ESA service processes current events / The maximum rate that the ESA service processed events.|
|Status||Shows the status of the deployment. A status of Active means that the deployment is active. A status of Inactive means that there was probably an error starting the deployment. Check the error log file for more information: /var/log/netwitness/correlation-server/correlation-server.log.|
|Rule Stats||Rules Enabled||Number of rules enabled|
|Rules Disabled||Number of rules disabled|
|Events Matched||Total number of events matched to all rules on the ESA service|
|Alert Stats||Notifications||The total number of notifications sent by email, SNMP, syslog, or script for the deployment. (ESA SNMP notifications are not supported in NetWitness Platform version 11.3 and later.)|
|Message Bus||The total number of alerts sent to Respond for the deployment|
Deployed Rule Stats PanelDeployed Rule Stats Panel
The Deployed Rule Stats panel provides details on the rules that are deployed on the ESA service.
The following figure shows the Deployed Rule Stats panel.
The table lists the various parameters in the view and their description.
|Enables a rule that was disabled.|
|Disables a rule that was enabled.|
|Health & Wellness link||Enables you to monitor overall memory usage and health of your ESA Correlation service.|
Indicates whether the rule is enabled or disabled.
If a disabled rule has an error message, it shows in the Enabled field. Hover over the icon to view the error message tooltip. The following example shows that the rule was disabled because it exceeded the configured memory threshold for that rule.
|Name||Name of the ESA rule.|
|Rule Type||(This field applies to version 11.3 and later.) Endpoint indicates a rule from the Endpoint Risk Scoring Bundle and Esper indicates Esper-specific rules, such as Rule Builder and Advanced EPL rules.|
|Trial Rule||Indicates if the rule is running in trial rule mode.|
|Last Detected||The last time alert was triggered for the rule.|
|Events Matched||The total number of events that matched the rule.|
|Memory Usage||The total amount of memory used by the rule.
Note: The Endpoint Risk Scoring Rules Bundle rules do not show memory usage.
|CPU %||The percentage of the deployment CPU used by the rule. For example, a deployment with 1 rule shows 100% CPU usage for that rule and a deployment with two equally CPU heavy rules show 50% each. (This field is available in version 11.5 and later.)
Note: The Endpoint Risk Scoring Rules Bundle rules do not show CPU usage.