Troubleshoot ESATroubleshoot ESA
This section describes common issues that may occur while using ESA, and it suggests common solutions to these problems.
Troubleshoot ESA Correlation ServicesTroubleshoot ESA Correlation Services
| Problem | Possible Causes | Solutions |
|---|---|---|
|
On the NetWitness Platform Dashboard, the ESA service appears in red to indicate it is offline. In the |
Several |
When an ESA Correlation service is offline, there are many possible causes. However, a common issue is that you have created a rule that uses excessive memory and causes the ESA service to fail. To troubleshoot this problem, see Steps to Troubleshoot Memory Issues with an ESA Service Offline. Other common causes might be that your firewall is blocking the connection between the ESA and NetWitness Platform, or the ESA Correlation service machine may be down. To bring up ESA Services: Go to If your ESA service is stopping and restarting in a loop, you may need to call Customer Support to get the services to start. |
|
On the NetWitness Platform Dashboard, the ESA service appears in red to indicate it is offline. In the |
Configuration issues |
If your system has been recently upgraded, you may have made a configuration error. Go to |
| Suddenly, an ESA Correlation service is completely unresponsive and appears to have crashed. The ESA Correlation Log file shows a Too Many Open Files error. | Connectivity issues |
The most likely cause for this error is a connectivity issue between the ESA Correlation service and a data source used in an ESA rule deployment, such as a Concentrator or Decoder.
For example: Error: com.rsa.netwitness.streams. If there are network connectivity issues, fix the issues and then restart the ESA Correlation service again to see if it fixes the problem. If you have a data source with intermittent connectivity, you should remove it from the ESA rule deployment. |
Troubleshoot RSA Live Rules for ESATroubleshoot RSA Live Rules for ESA
| Problem | Possible Causes | Solutions |
|---|---|---|
| I imported a group of rules from RSA Live, and now my ESA service is crashing. Why? | You may not have configured the parameters for the RSA Live rule to tune it for your environment. |
Each rule in RSA Live has a description that includes the parameters you must configure and prerequisites for your environment. Review this description to see if the rule is appropriate for your environment. To ensure that you deploy rules safely in your environment, configure new rules as trial rules to test them in your environment. Trial rules add a safeguard for testing new rules. For details on this, see Deploy Rules as Trial Rules. |
|
I imported a group of rules from RSA Live, and while the rules deployed without errors, they were later disabled. |
Not all RSA Live rules are meant for every environment. You may not have the correct meta in your ESA for the rule to run. |
You can verify that a rule was disabled by going to If a rule deployed correctly but was disabled, check the logs for exceptions related to the rule. Specifically, check to see if the rules were disabled due to missing meta. To do this, go to the ESA Correlation logs. You can use SSH to get in the system and go to: /var/log/netwitness/correlation-server/correlation-server.log. Then, search for a message similar to the following: "Property named ‘<meta_name>' is not valid in any stream" For example, you might see: Failed to validate filter expression '(medium=1 and streams=2 or medium=3...(238 chars)': Property named 'tcp_flags_seen' is not valid in any stream If a similar message displays, you may need to add a custom meta key to the Log Decoder or Concentrator. To do this, follow these instructions: "Create Custom Meta Keys Using Custom Feed" in the Decoder and Log Decoder Configuration Guide. |
Troubleshoot ESA RulesTroubleshoot ESA Rules
| Problem | Possible Causes | Solutions |
|---|---|---|
|
I have an ESA rule that is not getting deployed and is not creating alerts. |
A meta key that the rule uses is a string array type, but it shows as a string type on ESA. |
Check to see if any string array meta keys that the rule uses are configured as string array types on ESA. Go to
In the ESA Correlation service Explore view, go to correlation/stream. Add string array meta keys to the multi-valued list to allow them to be used as an array in ESA rules. Go back to the Meta Key References and click the refresh icon ( |
|
I set up notifications for a rule, but we are not receiving them. The correlation-server.log file does not show any errors. Why? |
Correlation-server successfully sent the notification messages to integration-server, but when integration-server tried to send the notifications to their destination, it failed. |
When troubleshooting notifications, check both the ESA Correlation service log files (/var/log/netwitness/correlation-server/correlation-server.log) AND the Integration-Server log files on the NetWitness Server (/var/log/netwitness/integration-server/integration-server.log). For an example, see Integration-Server SMTP Notification Error Example. Note: For any notification-related troubleshooting, check the integration-server log file in addition to the log file of the service creating the notification. |
|
I created a rule with an enrichment, added an SMTP notification, and deployed my rule. We are not receiving SMTP notifications. Why? |
You do not have a template that met the criteria to parse the events. |
Check the ESA Correlation service log files to see if the SMTP notification failed: /var/log/netwitness/correlation-server/correlation-server.log. For more details on the notification error, check the Integration-Server log file on the NetWitness Server (also known as Node 0, Admin server, or NWServer): /var/log/netwitness/integration-server/integration-server.log. If you use an ESA rule that has an enrichment, such as a Context Hub list, you must create a custom template. You can duplicate a default template and adjust it for your enrichment. See SMTP Notification Error Example below for a notification error example. For information on creating a custom ESA template, see "Define a Template for ESA Alert Notifications" in the System Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues. |
| I created a custom rule (via the Rule Builder or Advanced EPL), and my rule is not firing. Why? | You may have connectivity issues. |
Check the Offered Rate statistic on the If the Offered Rate is zero, then the ESA service is not receiving data from Concentrators. Check the ESA Correlation log files for connectivity issues: /var/log/netwitness/correlation-server/correlation-server.log. If the offered rate is not zero, the meta key name and type used in the rule likely doesn't match the meta key present in events. Check to see if the meta key name and type used in the rule is valid by searching for the meta key name in |
| I created a custom rule (via the Rule Builder or Advanced EPL), and my rule is not firing. Why? | There may be a problem with the rule. |
If a specific rule is not firing, go to You can also check Events Matched field. Go to If no events matched, check the logic of your rule for errors. For example, check the syntax for uppercase and lowercase errors, and check the time window. If the rule still doesn't fire, consider simplifying the logic of the rule to see if it fires when there is less complexity. |
| After a recent upgrade, I am not seeing alerts and I am seeing disabled rules. | There may be a problem with the ESA rule deployment. |
Deploy the ESA rule deployments again. Create a Deployment steps in the Live Services Management Guide provides more information on deploying rules using the ESA Correlation service. If this does not resolve the issue, check the ESA Correlation log files for more information: /var/log/netwitness/correlation-server/correlation-server.log. |
|
After an update or upgrade to 11.3.0.2 or later, if I try to make an adjustment to some rules, I get an error when trying to save them. |
The Ignore Case option may be selected for a meta key that does not contain alphabetic values, such as IP address. |
In NetWitness Platform 11.3.0.2 and later, the Ignore Case option has been removed from the ESA Rule Builder - Build a Statement dialog for meta keys that do not contain text values. Adding Ignore Case on meta keys which do not contain alphabetic values causes additional processing to occur for no added benefit. In the ESA Rule Builder - Build a Statement dialog, check to see if you have any meta keys that do not contain alphabetic characters, for example, ip_src and ip_dst. If you do, clear the Ignore Case checkbox for those meta keys and try to save the rule again. |
| After an upgrade to 11.3.0.2 or later, I see a warning message in the ESA Correlation service log file showing a difference between the multi-valued and default-multi-valued parameter meta key values. Why? | You do not have the required meta keys on ESA Correlation that the Endpoint, UEBA, and Live content rules need to work. | If you want to use the latest Endpoint, UEBA, and Live content rules, add the necessary meta keys to the multi-valued and single-valued parameter fields. For detailed information and instructions, see "Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys" in the ESA Configuration Guide. For example warning messages, see Example ESA Correlation Server Warning Message for Missing Meta Keys. |
| Meta keys marked as sensitive for data privacy are still included in notifications and alerts for some rules. | In ESA rules that do not select every piece of meta from the session (that is, using select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work. |
The following steps apply to all released versions of NetWitness 11.3 and later. In 11.4 and later, you do not need to follow these steps for data privacy. However, you need to follow these steps if you want to enable the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view.
To do this, see Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id. For NetWitness 11.4 and later, to resolve the data privacy issue, see How to Remove Sensitive Meta Keys Globally from All Alerts. |
|
The Pivot to Investigate > Navigate link does not work in a context tooltip accessed from Respond. |
In ESA rules that do not select every piece of meta from the session (that is, using select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work. |
For NetWitness 11.3 and later (including 11.4), see Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id. |
| I added a data source filter to the data sources in my ESA rule deployment. It was working fine and then all of a sudden, I stopped receiving alerts. | If there are any adjustments to an application rule on the Decoders that are mapped to the data sources used in your data source filter, the filter does not work for that rule since the application rule used in the filter no longer exists. |
The optional data source filter is available in NetWitness 11.5 and later. If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed. |
|
I added a data source filter to the data sources in my ESA rule deployment and I see an "Invalid header size" error while communicating with Core services in the ESA Correlation log file. |
You are filtering out a large portion of the traffic and less sessions match the aggregation criteria. |
In the Explore view node list for an ESA Correlation service, select correlation > stream. Decrease the max-sessions parameter from 10,000 to a lower session count and restart the ESA Correlation service. For step-by-step instructions, see . |
| I created a rule using a Context Hub list and it was working properly, but suddenly, the rule stopped firing and ESA is not processing any rules. | If a Context Hub list that is used by ESA Correlation is renamed or deleted, ESA will not be able to access the list and may halt processing for all rules. |
Do not rename or delete a Context Hub list that is used in a deployed ESA rule. ESA Correlation will also not be able to access a Context Hub list if you delete it and then add it again with the same name while the rule is deployed. If you rename a Context Hub list or recreate the Context Hub list with the same name, update the ESA rules that use that Context Hub list, and then redeploy the ESA rule deployments that contain those rules. |
SMTP Notification Error ExampleSMTP Notification Error Example
The following SMTP notification error example is an excerpt from a correlation-server.log file, which shows an error message for sending notifications with unsupported templates. In this example, there is a rule that is configured with the GeoIP enrichment, which has a hash table as one of its fields (the GeoIPLookup meta). Because the default SMTP template is only designed to deal with metas that are either singular values or arrays that contain only singular values, such as "ip.src":"1.1.1.1" and "action":["fw:inbound-network-traffic"], sending the email notification fails due to the array containing a hash table.
FTL stack trace ("~" means nesting-related):
- Failed at: ${value!""} [in template "smtp.ftl" in macro "value_of" at line 1, column 152]
- Reached through: @value_of metadata[key] [in template "smtp.ftl" at line 85, column 141]
----
...
For "${...}" content: Expected a string or something automatically convertible to string (number, date or boolean), or "template output" , but this has evaluated to an extended_hash (LinkedHashMap wrapped into f.t.DefaultMapAdapter):
==> value!"" [in template "smtp.ftl" at line 1, column 154]
Integration-Server SMTP Notification Error ExampleIntegration-Server SMTP Notification Error Example
The following SMTP notification error example is an excerpt from an integration-server.log file, which shows a failure when the Integration-server attempts to send an email notification to the email notification server. In this case, you should check the email notification server configuration in the Global Notifications settings ( 
2019-10-09 18:53:42,015 [-SMTP-5c45c867e4b03b89a49b78ba] WARN Notification|SMTP dispatch failed (Reason: Sending the email to the following server failed : email.server.com:25)
2019-10-09 18:53:42,100 [-SMTP-5c45c867e4b03b89a49b78ba] WARN SystemOperation|Failed to forward ResolvedNotification{server=5c45c867e4b03b89a49b78ba, destination=5c45c854e4b03b89a49b78b9, content-length=30681}
java.lang.IllegalArgumentException: org.apache.commons.mail.EmailException: Sending the email to the following server failed : email.server.com:25
Example ESA Correlation Server Warning Message for Missing Meta KeysExample ESA Correlation Server Warning Message for Missing Meta Keys
If you see a warning message in the ESA Correlation server error logs for missing multi-valued meta keys, there is a difference between the default-multi-valued parameter and multi-valued parameter meta key values, and the new Endpoint, UEBA, and Live content rules will not work. The same is true for missing single-valued meta keys. Completing the "Update the Multi-Valued and Single-Valued Parameter Meta Keys for the latest Endpoint, UEBA, and RSA Live Content Rules" procedure in the ESA Configuration Guide should fix the issue.
Multi-Valued Warning Message ExampleMulti-Valued Warning Message Example
2019-08-23 08:55:07,602 [ deployment-0] WARN Stream|[alert, alert_id, browserprint, cert_thumbprint, checksum, checksum_all, checksum_dst, checksum_src, client_all, content, context, context_all, context_dst, context_src, dir_path, dir_path_dst, dir_path_src, directory, directory_all, directory_dst, directory_src, email_dst, email_src, feed_category, feed_desc, feed_name, file_cat, file_cat_dst, file_cat_src, filename_dst, filename_src, filter, function, host_all, host_dst, host_orig, host_src, host_state, ip_orig, ipv6_orig, OS, param, param_dst, param_src, registry_key, registry_value, risk, risk_info, risk_suspicious, risk_warning, threat_category, threat_desc, threat_source, user_agent] are still MISSING from multi-valued
Single Value Warning Message ExampleSingle Value Warning Message Example
2019-08-23 08:55:07,602 [ deployment-0] WARN Stream|[accesses, context_target, file_attributes, logon_type_desc, packets] are still MISSING from single-valued
Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_idUpdate any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id
In ESA rules that do not select every piece of meta from the session (that is, using select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work.
The following steps apply to all released versions of NetWitness 11.3 and later. In 11.4 and later, you do not need to follow these steps for data privacy, instead, see How to Remove Sensitive Meta Keys Globally from All Alerts. However, you need to follow these steps if you want to enable the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view.
Note: Do not use any Esper keyword as custom meta keys since this causes an error while creating an ESA Rule. For Esper keywords, see Reserved keywords.
- Update the index-concentrator-custom.xml file to include the ESA generated event_source_id meta key. If you do not add the meta key, ESA cannot recognize it and the rule will fail to deploy.
The following figure shows the file configured for the custom meta key "Event Source ID" with index settings of "IndexNone" with a format of "Text”.
<key description="Event Source ID" name="event_source_id" format="Text" level="IndexNone"/>
To save and deploy the new setting on the NetWitness host, select the Apply button. To force the change, restart the Concentrator service or you can wait until the next polling interval for the change to be recognized.
The XML file can also be deployed to other NetWitness hosts by clicking the Push button and selecting the destination NetWitness host. Only deploy the XML file to a NetWitness host that runs that service (that is, other Concentrators).
- Update any ESA rule that selects only certain meta from the session to include the ESA generated event_source_id meta key. Add the event_source_id meta key to the SELECT statement. See the following example rule.Copy
Example Rule with event_source_id
@RSAAlert
SELECT user_dst, reference_id, hostname, event_source_id FROM
Event(
device_class='Windows Hosts',
reference_id IN ('4624' , '4625'),
user_dst IS NOT NULL,
user_dst NOT LIKE '%$',
user_dst NOT IN ('ANONYMOUS LOGON','SYSTEM')
)
.win:time_batch(10 Minutes)
GROUP BY user_dst
HAVING COUNT(distinct hostname) >= 15; -
After the Concentrator changes takes effect, redeploy the ESA rule deployment that contains the ESA rule.
For additional information, see How ESA Handles Sensitive Data. For information on the stragegy and benefits of obfuscating data, see the Data Privacy Management Guide.
Steps to Troubleshoot Memory Issues with an ESA Service OfflineSteps to Troubleshoot Memory Issues with an ESA Service Offline
Step 1: Verify that your Host Is RunningStep 1: Verify that your Host Is Running
The first step to troubleshooting is to ensure that your host is running. To do this, go to
If your host is down, contact your NetWitness Administrator to restart it. Otherwise, go to Step 2.
Step 2: View Detailed Statistics in Health & WellnessStep 2: View Detailed Statistics in Health & Wellness
If your ESA service is down, you can go to Health & Wellness and view the last known metrics to see where potential issues are occurring. The most common problem is that your ESA service is exceeding memory thresholds, which causes it to stop or fail. In NetWitness 11.5 and later, see also View Health Statistics and Trends for ESA Correlation in New Health & Wellness.
-
Go to
- Correlation Server in Critical State
- Correlation Server in Unhealthy State
- Correlation Server Stopped
-
Go to
Host Component Category
<your host> Correlation Server Correlation Engine Metrics The name of the rule is in the Statistic column and the memory usage in bytes is in the Value column.
-
Click
to view a historical view of memory usage for the rule in the Historical Graph column.
-
In the System Stats Browser, you can also see details of your ESA Correlation service performance.
Select your host, and use the following filters to view the following statistics:
Host Component Category Statistic Example <your host> Host SystemInfo CPU Utilization 49.74% <your host> Host SystemInfo Memory Utilization 72.87% <your host> Host SystemInfo Used Memory 183.14 GB <your host> Host SystemInfo Total Memory 251.65 GB <your host> Host SystemInfo Uptime 289546, 3 days 8 hours 25 minutes 46 seconds <your host> Correlation Server Process jvm Memory Total Max 163 GB <your host> Correlation Server Process jvm
Memory Total Used
13.50 GB
<your host> Correlation Server ProcessInfo CPU Utilization 0.3% <your host> Correlation Server ProcessInfo Maximum Memory 251.65 GB <your host> Correlation Server ProcessInfo Memory Utilization 151.87 GB The following figure shows the location of the ESA Correlation service CPU and Memory Utilization statistics.
-
Click
The following figure shows the historical graph of CPU utilization.
The following figure shows the historical graph of Memory Utilization.
If you are having a problem with memory or CPU utilization, continue to step 3.
Step 3: Bring up your ESA ServicesStep 3: Bring up your ESA Services
- Go to
> Start.
- Return to the ESA Service to troubleshoot which rules have created memory issues.
If your ESA service is stopping and restarting in a loop, you may need to call Customer Support to get the services to start.
If you are able to start your ESA service without a shutdown, continue to step 4.
Step 4: Check the Alerts and Events VolumeStep 4: Check the Alerts and Events Volume
After you are able to restart your ESA service without an immediate shutdown, you can review the stats for your rules to see which rules are consuming too many resources. Sometimes, ESA services fail because a rule is generating too many alerts or a rule is matching too many events. Check for both of these issues if you have determined that memory usage is causing your ESA service to shut down.
View Alert SummariesView Alert Summaries
Rules that generate a high volume of alerts can overwhelm the system and cause it to fail or restart. To view the alert summaries, go to Respond > Alerts. In the Filters panel on the left, in the Alert Names section, select the alert name for the rule. The number of alerts with that name appears at the bottom of the Alerts list results. If the number is significantly high for a particular rule, you need to disable the rule and rewrite it to be more efficient.
To clear your filter, click Reset.
View Events MatchedView Events Matched
Sometimes a rule matches too many events, which can use up excessive memory. This typically occurs if you create a large event window where a great number of events accumulate without triggering an alert. This is a problem because each event is stored in memory while the rule waits for the alert to trigger. To check for this issue, go to 
Step 5: Disable and Repair the Rule that Caused IssuesStep 5: Disable and Repair the Rule that Caused Issues
Once you have determined the rules that need to be rewritten, disable them and rewrite rules so that they don't generate such a high volume of alerts or events. For pointers on how to write more efficient rules, see Best Practices.
Disable RulesDisable Rules
- To disable rules, go to
- Select Disable to disable the rules.
Edit RulesEdit Rules
- To repair the rules, go to
- For each rule that you repair, do the following:
- Select the rule to edit and then select
- Edit the rule to be more efficient. For instructions on creating rules, see Add Rules to the Rule Library
- When you are satisfied with your rule, you can save the rule as a trial rule to ensure that any memory issues do not affect ESA services performance. To do this, follow the steps listed in Working with Trial Rules.
- Select the rule to edit and then select
Deploy RulesDeploy Rules
To deploy rules, see topic Create a Deployment in the Live Services Management Guide.
Verify that the Rules are EnabledVerify that the Rules are Enabled
After you deploy the ESA rules, they should automatically show as enabled. If not, you can enable the rules.
- Go to
- On the deployment tab for the deployment that contains the rules, in the Deployed Rule Stats section, look at the status of the rules in the Enable column. Enabled rules show a green circle. If the rules show a white circle, you can enable the rules.
- To enable rules, select the rules you want to enable and select Enable above the table.
(Optional) Check the ESA Correlation Log Files for More Information(Optional) Check the ESA Correlation Log Files for More Information
Once you verify that your services are down and some potential causes for the system going down, check to see if the service is stopping and restarting in a loop. To do this, go to the ESA Correlation logs. You can use SSH to get in the system and go to: /var/log/netwitness/correlation-server/correlation-server.log.
ESA Rule Troubleshooting with Nw-ShellESA Rule Troubleshooting with Nw-Shell
Note: This procedure applies to NetWitness Platform 11.3 and later versions.
The ESA Correlation service replaces the Event Stream Analysis service in NetWitness version 11.3 and later. As a result of this change, some settings are no longer available in the user interface. In addition to the standard troubleshooting methods available, you can use the nw-shell utility to perform advanced troubleshooting of the ESA Correlation service and rules. For detailed information on the nw-shell utility, see the NetWitness Shell User Guide.
- Find Your Engine Name for Nw-Shell
- Connect to an ESA Correlation Server
- View the Contents of a Named Window
- See the Method Input and Output
Find Your Engine Name for Nw-ShellFind Your Engine Name for Nw-Shell
Follow these steps to find your engine name using your ESA rule deployment name. Your engine name is required for ESA Nw-Shell troubleshooting. Locate the names of each deployment that you plan to troubleshoot.
- In the NetWitness UI, go to
- In the System Stats Browser, use the following filters and then click Apply.
- Host: Select your ESA host.
- Component: Select Correlation Server.
- Statistic: Type - Name (put a space between the dash and name).
- In the Statistic column, locate your deployment followed by - Name. The name in the Value field is YOUR ENGINE NAME.
In the above example, the deployment name is DeploymentA and the engine name is deployment-a-sa-managed.
Connect to an ESA Correlation ServerConnect to an ESA Correlation Server
- Log in to nw-shell:
- Connect via SSH to the NW server (head unit).
- After logging in and getting the command prompt, type nw-shell.
- Connect to ESA:
- Go to your ESA physical host and type the command:
cat /etc/netwitness/correlation-server/service-id - Go back to the NW server and nw-shell and connect to the correlation server:
connect --service correlation-server.ID
- Go to your ESA physical host and type the command:
- Log in to ESA with the admin user credentials.
- Type login.
- Enter the username and password of the admin user.
View the Contents of a Named WindowView the Contents of a Named Window
Use the execute-query method to view the contents of a named window.
- After you are connected to the ESA correlation service and authenticated, type:
cd /rsa/correlation/engine/execute-query - Type invoke '{"engineName":"<YOUR ENGINE NAME>", "query":"<YOUR QUERY>"}
- Where <YOUR ENGINE NAME> = the engine name that you located in Find Your Engine Name for Nw-Shell.
- Where <YOUR QUERY> = the select statement into the named window.
- Where <YOUR ENGINE NAME> = the engine name that you located in Find Your Engine Name for Nw-Shell.
Example: invoke '{"engineName":"esa-sa-managed", "query":"select * from UserLoginProfile"}'
See the Method Input and OutputSee the Method Input and Output
Type show at the command line to see the input and output expected. All method invocation must be prefaced by invoke.
Obtain Correlation Server Metrics for ESA Rule Deployment Troubleshooting Using Nw-ShellObtain Correlation Server Metrics for ESA Rule Deployment Troubleshooting Using Nw-Shell
Note: This procedure is available in NetWitness Platform version 11.4.1 and later.
You can use Nw-Shell to view ESA Correlation Server metrics for each of your ESA rule deployments. These metrics show the number of sessions behind for the deployment data sources as well as the memory usage for the rules in the deployment.
- Find the engine name to use for Nw-Shell. See Find Your Engine Name for Nw-Shell.
- Connect to an ESA Correlation Server. See Connect to an ESA Correlation Server.
- After you are connected to the ESA correlation service and authenticated, type:
cd /rsa/correlation/service/stats/get-condensed-metrics - Type invoke '<YOUR ENGINE NAME>'
Where <YOUR ENGINE NAME> is the engine name that you located in Find Your Engine Name for Nw-Shell.
Here is an example of the metrics output that you can obtain for your ESA rule deployment:
