Clean Notifications (from ESM)
We've been testing some rules (with "send notification" as the action; the notifications do not need to be acknowledged), and this rule fired many times.
As a result we received many notifications and the email "ArcSight - Discarding Notifications" (to prevent flooding). The question is: is the destination still disabled?
Also, as the destination was blocked, the rest of the notifications went to 'Notifications' (From ESM > Acknowledge Notifications), in the 'Undeliverable' section. I understand this, but I'd like to clean this section: I selected the notifications in this section and clicked on Acknowledge, but nothing happens; the notifications persist in this section. In the other sections I still have old notifications. Is there a way to clean these sections?
The version I'm using is 5.0.1.
Thanks for your reply. To sum up, what you do in this workaround is delete the notifications from the DB:
delete from arc_notification_history;
delete from arc_notification_registry;
However, first you have to stop the manager, and this is critical for us. Is there another way?
Stop everything, then start MySQL. I had to do this this morning when clearing out the notifications.
This is how I did it (I was root at the time):
/etc/init.d/arcsight_services stop all
/etc/init.d/arcsight_services start mysqld
truncate table arc_notification_history;
truncate table arc_notification_registry;
/etc/init.d/arcsight_services start all
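An added example, not part of the thread or any poster's script: a small POSIX shell wrapper around the stop / start mysqld / truncate / start all steps above, which takes a mysqldump of both tables before truncating them so the purge can be undone. It assumes the ESM database is named arcsight, that the MySQL credentials are in a defaults file, and that mysqldump and mysql are on the PATH; none of that comes from the thread. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the poster's own script): wraps the stop / start mysqld /
# truncate / start all procedure from the thread, taking a mysqldump of both
# tables before purging them. Assumptions not taken from the thread: the ESM
# database is named "arcsight", MySQL credentials live in a defaults file, and
# mysqldump and mysql are on PATH. Set DRY_RUN=1 to print instead of execute.

ARCSIGHT_SERVICES="${ARCSIGHT_SERVICES:-/etc/init.d/arcsight_services}"
ARCSIGHT_DB="${ARCSIGHT_DB:-arcsight}"               # assumed database name
MYSQL_DEFAULTS="${MYSQL_DEFAULTS:-/root/.my.cnf}"    # assumed credentials file
BACKUP_DIR="${BACKUP_DIR:-/var/tmp/arcsight-notification-backup}"

# Print the command when DRY_RUN=1, otherwise execute it in this shell.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# The SQL from the thread, kept in one place so it can be reviewed before use.
cleanup_sql() {
    cat <<'EOF'
TRUNCATE TABLE arc_notification_history;
TRUNCATE TABLE arc_notification_registry;
EOF
}

clean_notifications() {
    stamp=$(date +%Y%m%d-%H%M%S)
    backup="$BACKUP_DIR/notifications-$stamp.sql"

    # 1. Stop everything first: truncating while the manager is running can
    #    leave the tables inconsistent with what the manager holds in memory.
    run_cmd "$ARCSIGHT_SERVICES stop all"
    # 2. Bring only the database back up.
    run_cmd "$ARCSIGHT_SERVICES start mysqld"
    # 3. Dump both tables so the purge can be reversed if needed.
    run_cmd "mkdir -p $BACKUP_DIR"
    run_cmd "mysqldump --defaults-file=$MYSQL_DEFAULTS $ARCSIGHT_DB arc_notification_history arc_notification_registry > $backup"
    # 4. Purge.
    run_cmd "cleanup_sql | mysql --defaults-file=$MYSQL_DEFAULTS $ARCSIGHT_DB"
    # 5. Start the manager and the rest of the services again.
    run_cmd "$ARCSIGHT_SERVICES start all"
}

# Only act when explicitly asked to, e.g.:  DRY_RUN=1 sh clean_notifications.sh --run
if [ "${1:-}" = "--run" ]; then
    clean_notifications
fi
```

Run it once with DRY_RUN=1 --run to review the exact command sequence, then without DRY_RUN during a maintenance window; the dump under BACKUP_DIR is what you restore with mysql if the purge turns out to be wrong.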
Thanks for your reply. I appreciate that it is a similar solution: stop everything first, clear them directly from the database (in your case MySQL), and then start it again. I also think that you did it on the Logger (I want to clear notifications from the ESM), but anyway thank you; it could be useful for others.
Is there a way to clean the notifications from the ESM that doesn't require stopping the services? (Stopping the manager is quite critical for us.)
This was ESM 6.5c. If you truncate the table while the database is running you may get some mismatches and corrupt the installation. I did this because we had over 50K entries per user that needed cleaning out, and it was much faster. It was only a few minutes of downtime and we just piled up the events. I am not sure how to do it in 5.0.
I think the previous replies above had it also. You can just do a DELETE SQL statement for matching events.
Good luck, let us know if you solved it so those after us can find the solution too!
I have realized that the notifications have gone, with no action taken! (At the beginning there were around 300.)
I think that depending on the threat priority the notifications expire sooner or later.
Thanks for your replies; I'll bear it in mind if it happens again (I hope not!). Also, we are planning to migrate to ESM 6.X, as 5.0 is going to be unsupported.
Your solution was very good. But I want to know if there is a way to increase the notification limit from 100 to 200 or more.
I tried some solutions, like setting the values in the server.properties file in /opt/arcsight/manager/config.
But it didn't work. I have a software Logger, though it might work for the appliance Logger.
Can you help me regarding this, or does anybody have a solution for this?
Thanks in Advance
This should work for you like you tried.
I would just modify this one line and not add the time_window, as I think 1 day is the default.
You can look up the defaults in /opt/arcsight/manager/config/server.defaults.properties
Remember you need to restart the manager after making these changes.
Thanks for your reply.
I want to make a point: this line (notification.aggregation.max_notifications=1000) was not present in the defaults properties file.
I have added these two lines after seeing your answer, but nothing happened. My ESM is still disabled after 100 notifications, and then I have to truncate the table or wait for the next day.
I have Software ESM 6.8.
Could you please help me regarding this? I will be very thankful to you.