Mitigator Memory Increasing Daily in RSA Web Threat Detection 5.1
Originally Published: 2016-03-24
Article Number
Applies To
RSA Product/Service Type: Mitigator
RSA Version/Condition: 5.1
Platform: CentOS
Issue
Example customer statement:
Consumption of machine memory is increasing daily and causing alerts issue occurs when it is longer than 2 weeks v5.1.1.5
Error Message: none Recent
Changes: none
Business Impact: SEV 2, partner requested, unknown impact
Tasks
1. View the Varz Graph, looking at memory utilization.
2. Go to the Schema and look at the 'Mitigator' configuration, look for WindowSize and check the settings.
If they are not seen, push 'Edit' to see if the default setting is there. (This would only appear on Edit if it was never changed from default in the past.)
3. Go to rules, and ask the Customer if they are using a lot of rules with wildcards ' * '.
This tends to cause extra memory consumption due to the need to keep all pages in memory for each attribute, i.e., for each click.
4. Ask the Customer if they have a lot of testing going on in their environment that may cause spikes of many hits on only one or two IP addresses.
Resolution
Depending on what is seen for the schema in the configuration manager, they may have the default setting of 24 hours and 1 'pane'.
Our R&D research has shown that this default setting can be 'tuned' for improved response,
e.g., seeing memory being released and not growing as large day to day.
(Take a look at the VARZ graph for the Mitigator memory and look for steady trends in increased memory. This would indicate
that default settings are in place as not enough memory is being released with the current setting. There may be sharp decreases
when the service is restarted, which releases memory, but it is still followed by a steady rise, as just release the memory does not resolve the issue.)
If a change is needed, it should be gradual, made in small increments and observed over several days. Recommend a window change to 12 hours
and keep the setting of 1 pane. Tell the Customer that they should see more memory being released after 3 or 4 days and steadier,
more even day to day utilization, rather than a sharply rising graph.
2. Ask the Customer to continue to work on the Rules and IP Filters.
These steps will take time for the Customer to research, change and observe for improvement.
You may be able to close the case at this time, and have them reopen if needed.
Related Articles
How to run a SQL query report on several UserIDs with a wildcard in RSA Authentication Manager 8.x Number of Views Remote Administration failing with one of several listed errors Number of Views Rename an end entity certificate so reissued certificate name is not appended with -1 Number of Views MSIE cannot link to revoke or re-issue from the enrollment server Number of Views Overview of the token statistics page for RSA Authentication Manager 8.x Number of Views
Trending Articles
How to manipulate imported RSA SecurID Software Token(s) on an iPhone or iPad device Artifacts to gather in RSA Identity Governance & Lifecycle RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide How to Download OTP Token Seed Files from myRSA
Don't see what you're looking for?
