7 Replies Latest reply on May 28, 2019 3:54 PM by jrouviere

    Email Alerting stopped




      My email alerting stopped for my rules. I checked the diskusage and the EPIC rules queue is backed up. How do I clear this?


      cmc::acm# diskusage
      Checking Disk Usage (this could take a moment)... ....oo.oo.oo.oo.oo.oo.oo.
      Partition Disk Usage:
              LEM:             70% (2.0G/3.0G)
              OS:              38% (1.1G/3.0G)
              Logs/Data:       52% (976G/2.0T)
              Temp:            12% (680M/5.9G)
      Database Queue(s): 4.0K (No alerts queued, 459 alerts waiting in memory)
      Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
      Alert Errors: 21M
      Console Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
      DataCenter Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
      EPIC Rules Queue: 503M (1300000 alerts queued, 1200000 alerts waiting in memory)
      Forensic Database Queue: 2.1M (0 data queued, 0 data items waiting in memory)
      Logs: 801M
      Tool Profiles Message Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)

        • Re: Email Alerting stopped

          Just as a precaution check your Email Active Response connector configuration settings to see if there is anything wrong.

          I know there is a command in cmc to operate the configurations of the appliance logs. I hope somebody will stop by with an answer to this.

          • Re: Email Alerting stopped

            I have had the same problem repeatedly over the past year or so... cases 693580 and 739367... I always end up having to reboot the appliance because I can't leave it down waiting for a response to the ticket. Sometimes restarting the manager helps but there doesn't appear to be an actual fix. Past suggestions have been rule issues, but these have been modified or disabled so I'm not sure what else to try. Email Active Response connector is turned on.

            • Re: Email Alerting stopped

              I am still seeing this issue too. Is there a resource modification I can do to alleviate the problem?

                • Re: Email Alerting stopped

                  If your diskusage looks anything like the OP then you've most likely got a rule configuration issue.


                  Especially if the Rules Queue or Epic Rules Queue is maxed out like the OP then you have a few things:


                  1. If you remember the last rule(s) you worked on, disable it.
                  2. If you don't, you can check for InternalRuleFired or InternalTestRule events to see what is triggering the most.
                  3. If the issue's been going on for a while you can restart the manager service and then check step 2 to see what rule is running off with the LEM.


                  If you need any help with these steps Support will be able to assist you. Most likely it's a rule configuration/correlation causing the rule to fire too frequently and fill up the Queue.
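
A check for the queue backlog discussed in this thread, as an added example that is not part of any post and not the vendor's tooling: it parses the queue lines of `diskusage` output in the format shown in the first post and reports which queues are backed up, so a silent stop in rule-driven alerting can be caught by monitoring. The `max_pending` threshold, the 1024-based size units and the function names are assumptions.

```python
import re

# Constructed sample: queue lines in the format of the diskusage output in the first post.
SAMPLE = """\
Database Queue(s): 4.0K (No alerts queued, 459 alerts waiting in memory)
Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Alert Errors: 21M
EPIC Rules Queue: 503M (1300000 alerts queued, 1200000 alerts waiting in memory)
Forensic Database Queue: 2.1M (0 data queued, 0 data items waiting in memory)
"""

# Assumption: size suffixes are 1024-based.
UNITS = {"K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

# Matches "<name> Queue: <size> (<n|No> <noun> queued, <n> <noun> waiting in memory)".
QUEUE_RE = re.compile(
    r"^\s*(?P<name>[^:]*Queue(?:\(s\))?):\s*(?P<size>[\d.]+)(?P<unit>[KMGT])?\s*"
    r"\((?P<queued>No|\d+) \w+ queued, (?P<mem>\d+) [\w ]+ waiting in memory\)"
)

def parse_queues(text):
    """Return {queue name: {bytes, queued, in_memory}}; non-queue lines are skipped."""
    queues = {}
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if not m:
            continue  # partition lines, "Alert Errors", "Logs" carry no queue counts
        size = float(m["size"]) * UNITS.get(m["unit"], 1)
        queued = 0 if m["queued"] == "No" else int(m["queued"])
        queues[m["name"]] = {
            "bytes": int(size),
            "queued": queued,
            "in_memory": int(m["mem"]),
        }
    return queues

def backed_up(queues, max_pending=10000):
    """Names of queues whose pending items exceed max_pending (assumed threshold), worst first."""
    pending = {n: q["queued"] + q["in_memory"] for n, q in queues.items()}
    return sorted((n for n, p in pending.items() if p > max_pending),
                  key=lambda n: -pending[n])

if __name__ == "__main__":
    for name in backed_up(parse_queues(SAMPLE)):
        print(f"backlog: {name}")
```
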