|Applies To||RSA Product Set: NetWitness Logs and Packets|
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.6, 11.0, 11.1, 11.2, 11.3
O/S Version: EL6, EL7
|Issue||An ESA rule is disabled after being deployed to the ESA service and reports the error below.|
ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing metadata, invalid rule syntax, and unavailable external connections at the time of deployment.
The ESA log level WARN contains the following message:
|Cause||Within the ESA service some meta keys were changed from a string type to a multi-valued type. This affected the following rules:|
To change the string type meta keys to string array type meta keys in RSA NetWitness Logs and Packets 11.3, see “Configure Meta Keys as Arrays in ESA Correlation Rule Values” in the ESA Configuration Guide for RSA NetWitness® Platform 11.3.
RSA NetWitness Logs and Packets 11.3
To deploy custom ESA rules using the above listed meta keys, the rules must be updated to use the array syntax and then redeployed. For example:
RSA NetWitness Logs and Packets 11.2 and Prior
To deploy RSA Live ESA rules using these keys, the meta keys must be added to the ESA service using the multi-valued type. In addition, any custom ESA rules using these meta keys must be updated to use array syntax. The steps below explain how to add the meta keys to the ESA service with the multi-valued type.