on May 22, 2019Article Content
| Article Number | 000037478 |
| Applies To | RSA Product Set: NetWitness Logs & Network RSA Product/Service Type: Core Appliance, Health & Wellness, ESA RSA Version/Condition: 11.3.0.0 Platform: CentOS O/S Version: 7 |
| Issue | After upgrading to NetWitness 11.3 Health & Wellness shows the ESA Event Stream Analysis service is stopped. |
| Tasks | The NetWitness ESA Event Stream Analysis service is now replaced by the ESA Correlation service in NetWitness 11.3. See What's New for Event Stream Analysis (ESA) in Release Notes for RSA NetWitness Platform 11.3 The ESA Correlation service in NetWitness Platform 11.3 replaces the Event Stream Analysis service found in previous versions. For NetWitness environments upgrading to 11.3, Health & Wellness continues to run the Event Stream Analysis Monitoring Policy in consideration of backward compatibility and mixed mode environments. For newly installed NetWitness 11.3 systems, the Health & Wellness Event Stream Analysis Monitoring Policy won't be installed out-of-the-box (OOTB). |
| Resolution | Confirm in the NetWitness UI that the expected 11.3 ESA services are running. For ESA Primary the services are:
 For ESA Secondary the services are:
If the correct 11.3 ESA services are running then disable the ESA Event Stream Analysis service Health & Wellness policy. In the NetWitness UI, Health & Wellness, Policies tab Under Policies on the left open Event Stream Analysis Monitoring Policy Un-tick the Enable at the top of this policy and Save.  The alert in Health & Wellness for the ESA Event Stream Analysis service should then go away. |