Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000038138 - Cannot access custom Esper Java Libraries in RSA NetWitness Platform 11.3

Document created by RSA Customer Support

on Nov 20, 2019•Last modified by RSA Customer Support

on Mar 16, 2020

Version 7Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000038138
Applies To	RSA Product Set: NetWitness Platform RSA Product/Service Type: ESA host/ESA Correlation service RSA Version/Condition: 11.3.x
Issue	In RSA NetWitness Platform 11.3.x, it is slightly more difficult to enable custom Esper Java libraries for those customers who have built their own EPL extensions in Java. For those customers, upgrading to 11.3.x can create an issue with their alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java Libraries), customers do not have full visibility of some pattern detection which increases noise for their Analysts, decreasing their productivity.
Workaround	The known fix for this issue is as follows: For RSA NetWitness Platform 11.3.x, ensure that the custom library JAR file and all the sources are compiled in JDK 1.8. SSH to the Event Stream Analysis (ESA) server and login with root/user credentials. Modify the JAVA_OPTS variable in /etc/netwitness/correlation-server/correlation-server.conf to add the parameter -Dloader.path=<path to jar file/folder that contains the custom java code> to load the new java class files. See the following example: JAVA_OPTS="XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom ${JAVA_MAX_HEAP_GB:-Xmx164G} -Dloader.path=/opt/rsa/lib/myjar/ -javaagent:/var/lib/netwitness/esper-enterprise/esperee-utilagent-8.2.0.jar" Save and exit the correlation-server.conf. Copy the attached esper-config.xml file to a local folder on the ESA server. The preferred folder is /opt/rsa/lib for this file. Modify the esper-config.xml file in the local folder to include the custom functions created in the Java code. In NetWitness Platform, Go to Admin > Services. Select the ESA Correlation service. Select Action (Red Gear) > View > Explore. In the Explore view node list on the left side, select Correlation > Esper. Edit config-resource and change the path to the local ESA folder that contains the esper-config.xml file. See the following example: file:/opt/rsa/lib/esper-config.xml Restart the Correlation service: From the UI, go to Admin > Services, select the ESA Correlation service. Select Action (Red Gear) > Restart. From the command line, type the following and press Enter: systemctl restart rsa-nw-correlation-server
Notes	For the RSA NetWitness 11.4 version of this article, see 000038371 - Cannot access custom Esper Java libraries in RSA NetWitness Platform 11.4

Attachments

esper_config_11.3.x.xml.zip1.1 KB

Outcomes

0 Comments

Recommended Content

Incoming Links