000038138 - Cannot Access custom Esper Java Libraries in RSA NetWitness Platform 11.3

Document created by RSA Customer Support Employee on Nov 20, 2019Last modified by RSA Customer Support Employee on Feb 10, 2020
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000038138
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host/ESA Correlation service
RSA Version/Condition: 11.3.x
IssueIn RSA NetWitness Platform version 11.3.x, it is slightly more difficult to enable custom Esper Java libraries for those customers who have built their own EPL extensions in Java.  For those customers, upgrading to 11.3.x can create an issue with their alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java Libraries), customers do not have full visibility of some pattern detection which increases noise for their Analysts, decreasing their productivity.
 
WorkaroundThe known fix for this issue is as follows:
  1. For NetWitness Platform 11.3.x, ensure that the custom library JAR file and all the sources are compiled in JDK 1.8.
  2. SSH to the Event Stream Analysis (ESA) server and login with root/user credentials.
  3. Modify the JAVA_OPTS variable in /etc/netwitness/correlation-server/correlation-server.conf and add the parameter -Dloader.path=<path to jar file/folder that contains the custom java code> to load the new java class files. See the following example.


JAVA_OPTS="XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom ${JAVA_MAX_HEAP_GB:-Xmx164G} -Dloader.path=/opt/rsa/lib/myjar/ -javaagent:/var/lib/netwitness/esper-enterprise/esperee-utilagent-8.2.0.jar"


  1. Save and exit the correlation-server.conf
  2. Copy the attached esper-config.xml file to a local folder on the ESA server. The preferred folder is /opt/rsa/lib for containing this file.
  3. Modify the esper-config.xml file in the local folder to include the custom functions created in the Java code.
  4. In NetWitness Platform, go to Admin > Services, select the ESA Correlation service, and then select Action (Red Gear) > View > Explore. In the Explore view node list on the left side, select correlation > esper.
  5. Edit config-resource and change the path to the local ESA folder that contains the esper-config.xml file. See the following example.


file:/opt/rsa/lib/esper-config.xml


  1. Restart the Correlation service.
    • From the UI, go to Admin > Services, select the ESA Correlation service, and then select Action (Red Gear) > Restart.
    • From the command line:


systemctl restart rsa-nw-correlation-server
NotesFor the RSA NetWitness 11.4 version of this article, 000038138 - Cannot Access Custom Esper Java Libraries for RSA NetWitness Platform's Event Stream Analysis

Outcomes