000038371 - Cannot access custom Esper Java libraries in RSA NetWitness Platform 11.4.x and Later

Document created by RSA Customer Support Employee on Jan 27, 2020
Last modified by RSA Customer Support Employee on Aug 26, 2020
Version 4

Article Content

Article Number: 000038371
Applies To:
RSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host/ESA Correlation service
RSA Version/Condition: 11.4.x and later

 
Issue
In RSA NetWitness Platform 11.4.x and later, enabling custom Esper Java libraries is slightly more difficult for customers who have built their own EPL extensions in Java. For those customers, upgrading to 11.4.x or later can cause problems with alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java libraries), customers do not have full visibility of some pattern detection, which increases noise for their analysts and decreases their productivity.
Workaround
The known fix for this issue is as follows:
  1. For RSA NetWitness Platform 11.4.x and later, ensure that the custom library JAR file and all the sources are compiled with JDK 11.
  2. SSH to the ESA host and log in with your ESA host credentials.
  3. Modify the JAVA_OPTS variable in /etc/netwitness/correlation-server/correlation-server.conf, adding the parameter -Dloader.path= to load the new Java class files. In the following example, the added parameter is -Dloader.path=/opt/rsa/lib/myjar/:

JAVA_OPTS="-XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom ${JAVA_MAX_HEAP_GB:-Xmx164G} -Dloader.path=/opt/rsa/lib/myjar/ -javaagent:/var/lib/netwitness/esper-enterprise/esperee-utilagent-8.2.0.jar"


  4. Save and exit the correlation-server.conf file.
  5. Copy the attached esper-config.xml file for the version of NetWitness being used to a local folder, remembering to rename the file to esper-config.xml.
  6. Modify the esper-config.xml file in the local folder to include the custom functions created in the Java code.
  7. In the RSA NetWitness Platform UI:
    1. Go to Admin > Services.
    2. Select the ESA Correlation service.
    3. Select Actions > View > Explore.
    4. In the Explore view node list on the left side, select correlation > esper.
  8. Edit config-resource and change the path to the local folder that contains the esper-config.xml file:

file:/opt/rsa/lib/esper-config.xml


  9. Restart the Correlation service.

  • From the UI,
    1. Go to Admin > Services.
    2. Select the ESA Correlation service.
    3. Select Actions > Restart.
  • From the command line, run:

systemctl restart rsa-nw-correlation-server
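
A check that can be run before the restart, covering steps 1 and 3 (an added example, not part of the original RSA article): it reads the class-file headers in the custom JAR and reports any class compiled for a release newer than Java 11 (class-file major version 55), and it extracts the -Dloader.path value from the JAVA_OPTS line. The sample JAR, the class names and the shortened JAVA_OPTS line are constructed for illustration.

```python
import io
import re
import struct
import zipfile

JAVA11_MAJOR = 55  # class-file major version produced by JDK 11 (JDK 8 is 52)

def class_major(data):
    """Return the class-file major version, or None if the magic is wrong."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        return None
    return struct.unpack(">HH", data[4:8])[1]  # (minor, major), big-endian

def unloadable_classes(jar_bytes, max_major=JAVA11_MAJOR):
    """Map entry name -> major version (None = corrupt) for classes that a
    Java 11 runtime would reject. Multi-release entries are not special-cased."""
    bad = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                major = class_major(jar.read(name))
                if major is None or major > max_major:
                    bad[name] = major
    return bad

def loader_path(conf_text):
    """Return the -Dloader.path value from the JAVA_OPTS line, or None."""
    match = re.search(r'^\s*JAVA_OPTS="([^"]*)"', conf_text, re.MULTILINE)
    if match:
        for opt in match.group(1).split():
            if opt.startswith("-Dloader.path="):
                return opt.split("=", 1)[1]
    return None

def sample_jar(classes):
    """Constructed test input: a JAR holding header-only stub class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, major in classes.items():
            jar.writestr(name, b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample data; the class names are hypothetical.
    jar = sample_jar({"com/example/epl/GeoUtil.class": 55,
                      "com/example/epl/NewUtil.class": 61})
    conf = 'JAVA_OPTS="-XX:+UseG1GC -Dloader.path=/opt/rsa/lib/myjar/"\n'
    print("loader.path:", loader_path(conf))
    print("rejected by Java 11:", unloadable_classes(jar))
```

Against a real build, pass the bytes of the custom JAR and the text of correlation-server.conf instead of the constructed samples; an empty result from unloadable_classes means every class in the JAR targets Java 11 or earlier.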
Notes
For the RSA NetWitness 11.3 version of this article, see 000038138 - Cannot Access Custom Esper Java Libraries for RSA NetWitness Platform's Event Stream Analysis
 
