Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Alerting: Troubleshoot ESA

Document created by RSA Information Design and Development Employee on Jan 30, 2020Last modified by RSA Information Design and Development Employee on Jul 14, 2020
Version 3Show Document
  • View in full screen mode
 

This section describes common issues that may occur while using ESA, and it suggests common solutions to these problems.

Troubleshoot ESA Correlation Services

                       
ProblemPossible CausesSolutions

On the NetWitness Platform Dashboard, the ESA service appears in red to indicate it is offline.

In the Configure > ESA Rules view, the following message appears: "The Service is either offline or not reachable."

Several

When an ESA Correlation service is offline, there are many possible causes. However, a common issue is that you have created a rule that uses excessive memory and causes the ESA service to fail. To troubleshoot this problem, see Steps to Troubleshoot Memory Issues with an ESA Service Offline.

Other common causes might be that your firewall is blocking the connection between the ESA and NetWitness Platform, or the ESA Correlation service machine may be down.

To bring up ESA Services:

Go to Admin > Services, select your ESA service, and then select Actions icon Start.

If your ESA service is stopping and restarting in a loop, you may need to call Customer Support to get the services to start.

After a recent upgrade, the ESA service appears in red on the NetWitness Platform Dashboard to indicate it is offline.

In the Configure > ESA Rules view, the following message appears: "The Service is either offline or not reachable."

Configuration issues

If your system has been recently upgraded, you may have made a configuration error.

Go to Admin > Services, select your ESA service and then select Actions icon > Edit. In the Edit Service dialog, click Test Connection. If the connection fails, you likely have a configuration error. Attempt to fix your configuration error and try again.

Troubleshoot RSA Live Rules for ESA

                       
ProblemPossible CausesSolutions
I imported a group of rules from RSA Live, and now my ESA service is crashing. Why?You may not have configured the parameters for the RSA Live rule to tune it for your environment. 

Each rule in RSA Live has a description that includes the parameters you must configure and prerequisites for your environment. Review this description to see if the rule is appropriate for your environment.

To ensure that you deploy rules safely in your environment, configure new rules as trial rules to test them in your environment. Trial rules add a safeguard for testing new rules. For details on this, see Deploy Rules as Trial Rules.

I imported a group of rules from RSA Live, and while the rules deployed without errors, they were later disabled.

Not all RSA Live rules are meant for every environment. You may not have the correct meta in your ESA for the rule to run.

You can verify that a rule was disabled by going to Configure > ESA Rules > Services > Deployed Rule Stats. If the rule is disabled, the green icon does not display next to the rule. 

If a rule deployed correctly but was disabled, check the logs for exceptions related to the rule. Specifically, check to see if the rules were disabled due to missing meta. To do this, go to the ESA Correlation logs. You can use SSH to get in the system and go to: /var/log/netwitness/correlation-server/correlation-server.log.

Then, search for a message similar to the following:

"Property named ‘<meta_name>' is not valid in any stream"

For example, you might see:

Failed to validate filter expression '(medium=1 and streams=2 or medium=3...(238 chars)': Property named 'tcp_flags_seen' is not valid in any stream

If a similar message displays, you may need to add a custom meta key to the Log Decoder or Concentrator. To do this, follow these instructions: "Create Custom Meta Keys Using Custom Feed" in the Decoder and Log Decoder Configuration Guide.

Troubleshoot ESA Rules

                                                                    
ProblemPossible CausesSolutions

I have an ESA rule that is not getting deployed and is not creating alerts.

A meta key that the rule uses is a string array type, but it shows as a string type on ESA.

Check to see if any string array meta keys that the rule uses are configured as string array types on ESA. Go to Configure > ESA Rules > Settings tab (Meta Key References).

  • If it shows string[], it is configured as a string array type on ESA. This is fine.
  • If it shows string without the brackets, it is configured as a string type and you need to fix it on ESA.

In the ESA Correlation service Explore view, go to correlation/stream. Add string array meta keys to the multi-valued list to allow them to be used as an array in ESA rules. Go back to the Meta Key References and click the refresh icon (Meta Re-Sync (Refresh) icon). Verify that the meta keys with a string array type show a value of .string[]. For additional details, see "Configure Meta Keys as Arrays in ESA Correlation Rules" in the ESA Configuration Guide.

I created a rule, and I checked the syntax. The rule looked fine. When I went to deploy the rule, I got an error. Why?You may not have the correct meta to deploy the rule. 

Check the Meta Key References. You may not have the correct meta to deploy the rule. Check the ESA Correlation service log files to see which meta keys are missing: /var/log/netwitness/correlation-server/correlation-server.log

In NetWitness Platform version 11.3.0.2 and later, you can check the ESA rule status in the ESA rule deployment (Go to Configure >ESA Rules > Rules tab. In the options panel on the left, select a deployment and look in the ESA Rules section). If a disabled rule has an error message, it shows ESA disabled rule error message icon in the Status field. Hover over the rule to view the error message tooltip.

Disabled rule tooltip showing an error message 

In the above example, the error message shows: "Failed to resolve event type: Event type or class named "Host_Whitelist" was not found." In this case, a Context Hub list called "Host_Whitelist" that is used by the rule is not available. For more information on context hub lists, see the Context Hub Configuration Guide.

For more information, see the ESA Rules section of the Deployment Panel reference.

I set up notifications for a rule, but we are not receiving them. The correlation-server.log file does not show any errors. Why?

Correlation-server successfully sent the notification messages to integration-server, but when integration-server tried to send the notifications to their destination, it failed.

When troubleshooting notifications, check both the ESA Correlation service log files (/var/log/netwitness/correlation-server/correlation-server.log) AND the Integration-Server log files on the NetWitness Server (/var/log/netwitness/integration-server/integration-server.log). For an example, see Integration-Server SMTP Notification Error Example.

Note: For any notification-related troubleshooting, check the integration-server log file in addition to the log file of the service creating the notification.

I created a rule with an enrichment, added an SMTP notification, and deployed my rule. We are not receiving SMTP notifications. Why?

You do not have a template that met the criteria to parse the events.

Check the ESA Correlation service log files to see if the SMTP notification failed: /var/log/netwitness/correlation-server/correlation-server.log. For more details on the notification error, check the Integration-Server log file on the NetWitness Server (also known as Node 0, Admin server, or NWServer): /var/log/netwitness/integration-server/integration-server.log.

If you use an ESA rule that has an enrichment, such as a Context Hub list, you must create a custom template. You can duplicate a default template and adjust it for your enrichment. See SMTP Notification Error Example below for a notification error example.

For information on creating a custom ESA template, see "Define a Template for ESA Alert Notifications" in the System Configuration Guide.

Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

I created a custom rule (via the Rule Builder or Advanced EPL), and my rule is not firing. Why?You may have connectivity issues.

Check the Offered Rate statistic on the Configure> ESA Rules>Services tab. Select the ESA service and then look at the statistics on the tab for the Deployment.

If the Offered Rate is zero, then the ESA service is not receiving data from Concentrators. Check the ESA Correlation log files for connectivity issues: /var/log/netwitness/correlation-server/correlation-server.log.

If the offered rate is not zero, the meta key name and type used in the rule likely doesn't match the meta key present in events. Check to see if the meta key name and type used in the rule is valid by searching for the meta key name in Configure>ESA Rules>Settings tab (Meta Key References).

I created a custom rule (via the Rule Builder or Advanced EPL), and my rule is not firing. Why?There may be a problem with the rule.If a specific rule is not firing, go to Configure>ESA Rules>Services to see if the rule was disabled. In the Deployed Rule Stats section, a rule that is disabled displays a clear enabled button (instead of the green enabled button).

You can also check Events Matched field. Go to Configure >ESA Rules> Services. From there, you can see the number of events that were matched in the Events Matched column.

If no events matched, check the logic of your rule for errors. For example, check the syntax for uppercase and lowercase errors, and check the time window. If the rule still doesn't fire, consider simplifying the logic of the rule to see if it fires when there is less complexity. 

After a recent upgrade, I am not seeing alerts and I am seeing disabled rules.There may be a problem with the ESA rule deployment.

Deploy the ESA rule deployments again. ESA Rule Deployment Steps provides more information on deploying rules using the ESA Correlation service.

If this does not resolve the issue, check the ESA Correlation log files for more information: /var/log/netwitness/correlation-server/correlation-server.log.

After an update or upgrade to 11.3.0.2 or later, if I try to make an adjustment to some rules, I get an error when trying to save them.

The Ignore Case option may be selected for a meta key that does not contain alphabetic values, such as IP address.

In NetWitness Platform 11.3.0.2 and later, the Ignore Case option has been removed from the ESA Rule Builder - Build a Statement dialog for meta keys that do not contain text values. Adding Ignore Case on meta keys which do not contain alphabetic values causes additional processing to occur for no added benefit.

In the ESA Rule Builder - Build a Statement dialog, check to see if you have any meta keys that do not contain alphabetic characters, for example, ip_src and ip_dst. If you do, clear the Ignore Case checkbox for those meta keys and try to save the rule again.

After an upgrade to 11.3.0.2 or later, I see a warning message in the ESA Correlation service log file showing a difference between the multi-valued and default-multi-valued parameter meta key values. Why?You do not have the required meta keys on ESA Correlation that the Endpoint, UEBA, and Live content rules need to work.If you want to use the latest Endpoint, UEBA, and Live content rules, add the necessary meta keys to the multi-valued and single-valued parameter fields. For detailed information and instructions, see "Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys" in the ESA Configuration Guide.
For example warning messages, see Example ESA Correlation Server Warning Message for Missing Meta Keys.
Meta keys marked as sensitive for data privacy are still included in notifications and alerts for some rules. In ESA rules that do not select every piece of meta from the session (that is, using select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work.

The following steps apply to all released versions of NetWitness 11.3 and later. In 11.4 and later, you do not need to follow these steps for data privacy. However, you need to follow these steps if you want to enable the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view.

  1. Add the ESA generated event_source_id meta key to the index-concentrator-custom.xml file.
  2. Add the event_source_id meta key to the SELECT statement within any ESA rule that does not select every piece of metadata from the session.
  3. After the Concentrator changes take effect, redeploy the ESA rule deployment that contains the ESA rule.

To do this, see Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id.

For NetWitness Platform 11.4 and later, to resolve the data privacy issue, see How to Remove Sensitive Meta Keys Globally from All Alerts.

The Pivot to Investigate > Navigate link does not work in a context tooltip accessed from Respond.

In ESA rules that do not select every piece of meta from the session (that is, using select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work.

For NetWitness Platform 11.3 and later (including 11.4), see Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id.

SMTP Notification Error Example

The following SMTP notification error example is an excerpt from a correlation-server.log file, which shows an error message for sending notifications with unsupported templates. In this example, there is a rule that is configured with the GeoIP enrichment, which has a hash table as one of its fields (the GeoIPLookup meta). Because the default SMTP template is only designed to deal with metas that are either singular values or arrays that contain only singular values, such as "ip.src":"1.1.1.1" and "action":["fw:inbound-network-traffic"], sending the email notification fails due to the array containing a hash table.

FTL stack trace ("~" means nesting-related):

- Failed at: ${value!""} [in template "smtp.ftl" in macro "value_of" at line 1, column 152]

- Reached through: @value_of metadata[key] [in template "smtp.ftl" at line 85, column 141]

----

...

For "${...}" content: Expected a string or something automatically convertible to string (number, date or boolean), or "template output" , but this has evaluated to an extended_hash (LinkedHashMap wrapped into f.t.DefaultMapAdapter):

==> value!"" [in template "smtp.ftl" at line 1, column 154]

Integration-Server SMTP Notification Error Example

The following SMTP notification error example is an excerpt from an integration-server.log file, which shows a failure when the Integration-server attempts to send an email notification to the email notification server. In this case, you should check the email notification server configuration in the Global Notifications settings (Admin > System > Global Notifications > Servers tab).

2019-10-09 18:53:42,015 [-SMTP-5c45c867e4b03b89a49b78ba] WARN Notification|SMTP dispatch failed (Reason: Sending the email to the following server failed : email.server.com:25)

2019-10-09 18:53:42,100 [-SMTP-5c45c867e4b03b89a49b78ba] WARN SystemOperation|Failed to forward ResolvedNotification{server=5c45c867e4b03b89a49b78ba, destination=5c45c854e4b03b89a49b78b9, content-length=30681}

java.lang.IllegalArgumentException: org.apache.commons.mail.EmailException: Sending the email to the following server failed : email.server.com:25

Example ESA Correlation Server Warning Message for Missing Meta Keys

If you see a warning message in the ESA Correlation server error logs for missing multi-valued meta keys, there is a difference between the default-multi-valued parameter and multi-valued parameter meta key values, and the new Endpoint, UEBA, and Live content rules will not work. The same is true for missing single-valued meta keys. Completing the "Update the Multi-Valued and Single-Valued Parameter Meta Keys for the latest Endpoint, UEBA, and RSA Live Content Rules" procedure in the ESA Configuration Guide should fix the issue.

Multi-Valued Warning Message Example

2019-08-23 08:55:07,602 [ deployment-0] WARN Stream|[alert, alert_id, browserprint, cert_thumbprint, checksum, checksum_all, checksum_dst, checksum_src, client_all, content, context, context_all, context_dst, context_src, dir_path, dir_path_dst, dir_path_src, directory, directory_all, directory_dst, directory_src, email_dst, email_src, feed_category, feed_desc, feed_name, file_cat, file_cat_dst, file_cat_src, filename_dst, filename_src, filter, function, host_all, host_dst, host_orig, host_src, host_state, ip_orig, ipv6_orig, OS, param, param_dst, param_src, registry_key, registry_value, risk, risk_info, risk_suspicious, risk_warning, threat_category, threat_desc, threat_source, user_agent] are still MISSING from multi-valued

Single Value Warning Message Example

2019-08-23 08:55:07,602 [ deployment-0] WARN Stream|[accesses, context_target, file_attributes, logon_type_desc, packets] are still MISSING from single-valued

Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id

In ESA rules that do not select every piece of meta from the session (that is, using select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work.

The following steps apply to all released versions of NetWitness 11.3 and later. In 11.4 and later, you do not need to follow these steps for data privacy, instead, see How to Remove Sensitive Meta Keys Globally from All Alerts. However, you need to follow these steps if you want to enable the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view.

Note: Do not use any Esper keyword as custom meta keys since this causes an error while creating an ESA Rule. For Esper keywords, see Reserved keywords.

  1. Update the index-concentrator-custom.xml file to include the ESA generated event_source_id meta key. If you do not add the meta key, ESA cannot recognize it and the rule will fail to deploy.

    The following figure shows the file configured for the custom meta key "Event Source ID" with index settings of "IndexNone" with a format of "Text”.

    <key description="Event Source ID" name="event_source_id" format="Text" level="IndexNone"/>

    Index-concentrator-custom.xml file updates with event_source_id

    To save and deploy the new setting on the NetWitness host, select the Apply button. To force the change, restart the Concentrator service or you can wait until the next polling interval for the change to be recognized.

    The XML file can also be deployed to other NetWitness hosts by clicking the Push button and selecting the destination NetWitness host. Only deploy the XML file to a NetWitness host that runs that service (that is, other Concentrators).

  2. Update any ESA rule that selects only certain meta from the session to include the ESA generated event_source_id meta key. Add the event_source_id meta key to the SELECT statement. See the highlighted portion in the example rule.

    @RSAAlert

    SELECT user_dst, reference_id, hostname, event_source_id FROM

    Event(

    device_class='Windows Hosts',

    reference_id IN ('4624' , '4625'),

    user_dst IS NOT NULL,

    user_dst NOT LIKE '%$',

    user_dst NOT IN ('ANONYMOUS LOGON','SYSTEM')

    )

    .win:time_batch(10 Minutes)

    GROUP BY user_dst

    HAVING COUNT(distinct hostname) >= 15;

  3. After the Concentrator changes takes effect, redeploy the ESA rule deployment that contains the ESA rule.

For additional information, see How ESA Handles Sensitive Data. For information on the stragegy and benefits of obfuscating data, see the Data Privacy Management Guide.

Steps to Troubleshoot Memory Issues with an ESA Service Offline

Step 1: Verify that your Host Is Running

The first step to troubleshooting is to ensure that your host is running. To do this, go to Admin > Hosts. If the host is down, the system parameters will not display (updating host information can sometimes be delayed), the Services display in red, and you may see an error message. 

Image of Hosts view showing services in red

If your host is down, contact your NetWitness Platform Administrator to restart it. Otherwise, go to Step 2. 

Step 2: View Detailed Statistics in Health & Wellness

If your ESA service is down, you can go to Health & Wellness and view the last known metrics to see where potential issues are occurring. The most common problem is that your ESA service is exceeding memory thresholds, which causes it to stop or fail.

  1. Go to Admin > Health & Wellness > Alarms to see if the ESA triggered any alarms. Look for the following alarms for ESA Correlation:

    • Correlation Server in Critical State
    • Correlation Server in Unhealthy State
    • Correlation Server Stopped

    Health & Wellness Alarm shows Correlation Server stopped

  2. Go to Admin > Health & Wellness > System Stats Browser to see the memory metrics for each rule's performance. To view the metrics, enter the following and click Apply:

                      
    Host Component

    Category

    <your host>Correlation ServerCorrelation Engine Metrics

    ESA Correlation Health & Wellness System Stats Browser metrics for a selected rule

    The name of the rule is in the Statistic column and the memory usage in bytes is in the Value column.

  3. Click Historical graph icon to view a historical view of memory usage for the rule in the Historical Graph column. 

    ESA Correlation Historical Graph showing ESA Rule Memory Usage

  4. In the System Stats Browser, you can also see details of your ESA Correlation service performance.

    Health and Wellness Memory Metrics

    Select your host, and use the following filters to view the following statistics:

                                                                                           
    Host ComponentCategoryStatisticExample
    <your host>HostSystemInfoCPU Utilization1.14%
    <your host>HostSystemInfoMemory Utilization30.64%
    <your host>HostSystemInfoUsed Memory15.05 GB
    <your host>HostSystemInfoTotal Memory49.14 GB
    <your host>HostSystemInfoUptime259493, 3 days 16 minutes 53 seconds
    <your host>Correlation ServerProcess jvmMemory Total Max64.00 GB
    <your host>Correlation Server

    Process jvm

    Memory Total Used

    593.70 MB

    <your host>Correlation ServerProcessInfoCPU Utilization0.4%
    <your host>Correlation ServerProcessInfoMaximum Memory62.92 GB
    <your host>Correlation ServerProcessInfoMemory Utilization1.48 GB

     

    The following figure shows the location of the ESA Correlation service CPU and Memory Utilization statistics.

    H&W System Stats Browser tab showing system info for the ESA host

  5. Click Historical graph icon to view a historical view of CPU and memory utilization.

    The following figure shows the historical graph of CPU utilization.

    Historical Graph of the ESA Correlation service CPU utilization

    The following figure shows the historical graph of Memory Utilization.

    Historical Graph of the ESA Correlation service memory utilization

If you are having a problem with memory or CPU utilization, continue to step 3. 

Step 3: Bring up your ESA Services

  1. Go to Admin > Services, select your ESA service, and then select Actions icon Start.
  2. Return to the ESA Service to troubleshoot which rules have created memory issues. 

If your ESA service is stopping and restarting in a loop, you may need to call Customer Support to get the services to start.

If you are able to start your ESA service without a shutdown, continue to step 4.

Step 4: Check the Alerts and Events Volume

After you are able to restart your ESA service without an immediate shutdown, you can review the stats for your rules to see which rules are consuming too many resources. Sometimes, ESA services fail because a rule is generating too many alerts or a rule is matching too many events. Check for both of these issues if you have determined that memory usage is causing your ESA service to shut down. 

View Alert Summaries

Rules that generate a high volume of alerts can overwhelm the system and cause it to fail or restart. To view the alert summaries, go to Respond > Alerts. In the Filters panel on the left, in the Alert Names section, select the alert name for the rule. The number of alerts with that name appears at the bottom of the Alerts list results. If the number is significantly high for a particular rule, you need to disable the rule and rewrite it to be more efficient.

Respond Alerts View showing the number of alerts for a selected rule

To clear your filter, click Reset Filters.

View Events Matched

Sometimes a rule matches too many events, which can use up excessive memory. This typically occurs if you create a large event window where a great number of events accumulate without triggering an alert. This is a problem because each event is stored in memory while the rule waits for the alert to trigger. To check for this issue, go to Configure > ESA Rules > Services. From there, you can see the number of events that were matched in the Events Matched column for the deployment. If a high number of events were matched for a given rule, you can investigate the rule further to see if you can make it more efficient.

ESA Rules Services Tab

Step 5: Disable and Repair the Rule that Caused Issues

Once you have determined the rules that need to be rewritten, disable them and rewrite rules so that they don't generate such a high volume of alerts or events. For pointers on how to write more efficient rules, see Best Practices.

Disable Rules

  1. To disable rules, go to Configure > ESA Rules > Services, and select the rules you want to disable in the Deployed Rules Stats field.
  2. Select Disable to disable the rules. 

Edit Rules

  1. To repair the rules, go to Configure > ESA Rules > Rules tab > Rule Library.
  2. For each rule that you repair, do the following:
    1. Select the rule to edit and then select Actions icon > Edit.
    2. Edit the rule to be more efficient. For instructions on creating rules, see Add Rules to the Rule Library
    3. When you are satisfied with your rule, you can save the rule as a trial rule to ensure that any memory issues do not affect ESA services performance. To do this, follow the steps listed in Work with Trial Rules.

Deploy Rules

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the options panel on the left, select the deployment that contains the rule.
  3. In the Deployment view, the rule that you changed shows a status of Updated. Click Deploy Now.
    The rule status changes to Deployed.

Verify that the Rules are Enabled

After you deploy the ESA rules, they should automatically show as enabled. If not, you can enable the rules.

  1. Go to Configure > ESA Rules > Services tab, and select the ESA service in the options panel.
  2. On the deployment tab for the deployment that contains the rules, in the Deployed Rule Stats section, look at the status of the rules in the Enable column. Enabled rules show a green circle. If the rules show a white circle, you can enable the rules.
  3. To enable rules, select the rules you want to enable and select Enable above the table.

(Optional) Check the ESA Correlation Log Files for More Information

Once you verify that your services are down and some potential causes for the system going down, check to see if the service is stopping and restarting in a loop. To do this, go to the ESA Correlation logs. You can use SSH to get in the system and go to: /var/log/netwitness/correlation-server/correlation-server.log.

 

ESA Rule Troubleshooting with Nw-Shell

Note: This procedure applies to NetWitness Platform 11.3 and later versions.

The ESA Correlation service replaces the Event Stream Analysis service in RSA NetWitness Platform version 11.3 and later. As a result of this change, some settings are no longer available in the user interface. In addition to the standard troubleshooting methods available, you can use the nw-shell utility to perform advanced troubleshooting of the ESA Correlation service and rules. For detailed information on the nw-shell utility, see the RSA NetWitness Shell User Guide.

Find Your Engine Name for Nw-Shell

Follow these steps to find your engine name using your ESA rule deployment name. Your engine name is required for ESA Nw-Shell troubleshooting. Locate the names of each deployment that you plan to troubleshoot.

  1. In the NetWitness Platform UI, go to Admin > Health & Wellness > System Stats Browser.
  2. In the System Stats Browser, use the following filters and then click Apply.
    1. Host: Select your ESA host.
    2. Component: Select Correlation Server.
    3. Statistic: Type - Name (put a space between the dash and name).
  3. In the Statistic column, locate your deployment followed by - Name. The name in the Value field is YOUR ENGINE NAME.
    System Stats Browser showing the ESA deployment name value
    In the above example, the deployment name is DeploymentA and the engine name is deployment-a-sa-managed.

Connect to an ESA Correlation Server

  1. Log in to nw-shell:
    1. Connect via SSH to the NW server (head unit).
    2. After logging in and getting the command prompt, type nw-shell.
  2. Connect to ESA:
    1. Go to your ESA physical host and type the command:
      cat /etc/netwitness/correlation-server/service-id
    2. Go back to the NW server and nw-shell and connect to the correlation server:
      connect --service correlation-server.ID
  3. Log in to ESA with the admin user credentials.
    1. Type login.
    2. Enter the username and password of the admin user.

RSA NetWitness Shell - Connect to an ESA Correlation Server

View the Contents of a Named Window

Use the execute-query method to view the contents of a named window.

  1. After you are connected to the ESA correlation service and authenticated, type:
    cd /rsa/correlation/engine/execute-query
  2. Type invoke '{"engineName":"<YOUR ENGINE NAME>", "query":"<YOUR QUERY>"}

Example: invoke '{"engineName":"esa-sa-managed", "query":"select * from UserLoginProfile"}'

RSA NetWitness Shell - View Contents of a Named Window

See the Method Input and Output

Type show at the command line to see the input and output expected. All method invocation must be prefaced by invoke.

RSA NetWitness Shell - See the method input and output

Obtain Correlation Server Metrics for ESA Rule Deployment Troubleshooting Using Nw-Shell

Note: This procedure is available in NetWitness Platform version 11.4.1 and later.

You can use Nw-Shell to view ESA Correlation Server metrics for each of your ESA rule deployments. These metrics show the number of sessions behind for the deployment data sources as well as the memory usage for the rules in the deployment.

  1. Find the engine name to use for Nw-Shell. See Find Your Engine Name for Nw-Shell.
  2. Connect to an ESA Correlation Server. See Connect to an ESA Correlation Server.
  3. After you are connected to the ESA correlation service and authenticated, type:
    cd /rsa/correlation/service/stats/get-condensed-metrics
  4. Type invoke '<YOUR ENGINE NAME>'
    Where <YOUR ENGINE NAME> is the engine name that you located in Find Your Engine Name for Nw-Shell.

Here is an example of the metrics output that you can obtain for your ESA rule deployment:

Example ESA Metrics output using NwShell - top

 

Example ESA Metrics output using NwShell - bottom

Previous Topic:Best Practices
You are here
Table of Contents > Getting Started with ESA > Troubleshoot ESA

Attachments

    Outcomes