000017528 - The RSA Security Analytics ESA service is immediately stopping after being started

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017528
Applies ToRSA Security Analytics
RSA Security Analytics Event Stream Analysis
IssueThe RSA Security Analytics ESA service is immediately stopping after being started.
When using the 'Test Connection' button in the 'Add Device' or 'Edit Device' dialog box, the following error is shown:  Test Connection Failed

The ESA service is found not to be running using the following command:



[root@sa-esa ~]# service rsa-esa status
RSA NetWitness ESA :: Server is not running.



 


Attempting to start the service is successful:



[root@sa-esa ~]# service rsa-esa start
Starting RSA NetWitness ESA :: Server...
[root@sa-esa ~]# service rsa-esa status
RSA NetWitness ESA :: Server is running (3718).



 


However after 1-2 mins, the following 2 commands indicate that the service is no longer listening on port 50030/TCP as the service has stopped again.



[root@sa-esa ~]# netstat -anp | grep :50030
[root@sa-esa ~]# service rsa-esa status
RSA NetWitness ESA :: Server is not running.



 

The following message appears in the /opt/rsa/esa/logs/esa.log file:



2014-06-17 00:04:42,957 [WrapperSimpleAppMain] FATAL com.rsa.netwitness.esa.server.EsaCommandLine - Fatal throwable
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'connections' defined in class path resource [META-INF/esa-handlers.xml]: Invocation of init method failed; nested exception is com.rsa.netwitness.carlos.transport.TransportException: com.rsa.netwitness.carlos.transport.TransportException: java.io.IOException: Failed to bind to server socket: socks://0.0.0.0:50030?transport.connectionTimeout=10000&transport.soTimeout=10000&transport.daemon=true&transport.keepAlive=true&transport.closeAsync=false&transport.soWriteTimeout=10000 due to:
java.net.BindException: Address already in use


Cause

The issue is due to the fact that the service cannot bind to port 50030 because it believes the address is already in use.


 


The hostname specified in the loopback address specified in the /etc/hosts file must match the HOSTNAME specified in the /etc/sysconfig/network file, as shown below.



[root@sa-esa ~]# cat /etc/hosts
# Created by NetWitness Installer on Fri May 30 16:37:22 UTC 2014
127.0.0.1 sa-esa localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 sa-esa localhost localhost.localdomain localhost6 localhost6.localdomain6


[root@sa-esa ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=sa-esa.igloo.northpole.org
IPV6_DEFAULTGW=
NETWORKING=yes


Resolution

1. Make the hostnames in the /etc/hosts and /etc/sysconfig/network files consistent.



Example 1:
In this case we can edit /etc/sysconfig/network to remove the domain suffix of igloo.northpole.org
Edit /etc/sysconfig/network so contents appear as:




NETWORKING=yes
HOSTNAME=sa-esa
IPV6_DEFAULTGW=
NETWORKING=yes



Example 2:
Alternatively we can include the FDQN in loopback specification in /etc/hosts
So /etc/hosts becomes:



# Created by NetWitness Installer on Fri May 30 16:37:22 UTC 2014
127.0.0.1 sa-esa sa-esa.igloo.northpole.org localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 sa-esa sa-esa.igloo.northpole.org localhost localhost.localdomain localhost6 localhost6.localdomain6



It would probably be a good idea to specify domain in /etc/sysconfig/network as well.
So /etc/sysconfig/network becomes:



NETWORKING=yes
HOSTNAME=sa-esa.igloo.northpole.org
IPV6_DEFAULTGW=
NETWORKING=yes
DOMAINNAME=igloo.northpole.org




2. Restart the ESA Service.



[root@sa-esa ~]# service rsa-esa start
Starting RSA NetWitness ESA :: Server...



3. Check ESA service log for the successful bind message:



[root@sa-esa ~]# tail -n 100 /opt/rsa/esa/logs/esa.log | grep :50030
2014-06-20 04:14:12,814 [WrapperSimpleAppMain] INFO  com.rsa.netwitness.carlos.transport.spring.MessageEndpointServiceExporter - Service on channel com.rsa.netwitness.esa.ESAProtocol$ServiceMessage bound to local endpoint jms://0.0.0.0:50030?carlos.dispatch.queue=256&carlos.dispatch.pool=32


NotesThe Event Stream Analysis (ESA) service log is found in the following location:  /opt/rsa/esa/logs/esa.log
Legacy Article IDa64779

Attachments

    Outcomes