000033044 - Aggregation does not start if Correlation Rules are written in deprecated syntax after upgrading to RSA Security Analytics 10.6

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033044
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Security Analytics UI
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6
Issue After updating to Security Analytics, correlation rules written in deprecated syntax can cause Decoders or Concentrators to start in a failed state. Rules that match the strict formatting do not cause this issue.
User-added image
WorkaroundTo allow the aggregation on the Concentrator to start, change the correlation rules with deprecated syntax to use strict format syntax.
You can check your correlation rules with the steps below.
  1. In the Security Analytics UI, navigate to the Administration > Services page.
  2. Click on the Actions button for your Decoder, Log Decoder, or Concentrator and select View > Config.
  3. Click on the Correlation Rules tab.
Any rules using deprecated syntax will be highlighted.  For each deprecated rule, edit the rule, correct the syntax in the Condition field, and then click Save.  
After you fix all of the correlation rules for the appliance, restart the service.