000032966 - ESA deployment shows "unknown error" and deleted rule still triggers alerts in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on May 3, 2019.
Version 4

Article Content

Article Number: 000032966
Applies To:
RSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: SA Security Analytics Server, Event Stream Analysis
RSA Version/Condition: 10.5.1, 10.5.2, 10.5.3, 10.6.x
Platform: CentOS
O/S Version: EL6
Issue: If an ESA rule is deleted, the rule still appears as enabled on the Alerts->Configure->Services page, which leads to an 'Unknown error' when deploying changes to the ESA service.

Cause: This is due to additional unused ESA deployment services under the ESA Deployments tab.

Resolution: Follow the steps below to resolve this issue.
  1. Log in to the SA GUI as admin.
  2. Navigate to Alerts->Configure->Deployments.
  3. Delete the additional ESA Deployments that are unused.
  4. Verify that "Deploy Now" does not show any error when changes are deployed.