000032867 - The UsingEventTime property is set incorrectly on ESA appliances running RSA Security Analytics 10.5 and above

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 11Show Document
  • View in full screen mode

Article Content

Article Number000032867
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): Esper
O/S Version: EL6
IssueThe default setting for the UsingEventTime property shipped with the ESA on version 10.5.x and above is incorrectly set to false by default.
CauseThe ESA appliance is powered by Esper and is designed to live in the state of 'NOW' and does not read the system clock.
Security Analytics can pass the event time to the ESA and normally does so by default. In 10.5.x versions the default setting to do this was inadvertently disabled.
ResolutionTo resolve this issue you will need to go to the explore view of the ESA and change the setting by following the steps below.
  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Find the ESA service, click on the gear icon to its right, and select View -> Explore.
  3. In the directory structure that presents itself on the left, click the + next to CEP and then click the + next to Engine.
  4. Click on the cepEngine listing and the window on the right of the screen will populate with information.
  5. Search for the string UsingEventTime, which will be set to false, and change the setting to true.
    ESA Image of Explorer View
Once this setting is changed you will need to restart the ESA service with the steps below.
  1. In the Security Analytics UI, navigate to Administration -> Services.
  2. Find the ESA service, click on the gear icon to its right, and select Restart.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.