Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000032867 - The UsingEventTime property is set incorrectly on ESA appliances running RSA Security Analytics 10.5 and above

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 22, 2017

Version 11Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000032867
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Event Stream Analysis (ESA) RSA Version/Condition: 10.5.x, 10.6.x Platform: CentOS Platform (Other): Esper O/S Version: EL6
Issue	The default setting for the UsingEventTime property shipped with the ESA on version 10.5.x and above is incorrectly set to false by default.
Cause	The ESA appliance is powered by Esper and is designed to live in the state of 'NOW' and does not read the system clock. Security Analytics can pass the event time to the ESA and normally does so by default. In 10.5.x versions the default setting to do this was inadvertently disabled.
Resolution	To resolve this issue you will need to go to the explore view of the ESA and change the setting by following the steps below. In the Security Analytics UI, navigate to Administration -> Services. Find the ESA service, click on the gear icon to its right, and select View -> Explore. In the directory structure that presents itself on the left, click the + next to CEP and then click the + next to Engine. Click on the cepEngine listing and the window on the right of the screen will populate with information. Search for the string UsingEventTime, which will be set to false, and change the setting to true. Once this setting is changed you will need to restart the ESA service with the steps below. In the Security Analytics UI, navigate to Administration -> Services. Find the ESA service, click on the gear icon to its right, and select Restart. If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

Outcomes

0 Comments

Recommended Content