000031473 - ESA alerts are not making it into the SA IM middleware for RSA SecOps

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000031473

Applies To:
RSA Product Set: Security Management, Security Analytics
RSA Product/Service Type: SecOps, Event Stream Analysis (ESA), Incident Management (SA IM)
RSA Version/Condition: SecOps 1.2; Security Analytics 10.4.x, 10.5.x

Issue: Alerts in ESA are firing but nothing is making it to the Incident Management component and nothing is being output to SecOps.

Cause: This issue occurs because the "Forward Alerts on Message Bus" option is not selected on the ESA appliance.

Resolution: To resolve the issue, perform the steps below.
  1. Log in to the Security Analytics UI as an administrative user.
  2. Navigate to Administration -> Services.
  3. Click on the red Actions button for the ESA service and select View -> Config.
  4. Click on the Advanced tab.
  5. Check the box for the Forward Alerts On Message Bus option and then click the Apply button.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.