000029906 - Event Stream Analysis (ESA Rules) disappear from the SA GUI after upgrading from to 10.4.1

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number
000029906

Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition:, 10.4.1
Platform: CentOS
O/S Version: 6

Issue
ESA Rules disappear from the SA "all rules" and the "synchronizations" after upgrading to 10.4.1 from

The root cause of the issue is that the SA 10.4.1 upgrade process changes the tokumx configuration file to reference a new, empty database rather than the previous database which contains existing rules. 

Resolution

Diagnose the Problem

Edit the tokumx.conf file to point to the previous SA database to display rules/synchronizations in the SA WebUI.
  1. Log on to the SA Server as root.
  2. Change to the /etc folder:  cd /etc
  3. List the tokumx files in the /etc folder:  ll toku*
     -rw-r--r--. 1 root root 5746 Mar 26 12:51 tokumx.conf
     -rw-r--r--. 1 root root 5710 Sep 24  2014 tokumx.conf.orig
     -rw-r--r--. 1 root root 5743 Mar 23 14:01 tokumx.old
     [root@SA-Server-01 etc]#
  4. Note the date stamp on the tokumx.old configuration file. This indicates the file was upgraded on March 23.
  5. Review the tokumx.old file to note the dbpath:   less tokumx.old | grep 'dbpath ='
     dbpath = /opt/rsa/database/tokumx
  6. Review the tokumx.conf file to note the new dbpath:  less tokumx.conf | grep 'dbpath ='
     dbpath = /var/netwitness/database/tokumx
  7. Note that the two database paths are different and therefore point to different database files. This is the root cause of the problem.
Note: The database paths in some environments might have different names than this example.

Confirm which directory contains the desired database by looking at the objects in each folder.
  1. List the contents of the first directory to check for files:  ll /opt/rsa/database/tokumx
  2. List the contents of the second directory to check for files:  ll /var/netwitness/database/tokumx
The directory with the original, pre-upgrade rules should include file names such as:
sa_rule_id, sa_ruleTemplate_id, sa_synchronization_id, etc.
The other directory should be largely empty and will not contain these files.
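
The comparison above can be scripted as a read-only check. This is an added example, not part of the original RSA article: it reads the active dbpath from two configuration files and reports which directory holds the rule files. The function names and the match on file names starting with sa_rule are assumptions based on the file names listed above.

```shell
#!/bin/sh
# Added example: read-only check for the dbpath mismatch described above.

# Print the active (uncommented) dbpath value from a tokumx config file.
get_dbpath() {
    sed -n 's/^[[:space:]]*dbpath[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed if the directory holds files whose names start with sa_rule
# (assumed marker for the pre-upgrade rules database).
has_rules() {
    [ -d "$1" ] && ls "$1" 2>/dev/null | grep -q '^sa_rule'
}

# Compare the active config ($1) with the previous one ($2).
# Exit status: 0 = consistent, 1 = mismatch, 2 = cannot decide.
diagnose() {
    current=$(get_dbpath "$1")
    previous=$(get_dbpath "$2")
    if [ -z "$current" ] || [ -z "$previous" ]; then
        echo "UNKNOWN: dbpath not found in $1 or $2"; return 2
    fi
    if [ "$current" = "$previous" ]; then
        echo "OK: both files use $current"; return 0
    fi
    if has_rules "$current"; then
        echo "OK: active dbpath $current contains rule files"; return 0
    fi
    if has_rules "$previous"; then
        echo "MISMATCH: rules are in $previous, active dbpath is $current"; return 1
    fi
    echo "UNKNOWN: no sa_rule* files in $current or $previous"; return 2
}

# Check the live files only when called with the argument "run".
if [ "${1:-}" = "run" ]; then
    diagnose /etc/tokumx.conf /etc/tokumx.old
fi
```

The script changes nothing on disk; a MISMATCH result corresponds to the condition that the steps in the next section correct.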


Correct the Problem and Restore the Original Rules 

  1. Log on to the SA Server as root.
  2. Run the following commands:
     stop jettysrv
     service tokumx stop
     cp /etc/tokumx.conf /etc/tokumx.conf.<todays_date>
     vi /etc/tokumx.conf
  3. Find the dbpath entry, normally near the top of the file.
  4. Comment out the existing database path and enter the desired database path:
     #dbpath = /var/netwitness/database/tokumx
     dbpath = /opt/rsa/database/tokumx
  5. Save the file and exit the text editor.
  6. Run the following commands:
     start jettysrv
     service tokumx start
  7. Return to the SA WebUI and confirm the ESA rules are now visible.