000029298 - ESA email notifications are not being sent for alerts from RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000029298
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA), Security Analytics UI
Platform: CentOS
Issue: When ESA alerts are triggered in Security Analytics, email notifications are not being sent.
The /opt/rsa/esa/logs/esa.log file reports errors similar to the example below when alerts are triggered.
2014-12-22 16:59:27,085 [alert-SMTP-dispatch] WARN  com.rsa.netwitness.core.alert.dispatch.AbstractDispatcher - An alert of type SMTP could not be sent. java.lang.RuntimeException: javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 25;
  nested exception is:
    java.net.ConnectException: Connection timed out
    at com.rsa.netwitness.core.alert.dispatch.SmtpDispatcher.dispatch(SmtpDispatcher.java:50)

Running the command tcpdump -vv -nn host mail.example.com and port 25 -w esatraffic.pcap on the ESA appliance (where mail.example.com is the FQDN of the mail server) while an alert is triggered, and then opening esatraffic.pcap in Wireshark, shows traffic similar to the following:
(Image: Traffic capture from ESA appliance)
Cause: The issue occurs because traffic from the ESA appliance cannot reach the mail server. As the network trace shows, the TCP connection attempt times out: the appliance's SYN to port 25 is never answered, so the JVM raises java.net.ConnectException: Connection timed out and the SMTP dispatcher drops the alert. This typically happens when the ESA appliance and the mail server reside on separate subnets and the traffic is not routed correctly, or is silently dropped by a firewall or proxy in the path.
Resolution: Ensure that traffic from the subnet on which the ESA appliance resides is routed correctly to the mail server, and that no firewall or proxy between the two hosts drops TCP port 25. To confirm the fix, open a TCP connection from the ESA appliance to the mail server on port 25 (for example, telnet mail.example.com 25 or nc -zv mail.example.com 25); a successful connection returns the mail server's SMTP banner instead of timing out. Then trigger a test alert and verify that the email notification is delivered and that no further SMTP warnings appear in /opt/rsa/esa/logs/esa.log.
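The following script, added here as an illustration and not part of RSA's product or this article, shows how to triage the failure described above: it parses esa.log records in the format quoted in the Issue section, extracts the SMTP host and port plus the nested java.net exception, maps that exception to the likely network cause, and can reproduce the appliance's connection attempt so you can tell a timeout (routing or a dropping firewall) from a refusal (host reachable, no listener or a rejecting firewall). The log excerpt in SAMPLE_LOG is constructed to match the article's format; the host names relay.example.com and port 587 are placeholders, not values from the article.

```python
"""Triage ESA SMTP dispatch failures from esa.log and probe the mail server.

Added example, not RSA code.  SAMPLE_LOG is constructed to match the record
format quoted in the article; host names and ports are placeholders.
"""
import re
import socket
from dataclasses import dataclass

# Constructed sample of /opt/rsa/esa/logs/esa.log (not a real capture).
SAMPLE_LOG = """\
2014-12-22 16:59:20,001 [alert-SMTP-dispatch] INFO  com.rsa.netwitness.core.alert.dispatch.SmtpDispatcher - Dispatching alert via SMTP
2014-12-22 16:59:27,085 [alert-SMTP-dispatch] WARN  com.rsa.netwitness.core.alert.dispatch.AbstractDispatcher - An alert of type SMTP could not be sent. java.lang.RuntimeException: javax.mail.MessagingException: Could not connect to SMTP host: mail.example.com, port: 25;
  nested exception is:
    java.net.ConnectException: Connection timed out
    at com.rsa.netwitness.core.alert.dispatch.SmtpDispatcher.dispatch(SmtpDispatcher.java:50)
2014-12-22 17:05:11,310 [alert-SMTP-dispatch] WARN  com.rsa.netwitness.core.alert.dispatch.AbstractDispatcher - An alert of type SMTP could not be sent. java.lang.RuntimeException: javax.mail.MessagingException: Could not connect to SMTP host: relay.example.com, port: 587;
  nested exception is:
    java.net.ConnectException: Connection refused
    at com.rsa.netwitness.core.alert.dispatch.SmtpDispatcher.dispatch(SmtpDispatcher.java:50)
"""

# A record starts with a log4j-style timestamp; following lines are a stack trace.
RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \[")
SMTP_RE = re.compile(r"Could not connect to SMTP host: (?P<host>[^,\s]+), port: (?P<port>\d+)")
NESTED_RE = re.compile(r"java\.net\.(?P<exc>\w+Exception): (?P<detail>[^\n;]+)")


@dataclass
class SmtpFailure:
    timestamp: str
    host: str
    port: int
    exception: str
    detail: str


def split_records(text):
    """Group log lines into records: a timestamped line plus its continuation lines."""
    records = []
    for line in text.splitlines():
        if RECORD_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def parse_smtp_failures(text):
    """Return one SmtpFailure per record in which the SMTP dispatcher could not connect."""
    failures = []
    for rec in split_records(text):
        m = SMTP_RE.search(rec)
        if not m:
            continue
        n = NESTED_RE.search(rec)
        failures.append(SmtpFailure(
            timestamp=rec[:23],  # "YYYY-MM-DD HH:MM:SS,mmm"
            host=m.group("host"),
            port=int(m.group("port")),
            exception=n.group("exc") if n else "unknown",
            detail=n.group("detail").strip() if n else "",
        ))
    return failures


def diagnose(failure):
    """Map the nested JVM exception to the likely network-layer cause."""
    if failure.exception == "ConnectException" and "timed out" in failure.detail:
        return ("timeout: SYN to port %d never answered; check routing from the ESA "
                "subnet and any firewall/proxy dropping the traffic" % failure.port)
    if failure.exception == "ConnectException" and "refused" in failure.detail:
        return ("refused: host reachable but nothing listening on port %d, or a "
                "firewall answering with RST" % failure.port)
    if failure.exception == "UnknownHostException":
        return "dns: the ESA appliance cannot resolve the mail server name"
    return "other: " + failure.exception


def probe(host, port, timeout=5.0):
    """Reproduce the appliance's connection attempt; run this on the ESA host.

    Returns 'connected', 'timed out', 'refused', 'unresolved' or 'error: ...'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.gaierror:
        return "unresolved"
    except socket.timeout:
        return "timed out"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "error: %s" % e


if __name__ == "__main__":
    for f in parse_smtp_failures(SAMPLE_LOG):
        print(f.timestamp, "%s:%d" % (f.host, f.port), diagnose(f))
        # On the appliance itself, follow up with: print(probe(f.host, f.port))
```

Run it on the appliance against the real log (replace SAMPLE_LOG with the contents of /opt/rsa/esa/logs/esa.log) and then call probe() on each reported host and port: a 'timed out' result reproduces the article's symptom and points at routing or a dropping firewall, whereas 'refused' means the packets do reach the far end, which is a different problem from the one this article describes.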