000032358 - Event Stream Analysis troubleshooting script (ESATool) for the RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 30, 2016. Last modified by RSA Customer Support on Jul 12, 2018.
Version 7

Article Content

Article Number: 000032358
Applies To: RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Event Stream Analysis (ESA), Respond Server
RSA Version/Condition: 10.3, 10.4, 10.5, 10.6, 11.0, 11.1
Platform: CentOS
O/S Version: EL6, EL7
Tasks: The ESATool is a script designed to ease troubleshooting of issues on an ESA appliance.
Resolution
FOR VERSIONS 10.6 AND NEWER
If you previously installed the RPM attached to this article (the 10.5-and-older package), remove it before using the standalone script, so that the packaged /usr/sbin/esatool does not shadow or get overwritten by the new copy. The following command removes it:

rpm -e esatool-v.2.1-2.noarch

Next, SCP the attached script (the file named esatool) to your ESA appliance. Then make it executable and copy it into /usr/sbin. Assuming the script was copied to /root/, the commands are:


[root@esa ~]# chmod +x /root/esatool
[root@esa ~]# cp /root/esatool /usr/sbin/esatool

Once this is complete, you can simply type in "esatool" to use the tool from this point on.


[root@esa ~]# esatool
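The install steps above, collected into one re-runnable shell function. This is an added example, not the esatool script itself or RSA's own code; it assumes the downloaded script sits at /root/esatool, the destination is /usr/sbin, and the legacy package name is esatool-v.2.1-2.noarch as stated above. The optional SHA-256 check is an extra precaution the article does not describe: the article gives no digest, so either supply one you recorded from a trusted copy or omit that argument.

```shell
#!/bin/sh
# Added example (not part of the RSA article): performs the 10.6+ install
# steps as idempotent functions. Assumptions: the script was copied to SRC
# (the article uses /root/esatool), the target directory is /usr/sbin, and
# the legacy package name is esatool-v.2.1-2.noarch as the article states.
# The SHA-256 check is an extra precaution not described by the article and
# runs only when an expected digest is passed.

OLD_PKG="esatool-v.2.1-2.noarch"

# Remove the legacy RPM if it is still installed. Skipped silently when rpm
# is unavailable or the package is absent, so re-running is safe.
remove_old_rpm() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$OLD_PKG" >/dev/null 2>&1; then
        rpm -e "$OLD_PKG"
    fi
}

# sha256_of FILE: print the hex digest (GNU coreutils, with a BSD fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_hash FILE EXPECTED: return 0 only if FILE's SHA-256 matches EXPECTED.
verify_hash() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_esatool SRC [DEST_DIR] [EXPECTED_SHA256]
# Copies SRC to DEST_DIR/esatool with mode 0755 in one install(1) step, so
# there is no window in which the copy exists but is not yet executable.
# Fails if SRC is missing or the optional digest does not match.
install_esatool() {
    src=$1
    dest_dir=${2:-/usr/sbin}
    expected=$3
    if [ ! -f "$src" ]; then
        echo "esatool script not found at $src" >&2
        return 1
    fi
    if [ -n "$expected" ] && ! verify_hash "$src" "$expected"; then
        echo "SHA-256 mismatch for $src; refusing to install" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    install -m 0755 "$src" "$dest_dir/esatool" || return 1
    # post-check: the installed copy is executable and byte-identical to SRC
    [ -x "$dest_dir/esatool" ] &&
        [ "$(sha256_of "$src")" = "$(sha256_of "$dest_dir/esatool")" ]
}

# on_path [DEST_DIR]: confirm that a bare "esatool" resolves to our copy and
# not to some other file earlier on PATH.
on_path() {
    [ "$(command -v esatool)" = "${1:-/usr/sbin}/esatool" ]
}

# Typical run on the appliance as root, matching the article's steps:
#   remove_old_rpm && install_esatool /root/esatool /usr/sbin && on_path && esatool -p
```

Run it as root on the ESA appliance; the final `on_path` check catches the case where an older esatool earlier on PATH would still be the one you invoke.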

To use this tool you MUST know the password for the ESA's Mongo database. On NetWitness 11.x this is the deployment password you chose during installation; if you do not supply one, the script falls back to a default of "netwitness". On 10.6 the script falls back to the default password "esa". If the Mongo password has been changed from that default, as it should be on a production appliance, the fallback will fail; run esatool with the -p option so that it prompts for the password and all other required fields instead of using the built-in value:

[root@esa ~]# esatool -p


FOR VERSIONS 10.5 AND OLDER
The tool and a guide on how to use it can be downloaded from the attachments in this article.

To install the tool, download the attached RPM file, copy it to the ESA appliance, and issue the command below.

rpm -i esatool-v.2.1-2.noarch.rpm

For full instructions on using the tool, refer to the ESATool User Guide attached to this article.

Example (This is for upgrading or installing esatool):

[root@rsaesa-001--0 rpms]# rpm -Uvh esatool-v.2.1-2.noarch.rpm
Preparing...                ########################################### [100%]
   1:esatool                ########################################### [100%]
esatool installed, please check: man esatool

Usage:


[root@rsaesa-001--0 ~]# esatool

Notes
Changelog 2.1
  • 10.6.x supported
  • Fixed some code issues
  • The count can be skipped when deleting alerts between dates (useful when the TokuMX database is very large)

Changelog 2.1.1
  • The precheck section now enforces that UsingEventTime (ESA > Explore > CEP > Engine > cepEngine) is set to true

Changelog 2.1.2
  • Fixed a code issue in esaclient
  • Added an option to skip the precheck
  • The menu now displays the current ESA version
  • Added a NextGen section to the precheck

Changelog 3.0.0
  • Updated for use with 10.6, 11.0 and 11.1
  • Many features removed because platform changes prevent them from working
  • Reworded the instructions in the print statements to make clearer what you need to do
