This topic describes how to add a new or existing data source to the Event Stream Analysis (ESA) service.
An ESA service ingests data from a Concentrator to detect incidents and alert the user. For ESA to analyze data, you need to configure the sources from which the ESA will read data. Use the procedures in this topic to add data sources for your ESA.
You must have one or more Concentrators configured in Security Analytics.
You must perform the following steps to add a data source:
- Add an Available Data Source
- Specify username and password for the Data Source
Add Existing Services as Data Source
- In the Security Analytics menu, select Administration > Services.
The Services view is displayed.
- In the Services view, select an ESA service.
- In the Actions column, select View > Config.
- In the Data Sources tab, click .
The available services are displayed as shown in the following figure.
- Select one or more services and click OK.
The service is added to the list of services in the Data Sources tab.
- (Optional) Click Enable to enable the data source.
- Click Apply to save the configuration.
Specify Username and Password for the Data Source
Note: You can add a Log Decoder as a data source for ESA, but RSA recommends that you add a Concentrator to take advantage of undivided aggregation, because the Decoder may have other processes aggregating from it.
To specify the username and password for the data source: