ESA Config: Verify ESA Component Versions and Status

Document created by RSA Information Design and Development on Jun 25, 2017
Version 1

This topic provides details about audit logging and instructions to verify the versions of the Event Stream Analysis components installed.

Audit Log Rules

Audit logging allows you to view details about rules that are created and edited in Security Analytics.

For details on how to access your audit logs, see Local Audit Log Locations in the System Configuration Guide.

The following sample shows a create, update, and delete log for a given rule.

  • Create log example: 2016-03-10 14:19:37,951 deviceVersion: "10.6.1.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "CREATE RULE" parameters: "Epl Module Identifier: 56e1f2adbee8290008241296, Esper Instance: default, Rule Enabled: true, Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event;" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
  • Update log example: 2016-03-10 14:19:37,951 deviceVersion: "10.6.1.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "UPDATE RULE" parameters: "Epl Module Identifier: 56e1f2adbee8290008241296, Esper Instance: default, Rule Enabled: true , Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event;" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
  • Delete log example: 2016-03-10 14:19:37,951 deviceVersion: "10.6.1.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "DELETE RULE" parameters: "Epl Module Identifier: 56e1f2adbee8290008241296, Esper Instance: default, Rule Enabled: true , Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event;" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR "

Each log contains the following parameters:

  • Time stamp: Time the rule was modified. Example: 2016-03-10 14:19:37,951

  • DeviceVersion: Version of your ESA device. Example: "10.6.1.0-SNAPSHOT"

  • DeviceService: Example: EVENT_STREAM_ANALYSIS

  • Category: Example: SYSTEM

  • Operation: Example: CREATE RULE, UPDATE RULE, or DELETE RULE

  • Parameters: Placeholder for the following keys:

      • Epl Module Identifier: Unique identifier for the rule. Example: 56e1f2adbee8290008241296

      • Esper Instance: Esper instance on which the rule is deployed. Example: default

      • Rule Enabled: Displays whether the rule is enabled. Example: Rule Enabled: true

      • Trial Rule: Displays whether the rule is configured as a trial rule. Example: Trial Rule: false

  • Epl Rule: Displays the rule syntax. Example:

    @RSAAlert select * from Event;

  • Identity: Example: "admin"

  • userRole: Example: "ROLE_ESA_ADMINISTRATOR"

    Note: When a rule is disabled, two logs are generated for the same rule. First a 'Delete Rule' [Rule Enabled attribute = true] audit log is created, followed by a 'Create Rule' [Rule Enabled attribute = false] audit log.
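As an added example (not part of the RSA documentation), the following Python parses audit lines of the format shown above into their fields and flags the delete-then-create pair that the note describes as a rule disable, which is a useful thing to surface when reviewing who is turning detection rules off. The sample lines are constructed with made-up timestamps, identifiers and user names, and the pairing assumes the Epl Module Identifier is the same in both records of the pair, which the note does not state.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Field order follows the ESA audit lines above; 'category' is the only unquoted
# value. Non-greedy .*? on parameters and key tolerates double quotes inside an
# EPL statement; \s* before 'category' tolerates the missing space in the DELETE sample.
AUDIT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+'
    r'deviceVersion:\s*"(?P<device_version>[^"]*)"\s*'
    r'deviceService:\s*"(?P<device_service>[^"]*)"\s*'
    r'category:\s*(?P<category>\S+)\s+'
    r'operation:\s*"(?P<operation>[^"]*)"\s+'
    r'parameters:\s*"(?P<parameters>.*?)"\s+'
    r'key:\s*"(?P<key>.*?)"\s+'
    r'identity:\s*"(?P<identity>[^"]*)"\s+'
    r'userRole:\s*"(?P<user_role>[^"]*)"\s*$'
)


@dataclass
class AuditRecord:
    timestamp: str
    device_version: str
    operation: str       # CREATE RULE / UPDATE RULE / DELETE RULE
    module_id: str       # Epl Module Identifier
    esper_instance: str
    rule_enabled: bool
    trial_rule: bool
    epl: str             # rule statement without the "Epl Rule:" prefix
    identity: str
    user_role: str


def _split_parameters(raw: str) -> dict:
    """'Epl Module Identifier: 56e1..., Esper Instance: default, ...' -> dict."""
    out = {}
    for part in raw.split(","):
        if ":" in part:
            name, value = part.split(":", 1)
            out[name.strip()] = value.strip()
    return out


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Parse one line; return None for lines that are not ESA rule audit entries."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    params = _split_parameters(m.group("parameters"))
    key = m.group("key").strip()
    epl = key[len("Epl Rule:"):].strip() if key.startswith("Epl Rule:") else key
    return AuditRecord(
        timestamp=m.group("ts"),
        device_version=m.group("device_version"),
        operation=m.group("operation").strip(),
        module_id=params.get("Epl Module Identifier", ""),
        esper_instance=params.get("Esper Instance", ""),
        rule_enabled=params.get("Rule Enabled", "").lower() == "true",
        trial_rule=params.get("Trial Rule", "").lower() == "true",
        epl=epl,
        identity=m.group("identity").strip(),
        user_role=m.group("user_role").strip(),
    )


def parse_audit_lines(lines: Iterable[str]) -> List[AuditRecord]:
    """Parse many lines, skipping any that do not match the audit format."""
    return [r for r in (parse_audit_line(l) for l in lines) if r is not None]


def find_rule_disables(records: List[AuditRecord]) -> List[Tuple[str, str, str]]:
    """Flag a DELETE RULE (enabled=true) immediately followed by a CREATE RULE
    (enabled=false) for the same module id, the pattern the note describes for a
    rule being disabled (assumption: the module id is kept across the pair).
    Returns (module_id, timestamp of the CREATE entry, identity)."""
    found = []
    for prev, cur in zip(records, records[1:]):
        if (prev.operation == "DELETE RULE" and prev.rule_enabled
                and cur.operation == "CREATE RULE" and not cur.rule_enabled
                and prev.module_id == cur.module_id):
            found.append((cur.module_id, cur.timestamp, cur.identity))
    return found


# Constructed sample lines (made-up timestamps, module id and user names).
RULE_A_ID = "000000000000000000000001"
_TAIL = 'identity: "{who}" userRole: "ROLE_ESA_ADMINISTRATOR"'
SAMPLE_LINES = [
    f'2017-01-05 09:12:01,004 deviceVersion: "10.6.1.0" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM '
    f'operation: "CREATE RULE" parameters: "Epl Module Identifier: {RULE_A_ID}, Esper Instance: default, '
    f'Rule Enabled: true, Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event;" ' + _TAIL.format(who="admin"),
    # edited rule whose EPL carries a quoted literal; note the stray space before the comma, as in the UPDATE sample
    f'2017-01-05 09:14:10,221 deviceVersion: "10.6.1.0" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM '
    f'operation: "UPDATE RULE" parameters: "Epl Module Identifier: {RULE_A_ID}, Esper Instance: default, '
    f'Rule Enabled: true , Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event where user_dst = "root";" ' + _TAIL.format(who="admin"),
    # disable: DELETE (enabled=true) then CREATE (enabled=false); no space before category, as in the DELETE sample
    f'2017-01-05 09:15:30,117 deviceVersion: "10.6.1.0" deviceService: "EVENT_STREAM_ANALYSIS"category: SYSTEM '
    f'operation: "DELETE RULE" parameters: "Epl Module Identifier: {RULE_A_ID}, Esper Instance: default, '
    f'Rule Enabled: true , Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event where user_dst = "root";" ' + _TAIL.format(who="analyst1"),
    f'2017-01-05 09:15:30,118 deviceVersion: "10.6.1.0" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM '
    f'operation: "CREATE RULE" parameters: "Epl Module Identifier: {RULE_A_ID}, Esper Instance: default, '
    f'Rule Enabled: false, Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event where user_dst = "root";" ' + _TAIL.format(who="analyst1"),
]

if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LINES)
    for r in recs:
        print(f"{r.timestamp} {r.operation:<11} {r.module_id} enabled={r.rule_enabled} by={r.identity}")
    for module_id, ts, who in find_rule_disables(recs):
        print(f"rule {module_id} disabled at {ts} by {who}")
```

Run it against a copy of the ESA audit log (see Local Audit Log Locations in the System Configuration Guide for the path) by feeding the file's lines to parse_audit_lines; non-rule lines are dropped, and find_rule_disables gives you the who and when of each disable without reading the pairs by hand.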


Verify ESA Server Version

To verify the ESA Server version:

  1. Use ssh to connect to the ESA service and log in as the root user.
  2. Type the following command and press ENTER:
    rpm -qa | grep rsa-esa-server
    The ESA server version is displayed.

Verify MongoDB Version

To verify the MongoDB version:

  1. Use ssh to connect to the ESA service and log in as the root user.
  2. Type the following command and press ENTER:
    mongo --version
    The MongoDB version is displayed.

Verify MongoDB Status

To verify the MongoDB status:

  1. Use ssh to connect to the ESA service and log in as the root user.
  2. Type the following command and press ENTER:
    service tokumx status
  3. If MongoDB is not running, type the following command and press ENTER to start it:
    service tokumx start