ESA Config: Step 1. Add a Data Source to an ESA Service

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Sep 11, 2018
Version 8Show Document
  • View in full screen mode
 

This topic describes how to add a new or existing data source to the Event Stream Analysis service.

An ESA service ingests data from a Concentrator to detect incidents and alert the user. For ESA to analyze data, you need to configure the sources from which the ESA will read data. Use the procedures in this topic to add data sources for your ESA.

Prerequisites

You must have one or more Concentrators configured in NetWitness Platform.

The Event Steam Anaysis service must be installed and running on NetWitness Platform.

Procedures

Add an Existing Service as Data Source

  1. Go to ADMIN > Services.
    The Services view is displayed.
  2. In Services view, select an ESA service and select Actions icon > View > Config.
  3. On the Data Sources tab, click Add icon .
    The available services are displayed as shown in the following figure.
    Available Services dialog
  4. Select a Concentrator service and click OK.
    The Edit Service dialog is displayed.
    Edit Service dialog image
  5. Click Enable to enable (or disable) the data source (it is enabled by default when adding a new service).
  6. Enter a valid Username and Password for the service.
  7. Click to enable or disable the SSL or Compression options.
  8. Click Save to save the configuration and close the Edit Service dialog.
  9. Click Apply to complete the change on the Data Sources tab.
    The service is added to the list of services in the Data Sources tab.

Note: You can add a Log Decoder as a data source for ESA but RSA recommends you add a Concentrator to take advantage of undivided aggregation as the Decoder may have other processes aggregating from it. 

Edit Settings for a Data Source

To edit settings, including the username and password, for a configured data source:

  1. Go to ADMIN > Services.
    The Services view is displayed.
  2. In the Services view, select a Concentrator service. 
  3. Click Edit icon.
    The Edit Service dialog is displayed (see previous figure).
  4. Modify the settings as desired, including entering a new username and password. The username field will be prepopulated with the currently configured username. To change the password, enter a new password in the password field. If you leave the password field blank, the previously configured password will continue to be used.
  5. Click Save to save the changes and close the Edit Service dialog.
  6. Click Apply to complete the change on the Data Sources tab.
You are here
Table of Contents > Configure ESA Correlation Rules > Step 1. Add a Data Source to an ESA Service

Attachments

    Outcomes