ESA Config: Verify ESA Component Versions and Status

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 4, 2017.

This topic describes the audit logging of ESA rules and gives instructions for verifying the versions and status of the installed Event Stream Analysis (ESA) components. These procedures apply to ESA Correlation Rules.

Audit Log Rules

Audit logging allows you to view details about rules that are created and edited in NetWitness Suite.

For details on how to access your audit logs, see "Local Audit Log Locations" in the System Configuration Guide.

The following samples show the create, update, and delete logs for a given rule.

  • Create log example:
    2016-03-10 14:19:37,951 deviceVersion: "10.6.1.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "CREATE RULE" parameters: "Epl Module Identifier: 56e1f2adbee8290008241296, Esper Instance: default, Rule Enabled: true, Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event;" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
  • Update log example:
    2016-03-10 14:19:37,951 deviceVersion: "10.6.1.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "UPDATE RULE" parameters: "Epl Module Identifier: 56e1f2adbee8290008241296, Esper Instance: default, Rule Enabled: true , Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event;" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
  • Delete log example:
    2016-03-10 14:19:37,951 deviceVersion: "10.6.1.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "DELETE RULE" parameters: "Epl Module Identifier: 56e1f2adbee8290008241296, Esper Instance: default, Rule Enabled: true , Trial Rule: false " key: "Epl Rule: @RSAAlert select * from Event;" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"

Each log contains the following parameters:

  • Time stamp: Time the rule was modified. Example: 2016-03-10 14:19:37,951

  • DeviceVersion: Version of your ESA device. Example: "10.6.1.0-SNAPSHOT"

  • DeviceService: Example: EVENT_STREAM_ANALYSIS

  • Category: Example: SYSTEM

  • Operation: Example: DELETE/CREATE/UPDATE RULE

  • Parameters: Placeholder for the following keys:

      • Epl Module Identifier: Unique identifier for the rule. Example: 56e1f2adbee8290008241296

      • Esper Instance: Esper instance on which the rule is deployed. Example: default

      • Rule Enabled: Displays whether the rule is enabled. Example: Rule Enabled: true

      • Trial Rule: Displays whether the rule is configured as a trial rule. Example: Trial Rule: false

  • Epl Rule (carried in the key field): Displays the rule syntax. Example: @RSAAlert select * from Event;

  • Identity: Example: "admin"

  • userRole: Example: "ROLE_ESA_ADMINISTRATOR"

    Note: When a rule is disabled, two logs are generated for the same rule. First a 'Delete Rule' [Rule Enabled attribute = true] audit log is created, followed by a 'Create Rule' [Rule Enabled attribute = false] audit log.

Verify ESA Server Version

To verify the ESA Server version:

  1. Use ssh to connect to the ESA service and log in as the root user.
  2. Type the following command and press ENTER:
    rpm -qa | grep rsa-nw-esa-server
    The ESA server version is displayed.

Verify MongoDB Version

To verify the MongoDB version:

  1. Use ssh to connect to the ESA service and log in as the root user.
  2. Type the following command and press ENTER:
    mongo --version
    The MongoDB version is displayed.

Verify MongoDB Status

To verify the MongoDB status:

  1. Use ssh to connect to the ESA service and log in as the root user.
  2. Type the following command and press ENTER:
    systemctl status mongod
  3. Run the following command if MongoDB is not running.
    systemctl start mongod
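The three procedures above are the same on every ESA host, so they are usually scripted when several hosts must be checked against an expected build. The following Python script is an added example (not from the RSA documentation or the NetWitness product): it runs the documented commands, splits the rpm name into name, version, release and architecture, extracts the MongoDB version, and reads the Active line of the systemctl output. The command runner is injectable so the parsing is exercised here on constructed output; the package version 11.0.0.0-1234.el7 and the MongoDB version 3.4.9 in SAMPLE_OUTPUT are placeholders, not captured from a real host.

```python
import re
import subprocess

# The commands from the procedures above; run as root on the ESA service host.
COMMANDS = {
    "esa_server": "rpm -qa | grep rsa-nw-esa-server",
    "mongo": "mongo --version",
    "mongod_status": "systemctl status mongod",
}

# Constructed sample output (not captured from a real ESA host) so the checks
# can be exercised offline; versions and release numbers are placeholders.
SAMPLE_OUTPUT = {
    COMMANDS["esa_server"]: "rsa-nw-esa-server-11.0.0.0-1234.el7.x86_64\n",
    COMMANDS["mongo"]: "MongoDB shell version v3.4.9\n",
    COMMANDS["mongod_status"]: (
        "mongod.service - MongoDB Database Server\n"
        "   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled)\n"
        "   Active: active (running) since Wed 2017-10-04 09:12:01 UTC; 3h ago\n"
    ),
}


def run_command(cmd):
    """Run one documented command on this host and return its combined output."""
    result = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, universal_newlines=True)
    return result.stdout


def sample_run(cmd):
    """Stand-in for run_command that replays the constructed SAMPLE_OUTPUT."""
    return SAMPLE_OUTPUT[cmd]


def parse_rpm_nvra(pkg):
    """Split NAME-VERSION-RELEASE.ARCH as printed by rpm -qa into its four parts.
    The name itself contains hyphens (rsa-nw-esa-server), so split from the right."""
    body, _, arch = pkg.rpartition(".")
    name_ver, _, release = body.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release, arch


def parse_mongo_version(output):
    """Return the first dotted version number in `mongo --version` output."""
    m = re.search(r"(\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def mongod_active(status_output):
    """True when the systemctl status output reports the unit as active (running)."""
    for line in status_output.splitlines():
        line = line.strip()
        if line.startswith("Active:"):
            return "active (running)" in line
    return False


def check_esa_components(expected_esa_version, run=run_command):
    """Collect ESA server version, MongoDB version and mongod state into one report."""
    report = {"esa_server_version": None, "esa_server_release": None}
    pkgs = [l.strip() for l in run(COMMANDS["esa_server"]).splitlines() if l.strip()]
    if pkgs:
        _, version, release, _ = parse_rpm_nvra(pkgs[0])
        report["esa_server_version"] = version
        report["esa_server_release"] = release
    report["esa_version_ok"] = report["esa_server_version"] == expected_esa_version
    report["mongo_version"] = parse_mongo_version(run(COMMANDS["mongo"]))
    report["mongod_running"] = mongod_active(run(COMMANDS["mongod_status"]))
    return report


if __name__ == "__main__":
    # Replace sample_run with run_command to check the host this is executed on.
    for k, v in check_esa_components("11.0.0.0", run=sample_run).items():
        print("%-20s %s" % (k, v))
```

A false value for mongod_running corresponds to step 3 of the MongoDB status procedure, where systemctl start mongod is the documented remedy; the script only reports the state and leaves the start to the operator.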