ESA Config: Verify ESA Component Versions and Status

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 8

This topic provides details about audit logging and instructions to verify the versions of the ESA components installed. These procedures apply to ESA Correlation Rules.

Audit Log Rules

Audit logging allows you to view details about rules that are created and edited in NetWitness Platform.

For details on how to access your audit logs, see "Local Audit Log Locations" in the System Configuration Guide.

The following sample shows a create, update, and delete log for a given rule.

  • Create log example: 2018-08-15 19:48:47,972 deviceVersion: "11.2.0.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "CREATE RULE" parameters: "Epl Module Identifier: esa000155, Esper Instance: default, Epl Rule Enabled: false, Trial Rule: true" key: "Epl Rule: /*\nVersion: 2\n*/\n\nmodule Module_esa000155;\n\n\n@Name(\'Module_esa000155_Alert\')\n@RSAAlert(oneInSeconds=0, identifiers={\"alias_host\"})\n\nSELECT * FROM Event(\n\t/* Statement: User permission change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'CreateUser\'))\n\tOR\n\t/* Statement: Instance state change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'TerminateInstances\' , \'RunInstances\'))\n\t).win:time(310 seconds)\n\tMATCH_RECOGNIZE (\n\tPARTITION BY alias_host\n\tMEASURES E1 as e1_data , E2 as e2_data\n\tPATTERN (E1+ E2)\n\tDEFINE\n\tE1 as E1.medium = 32 AND E1.device_type = \'awscloudtrail\' AND E1.event_desc IN (\'CreateUser\'),\n\tE2 as E2.medium = 32 AND E2.device_type = \'awscloudtrail\' AND E2.event_desc IN (\'TerminateInstances\' , \'RunInstances\')\n);\n\n" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
  • Update log example: 2018-08-15 19:48:47,941 deviceVersion: "11.2.0.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "UPDATE RULE" parameters: "Epl Module Identifier: esa000155, Esper Instance: default, Epl Rule Enabled: true, Trial Rule: true" key: "Epl Rule: /*\nVersion: 2\n*/\n\nmodule Module_esa000155;\n\n\n@Name(\'Module_esa000155_Alert\')\n@RSAAlert(oneInSeconds=0, identifiers={\"alias_host\"})\n\nSELECT * FROM Event(\n\t/* Statement: User permission change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'CreateUser\'))\n\tOR\n\t/* Statement: Instance state change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'TerminateInstances\' , \'RunInstances\'))\n\t).win:time(310 seconds)\n\tMATCH_RECOGNIZE (\n\tPARTITION BY alias_host\n\tMEASURES E1 as e1_data , E2 as e2_data\n\tPATTERN (E1+ E2)\n\tDEFINE\n\tE1 as E1.medium = 32 AND E1.device_type = \'awscloudtrail\' AND E1.event_desc IN (\'CreateUser\'),\n\tE2 as E2.medium = 32 AND E2.device_type = \'awscloudtrail\' AND E2.event_desc IN (\'TerminateInstances\' , \'RunInstances\')\n);\n\n" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
  • Delete log example: 2018-08-15 19:48:47,972 deviceVersion: "11.2.0.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "DELETE RULE" parameters: "Epl Module Identifier: esa000155, Esper Instance: default, Epl Rule Enabled: true, Trial Rule: true" key: "Epl Rule: /*\nVersion: 2\n*/\n\nmodule Module_esa000155;\n\n\n@Name(\'Module_esa000155_Alert\')\n@RSAAlert(oneInSeconds=0, identifiers={\"alias_host\"})\n\nSELECT * FROM Event(\n\t/* Statement: User permission change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'CreateUser\'))\n\tOR\n\t/* Statement: Instance state change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'TerminateInstances\' , \'RunInstances\'))\n\t).win:time(310 seconds)\n\tMATCH_RECOGNIZE (\n\tPARTITION BY alias_host\n\tMEASURES E1 as e1_data , E2 as e2_data\n\tPATTERN (E1+ E2)\n\tDEFINE\n\tE1 as E1.medium = 32 AND E1.device_type = \'awscloudtrail\' AND E1.event_desc IN (\'CreateUser\'),\n\tE2 as E2.medium = 32 AND E2.device_type = \'awscloudtrail\' AND E2.event_desc IN (\'TerminateInstances\' , \'RunInstances\')\n);\n\n" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"

Each log contains the following parameters:

  • Time stamp: Time the rule was modified. Example: 2018-08-15 19:48:47,972

  • DeviceVersion: Version of your ESA service. Example: "11.2.0.0-SNAPSHOT"

  • DeviceService: Example: EVENT_STREAM_ANALYSIS

  • Category: Example: SYSTEM

  • Operation: Examples: CREATE RULE, UPDATE RULE, DELETE RULE

  • Parameters: Placeholder for the following keys:

    • Epl Module Identifier: unique identifier for the rule. Example: esa000155

    • Esper Instance: Esper instance on which rule is deployed. Example: default

    • Epl Rule Enabled: Displays if the rule is enabled or not. Example: EPL Rule Enabled: false

    • Trial Rule: Displays if the rule is configured as a trial rule or not. Example: Trial Rule: true

    • Epl Rule: Displays the rule syntax. Example:

      "Epl Rule: /*\nVersion: 2\n*/\n\nmodule Module_esa000155;\n\n\n@Name(\'Module_esa000155_Alert\')\n@RSAAlert(oneInSeconds=0, identifiers={\"alias_host\"})\n\nSELECT * FROM Event(\n\t/* Statement: User permission change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'CreateUser\'))\n\tOR\n\t/* Statement: Instance state change */\n\t(medium = 32 AND device_type = \'awscloudtrail\' AND event_desc IN (\'TerminateInstances\' , \'RunInstances\'))\n\t).win:time(310 seconds)\n\tMATCH_RECOGNIZE (\n\tPARTITION BY alias_host\n\tMEASURES E1 as e1_data , E2 as e2_data\n\tPATTERN (E1+ E2)\n\tDEFINE\n\tE1 as E1.medium = 32 AND E1.device_type = \'awscloudtrail\' AND E1.event_desc IN (\'CreateUser\'),\n\tE2 as E2.medium = 32 AND E2.device_type = \'awscloudtrail\' AND E2.event_desc IN (\'TerminateInstances\' , \'RunInstances\')\n);\n\n"

    • Identity: Example: "admin"

    • userRole: Example: "ROLE_ESA_ADMINISTRATOR"

Note: When a rule is disabled, two logs are generated for the same rule. First a ‘Delete Rule’ [Rule enabled attribute = true] audit log is created, followed by a ‘Create Rule’ [Rule enabled attribute = false] audit log.
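The audit lines above follow a regular "name: value" layout, so they can be parsed for monitoring. The following Python is an added example, not RSA's code: it tokenises each field (the quoted EPL in key keeps its literal \n and \" escapes), expands the parameters string, and applies the two-entry pattern from the Note to flag when a rule was disabled and by whom. The three sample lines are constructed for the example with the EPL shortened.

```python
import re

# Three ESA audit entries constructed for this example in the format shown
# above (the EPL inside "key" is shortened; escapes are literal, as in the log).
SAMPLE_AUDIT_LOG = r'''2018-08-15 19:48:47,941 deviceVersion: "11.2.0.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "UPDATE RULE" parameters: "Epl Module Identifier: esa000155, Esper Instance: default, Epl Rule Enabled: true, Trial Rule: true" key: "Epl Rule: /*\nVersion: 2\n*/\n\nmodule Module_esa000155;\n@RSAAlert(oneInSeconds=0, identifiers={\"alias_host\"})\n" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
2018-08-15 19:48:47,972 deviceVersion: "11.2.0.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "DELETE RULE" parameters: "Epl Module Identifier: esa000155, Esper Instance: default, Epl Rule Enabled: true, Trial Rule: true" key: "Epl Rule: module Module_esa000155;\n" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"
2018-08-15 19:48:47,972 deviceVersion: "11.2.0.0-SNAPSHOT" deviceService: "EVENT_STREAM_ANALYSIS" category: SYSTEM operation: "CREATE RULE" parameters: "Epl Module Identifier: esa000155, Esper Instance: default, Epl Rule Enabled: false, Trial Rule: true" key: "Epl Rule: module Module_esa000155;\n" identity: "admin" userRole: "ROLE_ESA_ADMINISTRATOR"'''

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")
# Either  name: "quoted value, backslash escapes allowed"  or  name: bare_token
FIELD = re.compile(r'(\w+): (?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_entry(line):
    """Split one audit line into a dict; 'parameters' becomes a nested dict."""
    m = TIMESTAMP.match(line)
    if m is None:
        raise ValueError("audit line without timestamp: %r" % line[:40])
    entry = {"timestamp": m.group(0)}
    for name, quoted, bare in FIELD.findall(line[m.end():]):
        entry[name] = bare if bare else quoted
    params = {}
    for item in entry.pop("parameters", "").split(", "):
        if item:
            k, _, v = item.partition(": ")
            params[k] = v
    entry["parameters"] = params
    return entry


def find_disabled_rules(lines):
    """Pair the DELETE RULE (enabled=true) / CREATE RULE (enabled=false) entries
    that the Note says are written when a rule is disabled. Returns
    (module id, identity, timestamp) for each disablement found."""
    pending, disabled = {}, []
    for entry in (parse_entry(l) for l in lines if l.strip()):
        p = entry["parameters"]
        mod = p.get("Epl Module Identifier")
        enabled = p.get("Epl Rule Enabled")
        if entry.get("operation") == "DELETE RULE" and enabled == "true":
            pending[mod] = entry
        elif (entry.get("operation") == "CREATE RULE" and enabled == "false"
              and mod in pending):
            disabled.append((mod, entry.get("identity"), entry["timestamp"]))
            del pending[mod]
    return disabled


if __name__ == "__main__":
    for mod, who, when in find_disabled_rules(SAMPLE_AUDIT_LOG.splitlines()):
        print("rule %s disabled by %s at %s" % (mod, who, when))
```

Feeding the real audit log file to find_disabled_rules gives a quick list of correlation rules that were switched off and the account that did it.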

Verify ESA Server Version

  1. Use ssh to connect to the ESA service and log in as the root user.
  2. Type the following command and press ENTER:
    rpm -qa | grep rsa-nw-esa-server
    The ESA server version is displayed.