Resolution | - Identify the rule name that corresponds to the string displayed in the error message (highlighted in red). That string is the ESA rule identifier.
- Follow the steps below to find the ESA rule name:
- SSH to the ESA appliance and execute the commands below:
  #/opt/rsa/esa/client/bin/esa-client --profiles carlos
  #carlos-connect
  #epl-module-get "String_appearing_in_Error_message"
- You will get output similar to the following. Look for the "name" field, which is shown in red below:
  "identifier" : "58f757820cf26f1d4423f737",
  "name" : "SMB RUle",
  "severity" : 5,
  "notification_binding" : [ {
    "provider_id" : "58eb978a0cf26f1d4423f6e0",
    "instance_id" : "58f6023c0cf26f1d4423f72b",
    "template_id" : "58ede8ea0cf26f1d4423f704"
  } ],
  "esper_instance" : "default",
  "trial" : false
}, {
- Navigate to SA UI > Alerts > Configure > Deployments > ESA Rules, search for the ESA rule by its name and remove it. [Note: this action only removes the rule from the list of currently deployed rules on your ESA; it remains available for any required amendments under the "Rule Library".]
- The rule can be isolated from production so that its logic can be fixed, and then re-deployed.
|
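The lookup in the steps above can be scripted when the client output has been saved to a text file. This is an added example, not part of the original article or of RSA's tooling: it assumes the output contains JSON objects with "identifier" and "name" keys as in the fragment shown, the function names are hypothetical, and the error line and the second module in the sample are constructed.

```python
import json
import re

# Assumption: identifiers are 24 hex digits, like the one in the output above.
OBJECT_ID = re.compile(r"\b[0-9a-f]{24}\b")

def modules_in(output):
    """Map identifier -> rule name for every complete JSON object in the text.

    Banner lines and truncated objects are skipped instead of aborting the
    parse, because pasted client output is rarely a clean JSON document.
    """
    decoder = json.JSONDecoder()
    found = {}
    for brace in re.finditer(r"\{", output):
        try:
            obj, _ = decoder.raw_decode(output, brace.start())
        except json.JSONDecodeError:
            continue  # cut-off object or non-JSON text
        if isinstance(obj, dict) and "identifier" in obj and "name" in obj:
            found[obj["identifier"]] = obj["name"]
    return found

def rules_named_in(error_text, output):
    """Resolve each identifier in the error text to a rule name (None if absent)."""
    modules = modules_in(output)
    return {ident: modules.get(ident) for ident in OBJECT_ID.findall(error_text)}

# Constructed sample: first module copied from the article, the rest invented.
SAMPLE_OUTPUT = """
connected (constructed banner line)
[ { "identifier" : "58f757820cf26f1d4423f737", "name" : "SMB RUle",
    "severity" : 5,
    "notification_binding" : [ { "provider_id" : "58eb978a0cf26f1d4423f6e0" } ],
    "esper_instance" : "default", "trial" : false },
  { "identifier" : "0123456789abcdef01234567", "name" : "Constructed Rule",
    "severity" : 3, "esper_instance" : "default", "trial" : true },
  { "identifier" : "ffffffffffffffffffffffff", "name" : "Cut off
"""
SAMPLE_ERROR = "constructed error line: module 58f757820cf26f1d4423f737 failed"

if __name__ == "__main__":
    for ident, name in rules_named_in(SAMPLE_ERROR, SAMPLE_OUTPUT).items():
        print(ident, "->", name or "not found in output")
```

The printed name is the one to search for under ESA Rules in the deployment.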