| Resolution | - You need to identify the rule-name relevant to the displayed-string in the error message "highlighted-in-red". That String itself is called the ESA rule identifier.
- Please follow below-steps to know the ESA rule-name:
- SSH to the ESA Appliance and execute below commands:
#/opt/rsa/esa/client/bin/esa-client --profiles carlos
#carlos-connect
#epl-module-get "String_appearing_in_Error_message"
- You will get an output similar to the below, look for the filed name which as shown below in RED color:
"identifier" : "58f757820cf26f1d4423f737",
"name" : "SMB RUle",
"severity" : 5,
"notification_binding" : [ {
"provider_id" : "58eb978a0cf26f1d4423f6e0",
"instance_id" : "58f6023c0cf26f1d4423f72b",
"template_id" : "58ede8ea0cf26f1d4423f704"
} ],
"esper_instance" : "default",
"trial" : false
}, {
- Navigate to the SA UI, Alerts, Configure, Deployments, ESA Rules, search for the ESA rule with it's name and remove it. [Note: this action only remove the rule from the list of current deployed rules on your ESA and it will remain available for required amendments under the "Rule Library"].
- The rule can be isolated away from production to get it's logic fixed then re-deployed again.
|
on Nov 16, 2017