000035194 - RSA NetWitness java.lang.IllegalArgumentException: Invalid connection: statement "58f757820cf26f1d4423f737" is unknown

Document created by RSA Customer Support Employee on Nov 16, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035194
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition: 10.5.x and 10.6.x
Issue- Not able to deploy updated-rules to the current-running ESA service due to below error: 

java.lang.IllegalArgumentException: Invalid connection: statement "58f757820cf26f1d4423f737" is unknown

Cause- There is a logic error with one of the updated ESA rules, causing inability to deploy it and the other updated rules. 
  • You need to identify the rule-name relevant to the displayed-string in the error message "highlighted-in-red". That String itself is called the ESA rule identifier. 
  • Please follow below-steps to know the ESA rule-name: 

- SSH to the ESA Appliance and execute below commands:
#/opt/rsa/esa/client/bin/esa-client --profiles carlos
#epl-module-get  "String_appearing_in_Error_message"

  • You will get an output similar to the below,  look for the filed name which as shown below in  RED color: 

"identifier" : "58f757820cf26f1d4423f737",
    "name" : "SMB RUle",
    "severity" : 5,
    "notification_binding" : [ {
      "provider_id" : "58eb978a0cf26f1d4423f6e0",
      "instance_id" : "58f6023c0cf26f1d4423f72b",
      "template_id" : "58ede8ea0cf26f1d4423f704"
    } ],
    "esper_instance" : "default",
    "trial" : false
  }, {

  • Navigate to the SA UI, Alerts, Configure, Deployments, ESA Rules, search for the ESA rule with it's name and remove it. [Note: this action only remove the rule from the list of current deployed rules on your ESA and it will remain available for required amendments under the "Rule Library"].
  • The rule can be isolated away from production to get it's  logic fixed then re-deployed again.