000036265 - Event Stream Analysis (ESA) service is reported to be down after modifying the interfaces in RSA Security Analytics 10.6.x

Document created by RSA Customer Support Employee on Apr 19, 2018
Last modified by RSA Customer Support Employee on Apr 21, 2018
Version 2

Article Content

Article Number: 000036265
Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Event Stream Analysis (ESA), User Interface
RSA Version/Condition: 10.6.x.x
Platform: CentOS

Issue
The ESA service is reported down after the Event Stream Analysis management interface was changed at a customer's request. The iptables rules on the RSA Event Stream Analysis appliance revert to the original interface every time the appliance is restarted or rebooted, or whenever puppet agent -t runs.

Cause
The customer previously used em1 and moved the management interface to em2, editing the iptables entries to replace em1 with em2. Those entries are generated by Puppet from the ESA module's manifest, which still names em1, so whenever the appliance is restarted or rebooted or puppet agent -t runs, the entries are rewritten for em1. The ActiveMQ rules for port 50030 then no longer match the interface that carries traffic, the firewall on the ESA appliance blocks the connection from the RSA Security Analytics server, and ESA appears to be down.

The iptables rules on the RSA Event Stream Analysis server are in the file below; the ActiveMQ rule shows which interface they are bound to.

# cat /etc/sysconfig/iptables
-A OUTPUT -o em1 -p tcp -m multiport --sports 50030 -m comment --comment "2 ESA ActiveMQ OUT" -m state --state ESTABLISHED -j ACCEPT

Running ifconfig on the ESA appliance shows which interface actually carries the management IP address; if it differs from the interface in the rule above, the rule does not apply to the traffic.

Confirm that the connection from the RSA Security Analytics server to the RSA Event Stream Analysis appliance on port 50030 fails while the iptables service is running (and succeeds once the service is stopped). SSH to the RSA Security Analytics server and run the following:

# curl -v <RSA Event Stream Analysis IP>:50030
Resolution

To resolve the issue:

  1. SSH to the RSA Security Analytics server appliance.
  2. Open /etc/puppet/modules/esa/manifests/init.pp in a text editor.
  3. Find the two firewall resources that reference $management_interface, which read:

firewall {'1 ESA ActiveMQ IN':
  chain   => 'INPUT',
  iniface => $management_interface,
  proto   => 'tcp',
  source  => $sa_server,
  dport   => 50030,
  state   => ['NEW','ESTABLISHED'],
  action  => 'accept',
}

firewall {'2 ESA ActiveMQ OUT':
  chain    => 'OUTPUT',
  outiface => $management_interface,
  proto    => 'tcp',
  sport    => 50030,
  state    => 'ESTABLISHED',
  action   => 'accept',
}


  4. In both resources, replace $management_interface with the quoted name of the interface you wish to use, for instance 'em2', as shown:

firewall {'1 ESA ActiveMQ IN':
  chain   => 'INPUT',
  iniface => 'em2',
  proto   => 'tcp',
  source  => $sa_server,
  dport   => 50030,
  state   => ['NEW','ESTABLISHED'],
  action  => 'accept',
}

firewall {'2 ESA ActiveMQ OUT':
  chain    => 'OUTPUT',
  outiface => 'em2',
  proto    => 'tcp',
  sport    => 50030,
  state    => 'ESTABLISHED',
  action   => 'accept',
}

  5. Save and exit.
  6. The Puppet agent on the ESA appliance picks up the changed manifest on its next scheduled run (every 30 minutes), so no further action is required. To apply it immediately, run puppet agent -t on the ESA appliance, then confirm with cat /etc/sysconfig/iptables that the ESA ActiveMQ rules now name em2 and that the curl test from the RSA Security Analytics server succeeds with iptables running. Because this edit hardcodes the interface in the vendor's Puppet module, re-check the file after any upgrade that reinstalls the ESA module.
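As an added check covering both the verification step above (which interface ifconfig reports versus which one the iptables rules name) and the post-fix confirmation, the script below is example code written for this article, not an RSA tool. It reads an iptables file, pulls the interface out of every rule whose comment mentions "ESA ActiveMQ", and reports whether those rules are bound to the interface that carries the management IP. The sample iptables content, the "ip -o -4 addr show" output, the interface names and the 192.0.2.x addresses are all constructed for illustration; the script name esa_iface_check.sh is assumed.

```shell
#!/bin/sh
# Added example, not part of the RSA article. On a live ESA appliance run:
#   sh esa_iface_check.sh <management IP>
# and replace the constructed samples with /etc/sysconfig/iptables and
# "$(ip -o -4 addr show)" as noted below.

# Print the interface named by every rule whose comment mentions "ESA ActiveMQ".
# iptables-save writes "-i <iface>" for INPUT rules and "-o <iface>" for OUTPUT rules.
esa_rule_ifaces() {
    grep -- 'ESA ActiveMQ' "$1" | sed -n 's/.* -[io] \([^ ]*\) .*/\1/p'
}

# Return 0 when every ESA ActiveMQ rule in FILE ($1) is bound to WANT ($2),
# 1 when any rule is bound to another interface (the failure mode in this article),
# 2 when the file contains no ESA ActiveMQ rule at all.
check_esa_rules() {
    _file=$1
    _want=$2
    _found=0
    _bad=0
    for _iface in $(esa_rule_ifaces "$_file"); do
        _found=1
        if [ "$_iface" != "$_want" ]; then
            echo "MISMATCH: rule bound to $_iface, management interface is $_want" >&2
            _bad=1
        fi
    done
    [ "$_found" -eq 1 ] || return 2
    return "$_bad"
}

# Given the output of "ip -o -4 addr show" ($1) and an IPv4 address ($2), print the
# interface that carries that address (the same answer ifconfig gives by hand).
iface_from_ip_output() {
    printf '%s\n' "$1" | awk -v addr="$2" \
        '$3 == "inet" && index($4, addr "/") == 1 { print $2; exit }'
}

# Constructed sample of /etc/sysconfig/iptables after the interface was moved to em2
# while the Puppet manifest still generated rules for em1.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.0.2.10/32 -i em1 -p tcp -m multiport --dports 50030 -m comment --comment "1 ESA ActiveMQ IN" -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o em1 -p tcp -m multiport --sports 50030 -m comment --comment "2 ESA ActiveMQ OUT" -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF

# Constructed (abridged) "ip -o -4 addr show" output: the management IP now lives on em2.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
3: em2    inet 192.0.2.20/24 brd 192.0.2.255 scope global em2'

MGMT_IP=${1:-192.0.2.20}
# Live appliance: ACTIVE=$(iface_from_ip_output "$(ip -o -4 addr show)" "$MGMT_IP")
ACTIVE=$(iface_from_ip_output "$SAMPLE_IP_OUTPUT" "$MGMT_IP")
if check_esa_rules "$SAMPLE_FILE" "$ACTIVE"; then
    echo "OK: ESA ActiveMQ rules are bound to $ACTIVE"
else
    echo "ESA ActiveMQ rules are not bound to $ACTIVE; fix iniface/outiface in the Puppet manifest"
fi
```

With the constructed input the script reports a mismatch (rules on em1, management IP on em2), which is exactly the state the article describes. After the manifest fix and a Puppet run, re-running it against the real /etc/sysconfig/iptables should print OK; a return code of 2 means Puppet has not written any ESA ActiveMQ rule at all, which points at the manifest rather than the interface.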
