Major setback with ESA - "No rules found"
Was making progress configuring Alerts in ESA and Incident Management. However, today I went to the ESA -> Configure option and all my custom rules are missing.
Has anyone encountered this issue? All of the important rules are still synchronized, but not available in the "All rules" section.
No way to back them up now either. Is there a way to pull synchronized rules from the ESA database?
Well, this has not happened to me, but I found one thing: after receiving the alerts on the ESA, I am not able to access Incident Management in any way.
I am getting an error message on the IM.
According to me, you can take a backup of your rules through
/rsa/reporting enginer/rsa/soc/repoting engine logs.
I will share the exact path soon.
Technical Consultant - Information Security
Ended up having to rebuild all the ESA rules by hand with help from professional services.
Before patching, make sure you back up all of your rules.
It may be a best practice to shut down the ESA service and others before patching to mitigate the risk of losing your ESA rules.