RSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host/ESA Correlation service
RSA Version/Condition: 11.3.x
In RSA NetWitness Platform 11.3.x, enabling custom Esper Java libraries is slightly more difficult for customers who have built their own EPL extensions in Java. For those customers, upgrading to 11.3.x can cause issues with alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java libraries), customers do not have full visibility of some pattern detection, which increases noise for their analysts and decreases their productivity.
The known fix for this issue is as follows:
For RSA NetWitness Platform 11.3.x, ensure that the custom library JAR file and all the sources are compiled in JDK 1.8.
SSH to the Event Stream Analysis (ESA) server and log in with root/user credentials.
Modify the JAVA_OPTS variable in /etc/netwitness/correlation-server/correlation-server.conf to add the parameter -Dloader.path=<path to jar file/folder that contains the custom java code> so that the new Java class files are loaded. See the following example:
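The following is an added example, not part of the RSA article and not RSA code, for the JDK 1.8 requirement in the first step: it reads the class-file header of every `.class` entry in a JAR and reports any that are not in the Java 8 format (major version 52) before the JAR is placed on `-Dloader.path`. The sample JAR and the `com/example/...` entry names are constructed for illustration.

```python
import io
import struct
import sys
import zipfile

JAVA8_MAJOR = 52          # class-file major version emitted for Java 8 (1.8)
MAGIC = 0xCAFEBABE        # first four bytes of every valid .class file


def class_versions(jar):
    """Map each .class entry in a JAR (path or file object) to its major version.

    A value of None means the entry is truncated or lacks the class magic.
    """
    versions = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class"):
                continue
            with zf.open(info) as fh:
                header = fh.read(8)   # magic(4) + minor(2) + major(2), big-endian
            if len(header) < 8:
                versions[info.filename] = None
                continue
            magic, _minor, major = struct.unpack(">IHH", header)
            versions[info.filename] = major if magic == MAGIC else None
    return versions


def not_java8(jar):
    """Return the entries whose class format is not Java 8, sorted by name."""
    return sorted(n for n, v in class_versions(jar).items() if v != JAVA8_MAJOR)


def sample_jar():
    """Constructed in-memory JAR: one Java 8 class, one Java 11 class, one corrupt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Ok.class", struct.pack(">IHH", MAGIC, 0, 52))
        zf.writestr("com/example/TooNew.class", struct.pack(">IHH", MAGIC, 0, 55))
        zf.writestr("com/example/Broken.class", b"\x00\x01")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With no argument, run against the constructed sample instead of a real JAR.
    target = sys.argv[1] if len(sys.argv) > 1 else sample_jar()
    bad = not_java8(target)
    for name in bad:
        print("not Java 8 class format:", name)
    sys.exit(1 if bad else 0)
```

Run it with the path to the custom JAR as the only argument; a non-zero exit status means at least one class needs to be rebuilt for Java 8.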