Skip to content
  • There are no suggestions because the search field is empty.

Cannot access custom Esper Java Libraries in NetWitness 11.3

Issue

In NetWitness Platform 11.3.x, it is slightly more difficult to enable custom Esper Java libraries for those customers who have built their own EPL extensions in Java.  For those customers, upgrading to 11.3.x can create an issue with their alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java Libraries), customers do not have full visibility of some pattern detection which increases noise for their Analysts, decreasing their productivity.

Workaround

The known fix for this issue is as follows:
  1. For NetWitness Platform 11.3.x, ensure that the custom library JAR file and all the sources are compiled in JDK 1.8.
  2. SSH to the Event Stream Analysis (ESA) server and login with root/user credentials.
  3. Modify the JAVA_OPTS variable in /etc/netwitness/correlation-server/correlation-server.conf to add the parameter -Dloader.path= to load the new java class files. See the following example:
JAVA_OPTS="XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom ${JAVA_MAX_HEAP_GB:-Xmx164G} -Dloader.path=/opt/rsa/lib/myjar/ -javaagent:/var/lib/netwitness/esper-enterprise/esperee-utilagent-8.2.0.jar"
  1. Save and exit the correlation-server.conf.
  2. Copy the attached esper-config.xml file to a local folder on the ESA server. The preferred folder is /opt/rsa/lib for this file.
  3. Modify the esper-config.xml file in the local folder to include the custom functions created in the Java code.
  4. In NetWitness Platform,
    1. Go to Admin > Services.
    2. Select the ESA Correlation service.
    3. Select Action (Red Gear) > View > Explore.
    4. In the Explore view node list on the left side, select Correlation > Esper.
  5. Edit config-resource and change the path to the local ESA folder that contains the esper-config.xml file. See the following example:
file:/opt/rsa/lib/esper-config.xml
  1. Restart the Correlation service:
    1. From the UI, go to Admin > Services, select the ESA Correlation service
    2. Select Action (Red Gear) > Restart.
    3. From the command line, type the following and press Enter:
systemctl restart rsa-nw-correlation-server

Notes

For the NetWitness 11.4 version of this article, see  000001843 - Cannot access custom Esper Java libraries in RSA NetWitness Platform 11.4

Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host, ESA Correlation service
RSA Version/Condition: 11.3.x

Summary

Having difficulty enabling custom content in 11.3.x for the Event Stream Analysis in NetWitness Platform? Review this knowledge base article to find the steps to address this issue.


Approval Reviewer Queue

Technical approval queue