
[Archive] Changing ESA Variable Type in RSA Security Analytics 10.5

Issue

If a session contains more than one value for a particular meta, ESA reads only the first value (when the type of that meta is String).


Tasks

Change the meta type from String to String Array so that ESA reads all the values of that meta in a single session.


Resolution

This example changes the type of the ‘ip_addr’ meta, which is String by default, to String Array.

SSH to the ESA appliance.

Navigate to /opt/rsa/esa/conf and edit the files below.
 
1. eplModuleManager.json
 
Change the value of ‘ip_addr’ string to ‘ip_addr’ string[]
 
2. nextgenAggregationSource.json

Locate the line below:

{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username"}}

Add the ‘ip_addr’ meta after the username meta so that the line finally looks like this:
 
{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username,ip_addr"}}
 
Finally, restart the ESA service (service rsa-esa restart).
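
The edit to nextgenAggregationSource.json in step 2 can be scripted so that it is repeatable and leaves a backup. The function below is an added example, not part of the original article or an RSA-supplied tool; the name add_array_field is hypothetical, and it assumes the ArrayFieldNames entry has the shape shown above and already lists at least one meta. It does not touch eplModuleManager.json and does not restart the service.

```shell
#!/bin/bash
# Added example, not RSA-supplied. Assumes the ArrayFieldNames entry has the
# shape shown in step 2 and already lists at least one meta.
# Returns: 0 = added or already present, 1 = entry not found, 2 = bad meta name.
add_array_field() {
    local file="$1" meta="$2"
    local entry='"key": *"ArrayFieldNames"[^}]*"string": *"'

    # Accept only letters, digits and underscores so the name cannot alter
    # the sed expression or the JSON.
    case "$meta" in
        ''|*[!A-Za-z0-9_]*) echo "invalid meta name: $meta" >&2; return 2 ;;
    esac

    # No ArrayFieldNames entry: leave the file alone.
    if ! grep -q "$entry" "$file"; then
        echo "ArrayFieldNames entry not found in $file" >&2
        return 1
    fi

    # Whole-token match, so alias_ip is not mistaken for alias_ipv6.
    if grep -q "$entry"'\([^"]*,\)\{0,1\}'"$meta"'\(,[^"]*\)\{0,1\}"' "$file"; then
        echo "$meta already listed in ArrayFieldNames"
        return 0
    fi

    # Keep a backup, then append the meta just before the closing quote.
    cp -p "$file" "$file.bak" || return 1
    sed 's/\('"$entry"'[^"]*\)"/\1,'"$meta"'"/' "$file.bak" > "$file"
    echo "added $meta (backup: $file.bak)"
}

# Usage on the appliance (path from the article), before the service restart:
#   add_array_field /opt/rsa/esa/conf/nextgenAggregationSource.json ip_addr
```

Running it a second time with the same meta is a no-op, so the list never gains a duplicate entry.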

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition: 10.5.x
