Skip to content
  • There are no suggestions because the search field is empty.

ESA Correlation and Contexthub Services Offline in GUI After Reprovisioning Due to Old Service ID in Orchestration

Issue

After changing the IP Address or doing a full reprovision of an ESA/Correlation Server, the service may show as offline in the UI, despite appearing to run normally when reviewing the service status and logs via the CLI. 

ESA Correlation and Contexthub Services Offline in GUI After Reprovisioning Due to Old Service ID in Orchestration

ESA SSH confirms services are running via the following commands, but ESA services appear offline in the GUI.

[root@NW11-ESAPRIMARY ~]# systemctl status rsa-nw-correlation-server | head -5
● rsa-nw-correlation-server.service - Event Streaming Correlation
Loaded: loaded (/usr/lib/systemd/system/rsa-nw-correlation-server.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/rsa-nw-correlation-server.service.d
└─rsa-nw-correlation-server-opts-managed.conf
Active: active (running) since Thu 2025-03-27 20:50:42 UTC; 30s ago


[root@NW11-ESAPRIMARY ~]# systemctl status rsa-nw-contexthub-server | head -5
● rsa-nw-contexthub-server.service - ContextHub Server
Loaded: loaded (/usr/lib/systemd/system/rsa-nw-contexthub-server.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/rsa-nw-contexthub-server.service.d
└─rsa-nw-contexthub-server-opts-managed.conf
Active: active (running) since Thu 2025-03-27 20:50:35 UTC; 53s ago

Cause

The issue occurs due to an old service ID in orchestration, which may have occurred during the IP change or reprovision. Use below commands to validate service-id details.

ESA:

cat /etc/netwitness/correlation-server/service-id :
54416a50-3fda-4cec-80e3-51c18164fce6
cat /etc/netwitness/contexthub-server/service-id :
eb012059-200e-4f41-91fc-dda390102288

AdminServer: Note the mismatch on the returned service IDs below:
orchestration-cli-client -s | grep -i "correlation\|contexthub" 

[root@NEW-NW11-NW-NODE-ZERO ~]# orchestration-cli-client -s | grep -i "correlation\|contexthub"

2025-03-27T20:52:39.653Z INFO 2892621 --- [orchestration-client] [ main] c.r.n.i.o.c.OrchestrationApplication : Service: ID=d6403287-6614-475e-a2f1-2d37f67d5f50, NAME=correlation-server, HOST=192.168.5.167:7014, TLS=true
2025-03-27T20:52:39.653Z INFO 2892621 --- [orchestration-client] [ main] c.r.n.i.o.c.OrchestrationApplication : Service: ID=5d326887-b6db-49a4-afce-6b374156b03f, NAME=contexthub-server, HOST=192.168.5.167:7005, TLS=true

Resolution

Follow the steps below to bring the services online in the UI:

    1. Run the following commands in AdminServer to update the service IDs:
      orchestration-cli-client --update-service-id --old-id ID=d6403287-6614-475e-a2f1-2d37f67d5f50 --new-id 54416a50-3fda-4cec-80e3-51c18164fce6
      orchestration-cli-client --update-service-id --old-id ID=5d326887-b6db-49a4-afce-6b374156b03f --new-id eb012059-200e-4f41-91fc-dda390102288

      Note: Choose service-id details according to customer environment

    2. Execute the following commands to restart the services in ESA:
      systemctl restart rsa-nw-correlation-server
      systemctl restart rsa-nw-contexthub-server
    3. After a few minutes, navigate to GUI → Admin → Services
    4. Ensure that the services now appear online.
      ESA Correlation and Contexthub Services Offline in GUI After Reprovisioning Due to Old Service ID in Orchestration


      Product Details

      NetWitness Product Set: NetWitness Logs & Network
      NetWitness Product/Service Type: ESA Correlation, Contexthub
      NetWitness Version/Condition: 12.X
      Platform: AlmaLinux 


      Approval Reviewer Queue

      Technical approval queue