
NetWitness ESA stopped consuming from concentrators after upgrading

Issue

After upgrading from 11.3.x to 11.5.x, the ESA service stopped aggregating data from the source Concentrators.
/var/log/netwitness/correlation-server/correlation-server.log shows warnings like the following:
WARN c.r.n.s.p.DefaultRecordStreamPolicy|Source admin@<Concentrator_IP>:50005 reported an error, retry after 10 seconds. Error: com.rsa.netwitness.streams.RecordStreamException: admin@<Concentrator_IP>:50005:java.nio.channels.UnresolvedAddressException
Running the 'curl -v <Concentrator_IP>:50005' command from the ESA hosts confirms a successful connection to the Concentrator.


Cause

The issue may occur when /etc/hosts on the ESA host does not contain the UUID and IP entry of the source Concentrators.

Resolution

To resolve the issue, modify /etc/hosts on the ESA host to include an entry for each source Concentrator in the following format:

<Concentrator_IP>    <Concentrator_UUID> <Concentrator_UUID>.netwitness

For example,
10.10.14.41    a71aa275-b95e-4d62-b17d-0c8907cdf0c1 a71aa275-b95e-4d62-b17d-0c8907cdf0c1.netwitness

After making the change, monitor /var/log/netwitness/correlation-server/correlation-server.log to confirm that the warning no longer appears, and also check the Offered Rate under Configure > ESA Rules > Services.
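
One way to verify that a hosts file carries the entry format described above, as an added example that is not part of the original article or of NetWitness tooling. The function names and the status words (ok, incomplete, missing, wrong_ip) are assumptions of this example, and every sample entry other than the article's own example line is constructed.

```shell
#!/bin/sh
# Added example: check that a hosts file maps a Concentrator IP to both
# "<UUID>" and "<UUID>.netwitness", the format given in the Resolution.
# Names and status words here are hypothetical, not NetWitness tooling.

# check_concentrator_entry HOSTS_FILE IP UUID
# Prints: ok | incomplete | missing | wrong_ip
check_concentrator_entry() {
    awk -v ip="$2" -v uuid="$3" '
        BEGIN { u = tolower(uuid); f = u ".netwitness" }
        {
            sub(/#.*/, "")                      # ignore comments
            for (i = 2; i <= NF; i++) {         # $1 is the address, the rest are names
                name = tolower($i)              # host names are case-insensitive
                if (name != u && name != f) continue
                if ($1 != ip)       bad = 1     # name is bound to a different address
                else if (name == u) got_u = 1
                else                got_f = 1
            }
        }
        END {
            if (bad)                 print "wrong_ip"
            else if (got_u && got_f) print "ok"
            else if (got_u || got_f) print "incomplete"
            else                     print "missing"
        }
    ' "$1"
}

# Constructed sample file. The second line is the example entry from the
# article; the other addresses and UUIDs are made up for illustration.
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1   localhost
10.10.14.41    a71aa275-b95e-4d62-b17d-0c8907cdf0c1 a71aa275-b95e-4d62-b17d-0c8907cdf0c1.netwitness
10.10.14.42    11111111-2222-3333-4444-555555555555   # .netwitness alias missing
# 10.10.14.43  99999999-8888-7777-6666-555555555555 99999999-8888-7777-6666-555555555555.netwitness
EOF
}

# On an ESA host, run once per source Concentrator:
#   check_concentrator_entry /etc/hosts <Concentrator_IP> <Concentrator_UUID>
```

Any result other than ok means the entry for that Concentrator still needs to be added or corrected in /etc/hosts.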

Product Details

Product Set: NetWitness Platform
Product/Service Type: Security Analytics Server
Version/Condition: 11.5.x
Platform: CentOS
O/S Version: 7
