Skip to content
  • There are no suggestions because the search field is empty.

Service is already in this deployment is returned when adding an Event Stream Analysis service in RSA NetWitness

Issue

An error similar to below occurs when trying to add an Event Stream Analysis service to ESA Services under SA Web GUI > Alerts > Configure > DEPLOYMENTS (for SA 10.x) or NW Web GUI > CONFIGURE > ESA RULES >DEPLOYMENTS (for NW 11.x).
"" Service is already in this deployment" The service "ESA - Event Stream Analysis" is already part of the deployment "TEST ESA ""

Cause

The error is returned when esaServiceInfos field in the synchronization table already contains some values. Synchronization database resides on SA server or NW Admin Server and it stores Event Stream Analysis rules & deployment details.


Resolution

  1. Open the SSH to SA Server or NW Admin Server and run the below commands to verify the deployment name.
     
    For 10.5.x and 10.6.x, perform these steps.

    An example of the expected output is shown below with the name of deployment highlighted in red.

    #mongo sa
    > db.synchronization.find().pretty()
    {
    "_id" : ObjectId("58a2af3ce4b0bca8c6393661"),
    "_class" : "com.rsa.smc.sa.esa.domain.bean.Synchronization",
    "name" : "TEST ESA",
    "esaServiceInfos" : [
    {
    "deviceId" : NumberLong(7),
    "hostname" : "x.x.x.x",
    "port" : 50030,
    "lastSuccessfulSync" : ISODate("2017-12-31T16:38:34.515Z"),
    "successfulSync" : true,
    "master" : false
    }
    ],


    For 11.x, follow these steps.

    # mongo admin -u deploy_admin -p
    Enter password:
    > show dbs
    (sa shows up)
    > use sa
    > db.synchronization.find().pretty()
    {
    "_id" : ObjectId("58a2af3ce4b0bca8c6393661"),
    "_class" : "com.rsa.smc.sa.esa.domain.bean.Synchronization",
    "name" : "TEST ESA",
          "esaServiceInfos" : [
      {
                            "deviceId" : NumberLong(7),
                            "hostname" : "x.x.x.x",
                            "port" : 50030,
                            "lastSuccessfulSync" : ISODate("2017-12-31T16:38:34.515Z"),
                            "successfulSync" : true,
                            "master" : false
                    }
            ],
     
  2. To clear esaServiceInfos field from the synchronization table in 'sa' database, run below command on SSH to SA Server or NW Admin Server
    #mongo sa
    > db.synchronization.update({name:" "},{$unset: {"esaServiceInfos": ""}}) 
    e.g.db.synchronization.update({name:"TEST ESA"},{$unset: {"esaServiceInfos": ""}}) if the name of deployment is "TEST ESA".
     
  3. Add the Event Stream Analysis service to ESA Services under SA Web GUI > Alerts > Configure > DEPLOYMENTS (for SA 10.x) or NW Web GUI > CONFIGURE > ESA RULES >DEPLOYMENTS (for NW 11.x).
    You should be successfully able to add the ESA service to ESA Services now. 

Internal Comments

Updated for NW 11.x; just did this for a customer


Product Details

RSA Product Set:- Netwitness
RSA Product/Service Type:- ESA, SA Server
RSA Version/Condition: 10.5.x, 10.6.x, 11.x
Platform: CentOS


Approval Reviewer Queue

RSA NetWitness Suite Approval Queue