Troubleshoot ESA

On the NetWitness Platform Dashboard, the ESA service appears in red to indicate it is offline.

In the (Configure) > ESA Rules view, the following message appears: "The Service is either offline or not reachable."

When an ESA Correlation service is offline, there are many possible causes. However, a common issue is that you have created a rule that uses excessive memory and causes the ESA service to fail. To troubleshoot this problem, see Steps to Troubleshoot Memory Issues with an ESA Service Offline.

Other common causes might be that your firewall is blocking the connection between the ESA and NetWitness Platform, or the ESA Correlation service machine may be down.

To bring up ESA Services:

Go to (Admin) > Services, select your ESA service, and then select > Start.

If your ESA service is stopping and restarting in a loop, you may need to call Customer Support to get the services to start.

On the NetWitness Platform Dashboard, the ESA service appears in red to indicate it is offline.

In the (Configure) > ESA Rules view, the following message appears: "The Service is either offline or not reachable.

If your system has been recently upgraded, you may have made a configuration error.

Go to (Admin) > Services, select your ESA service and then select > Edit. In the Edit Service dialog, click Test Connection. If the connection fails, you likely have a configuration error. Attempt to fix your configuration error and try again.

The most likely cause for this error is a connectivity issue between the ESA Correlation service and a data source used in an ESA rule deployment, such as a Concentrator or Decoder.

1. Restart the ESA Correlation service.
2. Go to (Admin) > Services, select your ESA service and then select > Restart.
3. Check the connectivity from ESA to the data source. Look for connection errors in the ESA Correlation logs. You can use SSH to get in the system and go to: /var/log/netwitness/correlation-server/correlation-server.log.

For example:

Error: com.rsa.netwitness.streams.
RecordStreamException: admin@ :56005::
com.rsa.netwitness.streams.RecordStreamException:
connect::com.rsa.asoc.transport.nw.session.
NextgenException: Failed to connect to
:56005

If there are network connectivity issues, fix the issues and then restart the ESA Correlation service again to see if it fixes the problem.

If you have a data source with intermittent connectivity, you should remove it from the ESA rule deployment.

Each rule in RSA Live has a description that includes the parameters you must configure and prerequisites for your environment. Review this description to see if the rule is appropriate for your environment.

To ensure that you deploy rules safely in your environment, configure new rules as trial rules to test them in your environment. Trial rules add a safeguard for testing new rules. For details on this, see Deploy Rules as Trial Rules.

I imported a group of rules from RSA Live, and while the rules deployed without errors, they were later disabled.

Not all RSA Live rules are meant for every environment. You may not have the correct meta in your ESA for the rule to run.

You can verify that a rule was disabled by going to (Configure) > ESA Rules > Services > Deployed Rule Stats. If the rule is disabled, the green icon does not display next to the rule.

If a rule deployed correctly but was disabled, check the logs for exceptions related to the rule. Specifically, check to see if the rules were disabled due to missing meta. To do this, go to the ESA Correlation logs. You can use SSH to get in the system and go to: /var/log/netwitness/correlation-server/correlation-server.log.

Then, search for a message similar to the following:

"Property named ‘ ' is not valid in any stream"

For example, you might see:

Failed to validate filter expression '(medium=1 and streams=2 or medium=3...(238 chars)': Property named 'tcp_flags_seen' is not valid in any stream

If a similar message displays, you may need to add a custom meta key to the Log Decoder or Concentrator. To do this, follow these instructions: "Create Custom Meta Keys Using Custom Feed" in the Decoder and Log Decoder Configuration Guide.

I have an ESA rule that is not getting deployed and is not creating alerts.

A meta key that the rule uses is a string array type, but it shows as a string type on ESA.

Check to see if any string array meta keys that the rule uses are configured as string array types on ESA. Go to (Configure) > ESA Rules > Settings tab (Meta Key References).

• If it shows string[], it is configured as a string array type on ESA. This is fine.
• If it shows string without the brackets, it is configured as a string type and you need to fix it on ESA.

In the ESA Correlation service Explore view, go to correlation/stream. Add string array meta keys to the multi-valued list to allow them to be used as an array in ESA rules. Go back to the Meta Key References and click the refresh icon (). Verify that the meta keys with a string array type show a value of .string[]. For additional details, see "Configure Meta Keys as Arrays in ESA Correlation Rules" in the ESA Configuration Guide.

I set up notifications for a rule, but we are not receiving them. The correlation-server.log file does not show any errors. Why?

Correlation-server successfully sent the notification messages to integration-server, but when integration-server tried to send the notifications to their destination, it failed.

When troubleshooting notifications, check both the ESA Correlation service log files (/var/log/netwitness/correlation-server/correlation-server.log) AND the Integration-Server log files on the NetWitness Server (/var/log/netwitness/integration-server/integration-server.log). For an example, see Integration-Server SMTP Notification Error Example.

Note: For any notification-related troubleshooting, check the integration-server log file in addition to the log file of the service creating the notification.

I created a rule with an enrichment, added an SMTP notification, and deployed my rule. We are not receiving SMTP notifications. Why?

You do not have a template that met the criteria to parse the events.

Check the ESA Correlation service log files to see if the SMTP notification failed: /var/log/netwitness/correlation-server/correlation-server.log. For more details on the notification error, check the Integration-Server log file on the NetWitness Server (also known as Node 0, Admin server, or NWServer): /var/log/netwitness/integration-server/integration-server.log.

If you use an ESA rule that has an enrichment, such as a Context Hub list, you must create a custom template. You can duplicate a default template and adjust it for your enrichment. See SMTP Notification Error Example below for a notification error example.

For information on creating a custom ESA template, see "Define a Template for ESA Alert Notifications" in the System Configuration Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Check the Offered Rate statistic on the (Configure) > ESA Rules > Services tab. Select the ESA service and then look at the statistics on the tab for the Deployment.

If the Offered Rate is zero, then the ESA service is not receiving data from Concentrators. Check the ESA Correlation log files for connectivity issues: /var/log/netwitness/correlation-server/correlation-server.log.

If the offered rate is not zero, the meta key name and type used in the rule likely doesn't match the meta key present in events. Check to see if the meta key name and type used in the rule is valid by searching for the meta key name in (Configure) > ESA Rules > Settings tab (Meta Key References).

If a specific rule is not firing, go to (Configure) > ESA Rules > Services to see if the rule was disabled. In the Deployed Rule Stats section, a rule that is disabled displays a clear enabled button (instead of the green enabled button).

You can also check Events Matched field. Go to (Configure) > ESA Rules > Services. From there, you can see the number of events that were matched in the Events Matched column.

If no events matched, check the logic of your rule for errors. For example, check the syntax for uppercase and lowercase errors, and check the time window. If the rule still doesn't fire, consider simplifying the logic of the rule to see if it fires when there is less complexity.

Deploy the ESA rule deployments again. Create a Deployment steps in the Live Services Management Guide provides more information on deploying rules using the ESA Correlation service.

If this does not resolve the issue, check the ESA Correlation log files for more information: /var/log/netwitness/correlation-server/correlation-server.log.

After an update or upgrade to 11.3.0.2 or later, if I try to make an adjustment to some rules, I get an error when trying to save them.

The Ignore Case option may be selected for a meta key that does not contain alphabetic values, such as IP address.

In NetWitness Platform 11.3.0.2 and later, the Ignore Case option has been removed from the ESA Rule Builder - Build a Statement dialog for meta keys that do not contain text values. Adding Ignore Case on meta keys which do not contain alphabetic values causes additional processing to occur for no added benefit.

In the ESA Rule Builder - Build a Statement dialog, check to see if you have any meta keys that do not contain alphabetic characters, for example, ip_src and ip_dst. If you do, clear the Ignore Case checkbox for those meta keys and try to save the rule again.

The following steps apply to all released versions of NetWitness 11.3 and later. In 11.4 and later, you do not need to follow these steps for data privacy. However, you need to follow these steps if you want to enable the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view.

1. Add the ESA generated event_source_id meta key to the index-concentrator-custom.xml file.
2. Add the event_source_id meta key to the SELECT statement within any ESA rule that does not select every piece of metadata from the session.

3. After the Concentrator changes take effect, redeploy the ESA rule deployment that contains the ESA rule.

To do this, see Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id.

For NetWitness 11.4 and later, to resolve the data privacy issue, see How to Remove Sensitive Meta Keys Globally from All Alerts.

The Pivot to Investigate > Navigate link does not work in a context tooltip accessed from Respond.

In ESA rules that do not select every piece of meta from the session (that is, using select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work.

For NetWitness 11.3 and later (including 11.4), see Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id.

The optional data source filter is available in NetWitness 11.5 and later.

If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.

I added a data source filter to the data sources in my ESA rule deployment and I see an "Invalid header size" error while communicating with Core services in the ESA Correlation log file.

You are filtering out a large portion of the traffic and less sessions match the aggregation criteria.

In the Explore view node list for an ESA Correlation service, select correlation > stream. Decrease the max-sessions parameter from 10,000 to a lower session count and restart the ESA Correlation service. For step-by-step instructions, see .

Do not rename or delete a Context Hub list that is used in a deployed ESA rule. ESA Correlation will also not be able to access a Context Hub list if you delete it and then add it again with the same name while the rule is deployed.

If you rename a Context Hub list or recreate the Context Hub list with the same name, update the ESA rules that use that Context Hub list, and then redeploy the ESA rule deployments that contain those rules.