Thank You for your replay. Below the log:
2018-11-01 15:49:58,982 [Carlos@6065f052-206] INFO com.rsa.netwitness.carlos.notification.listener.NotificationConfigurationService - API Invocation Audit: identity=XXXXXX_USER, action=SetT emplateDefinition, object=smtp.ftl;syslog.ftl;59de1b67e4b013b2ca156ce8, success=true
2018-11-01 15:49:58,991 [Carlos@55067df8-207(run(GetAvailableJdbcDrivers))(XXXXXX_USER)] INFO com.rsa.netwitness.carlos.transport.RequestChannelListener - API Invocation Audit: identity=ona qellari, action=GetAvailableJdbcDrivers, object=<all>, success=true
2018-11-01 15:49:58,998 [Carlos@1855f222-208(run(GetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.carlos.transport.RequestChannelListener - API Invocation Audit: identity=XXXXXX_USER, ac tion=GetEplModule, object=all, success=true
2018-11-01 15:49:59,266 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module 59de08eae4b013b2ca156ce7(default) wi th an unchanged definition.
2018-11-01 15:49:59,267 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module esa000035(default) with an unchanged definition.
2018-11-01 15:49:59,267 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module esa000091(default) with an unchanged definition.
2018-11-01 15:49:59,267 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module 59e09419e4b080811cfb2023(default) wi th an unchanged definition.
2018-11-01 15:49:59,267 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module 59e0c941e4b080811cfb2026(default) wi th an unchanged definition.
2018-11-01 15:49:59,268 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module 59faeb4be4b0da193dc47f21(default) wi th an unchanged definition.
2018-11-01 15:49:59,268 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module esa000014(default) with an unchanged definition.
2018-11-01 15:49:59,268 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module esa000006(default) with an unchanged definition.
2018-11-01 15:49:59,269 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module esa000029(default) with an unchanged definition.
2018-11-01 15:49:59,269 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module esa000065(default) with an unchanged definition.
2018-11-01 15:49:59,269 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module 5ba2276ce4b08b1f7f58b66d(default) wi th an unchanged definition.
2018-11-01 15:49:59,269 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Ignored set for module 5ba24553e4b08b1f7f58b66e(default) wi th an unchanged definition.
2018-11-01 15:49:59,334 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.espertech.esper.core.service.StatementLifecycleSvcImpl - Failed to compile statement: Failed to resolv e event type: Event type or class named 'User_Whitelist' was not found
com.espertech.esper.epl.expression.core.ExprValidationException: Failed to resolve event type: Event type or class named 'User_Whitelist' was not found
at com.espertech.esper.epl.spec.FilterStreamSpecRaw.resolveType(FilterStreamSpecRaw.java:211)
at com.espertech.esper.epl.spec.FilterStreamSpecRaw.compile(FilterStreamSpecRaw.java:121)
at com.espertech.esper.core.service.StatementLifecycleSvcImpl.compile(StatementLifecycleSvcImpl.java:1139)
at com.espertech.esper.core.service.StatementLifecycleSvcImpl.compile(StatementLifecycleSvcImpl.java:1126)
at com.espertech.esper.core.service.StatementLifecycleSvcImpl.createStopped(StatementLifecycleSvcImpl.java:277)
at com.espertech.esper.core.service.StatementLifecycleSvcImpl.createStoppedAssignName(StatementLifecycleSvcImpl.java:199)
at com.espertech.esper.core.service.StatementLifecycleSvcImpl.createAndStart(StatementLifecycleSvcImpl.java:153)
at com.espertech.esper.core.service.EPAdministratorImpl.createEPLStmt(EPAdministratorImpl.java:118)
at com.espertech.esper.core.service.EPAdministratorImpl.createEPL(EPAdministratorImpl.java:92)
at com.espertech.esper.core.deploy.EPDeploymentAdminImpl.deployInternal(EPDeploymentAdminImpl.java:176)
at com.espertech.esper.core.deploy.EPDeploymentAdminImpl.deploy(EPDeploymentAdminImpl.java:98)
at com.rsa.netwitness.core.cep.ESPEREngine.deployModule(ESPEREngine.java:571)
at com.rsa.netwitness.core.cep.RoutingESPEREngine.deployModule(RoutingESPEREngine.java:448)
at com.rsa.netwitness.core.epl.EplModuleManager.deployModule(EplModuleManager.java:705)
at com.rsa.netwitness.core.epl.EplModuleManager.setModules(EplModuleManager.java:385)
at com.rsa.netwitness.core.api.epl.EplModuleListener.SetEplModule(EplModuleListener.java:120)
at sun.reflect.GeneratedMethodAccessor458.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.rsa.netwitness.common.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:459)
at com.rsa.netwitness.common.util.ReflectionUtils.invoke(ReflectionUtils.java:477)
at com.rsa.netwitness.common.listener.AbstractRequestHandler.onRequest(AbstractRequestHandler.java:110)
at sun.reflect.GeneratedMethodAccessor319.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at com.sun.proxy.$Proxy70.onRequest(Unknown Source)
at com.rsa.netwitness.carlos.transport.spi.AbstractMessageChannel$5.run(AbstractMessageChannel.java:633)
at com.rsa.netwitness.carlos.common.SharedThreadPoolExecutor$TagExclusiveRunnable.run(SharedThreadPoolExecutor.java:100)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2018-11-01 15:49:59,335 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] WARN com.rsa.netwitness.core.epl.EplModuleManager - Esper deployment of module "Logins across Multiple Servers" (id=esa000168(default)) failed. Reason: Deployment failed in module 'Module_esa000168' in module url 'esa000168' in expression '@Name('Module_esa000168_Alert') @RSAAlert(identif...(504 ch ars)' : Failed to resolve event type: Event type or class named 'User_Whitelist' was not found [@Name('Module_esa000168_Alert')
@RSAAlert(identifiers={"user_dst"})
@UsesEnrichment(name="User_Whitelist")
SELECT * FROM Event(
ec_activity='Logon'
AND ip_dst IS NOT NULL
AND user_dst IS NOT NULL
AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst.toLowerCase()))
AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst))
).std:groupwin(user_dst).win:time_length_batch(300 seconds, 3).std:unique(ip_dst) group by user_dst having count(*) = 3]
2018-11-01 15:49:59,337 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.core.epl.EplModuleManager - Registered a module with identifier esa000168(default)
2018-11-01 15:49:59,341 [Carlos@2f510013-209(run(SetEplModule))(XXXXXX_USER)] INFO com.rsa.netwitness.carlos.config.ConfigurationMXBean - EplModuleManager changed by XXXXXX_USER
