Article Number
000001909
Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host, ESA Correlation service
RSA Version/Condition: 11.3.x
Issue
In NetWitness Platform 11.3.x, enabling custom Esper Java libraries is slightly more difficult for customers who have built their own EPL extensions in Java. For those customers, upgrading to 11.3.x can cause issues with alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java libraries), customers do not have full visibility of some pattern detection, which increases noise for their analysts and decreases their productivity.
Workaround
The known fix for this issue is as follows:
- For NetWitness Platform 11.3.x, ensure that the custom library JAR file and all the sources are compiled with JDK 1.8.
- SSH to the Event Stream Analysis (ESA) server and log in with root/user credentials.
- Modify the JAVA_OPTS variable in /etc/netwitness/correlation-server/correlation-server.conf to add the parameter -Dloader.path=<path to jar file/folder that contains the custom java code> so that the new Java class files are loaded. See the following example:
  JAVA_OPTS="-XX:+UseG1GC -Djava.security.egd=file:/dev/./urandom ${JAVA_MAX_HEAP_GB:-Xmx164G} -Dloader.path=/opt/rsa/lib/myjar/ -javaagent:/var/lib/netwitness/esper-enterprise/esperee-utilagent-8.2.0.jar"
- Save and exit the correlation-server.conf.
- Copy the attached esper-config.xml file to a local folder on the ESA server. The preferred folder is /opt/rsa/lib for this file.
- Modify the esper-config.xml file in the local folder to include the custom functions created in the Java code.
- In NetWitness Platform:
  - Go to Admin > Services.
  - Select the ESA Correlation service.
  - Select Action (Red Gear) > View > Explore.
  - In the Explore view node list on the left side, select Correlation > Esper.
  - Edit config-resource and change the path to the local ESA folder that contains the esper-config.xml file. See the following example:
    file:/opt/rsa/lib/esper-config.xml
- Restart the Correlation service:
  - From the UI, go to Admin > Services, select the ESA Correlation service.
  - Select Action (Red Gear) > Restart.
  - From the command line, type the following and press Enter:
    systemctl restart rsa-nw-correlation-server
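The script below is an added example, not part of the original article or RSA-supplied tooling. Run before the restart, it confirms that JAVA_OPTS carries -Dloader.path, that the path exists and is not world-writable (anything on that path is loaded into the correlation service), and that JAR classes are no newer than Java 8 (class-file major version 52). The function names are hypothetical; it assumes unzip is installed and that paths contain no whitespace.

```sh
#!/bin/sh
# Added example (not RSA-supplied): pre-restart checks for the workaround above.

# Print the -Dloader.path value from the JAVA_OPTS line of correlation-server.conf.
loader_path() {
    sed -n 's/^JAVA_OPTS=.*-Dloader\.path=\([^ "]*\).*/\1/p' "$1" | head -n 1
}

# Print the class-file major version (52 = Java 8) from bytes 7-8 of a .class
# file given as $1, or read from stdin when no argument is passed.
class_major() {
    od -An -tu1 -j6 -N2 ${1:+"$1"} | awk '{ print $1 * 256 + $2 }'
}

# Highest major version among the .class entries of a JAR (requires unzip).
jar_max_major() {
    max=0
    for entry in $(unzip -Z1 "$1" '*.class' 2>/dev/null); do
        v=$(unzip -p "$1" "$entry" | class_major)
        [ "${v:-0}" -gt "$max" ] && max=$v
    done
    echo "$max"
}

# Check one conf file. Returns 1-4 on the first problem found, 0 when clean.
# Assumes paths without whitespace.
preflight() {
    lp=$(loader_path "$1")
    [ -n "$lp" ] || { echo "no -Dloader.path in JAVA_OPTS" >&2; return 1; }
    [ -e "$lp" ] || { echo "loader.path $lp does not exist" >&2; return 2; }
    # Anything on loader.path is loaded into the correlation service JVM,
    # so the folder and its contents must not be world-writable.
    ww=$(find "$lp" ! -type l -perm -0002 2>/dev/null | head -n 1)
    [ -z "$ww" ] || { echo "world-writable: $ww" >&2; return 3; }
    for jar in $(find "$lp" -type f -name '*.jar'); do
        m=$(jar_max_major "$jar")
        [ "$m" -le 52 ] || { echo "$jar: class version $m, need <= 52" >&2; return 4; }
    done
    echo "ok: $lp"
}

# Usage: sh preflight.sh /etc/netwitness/correlation-server/correlation-server.conf
if [ $# -gt 0 ]; then preflight "$1"; fi
```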
Notes