Article Number
000001436
Applies To
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Event Stream Analysis (ESA), User Interface
RSA Version/Condition: 10.6.x.x
Platform: CentOS
Issue
This issue is reported when the Event Stream Analysis management interface is changed as required by a customer.
However, the iptables entries revert to the default interface every time the RSA Event Stream Analysis appliance is restarted or rebooted and puppet agent -t executes.
Cause
A customer was previously using em1 and has now moved the interface to em2, changing the iptables entry accordingly (replacing em1 with em2). However, whenever the server is restarted or rebooted and puppet agent -t executes, the iptables entries revert to using the em1 interface. The rules are generated by the puppet firewall resources in the ESA manifest, so a change made directly in the iptables file is overwritten on every puppet run.
Below is the location of the iptables rules file on the RSA Event Stream Analysis server; the ESA ActiveMQ rule shows the interface in use.
# cat /etc/sysconfig/iptables
-A OUTPUT -o em1 -p tcp -m multiport --sports 50030 -m comment --comment "2 ESA ActiveMQ OUT" -m state --state ESTABLISHED -j ACCEPT
Running ifconfig shows the interface actually being used.
Verify that the connection from the RSA Security Analytics server to the RSA Event Stream Analysis server on port 50030 fails while the iptables service is running. SSH to the RSA Security Analytics server and run the following:
# curl -v <RSA Event Stream Analysis IP>:50030
Resolution
To resolve the issue,
- SSH to the RSA Security Analytics server appliance.
- Open /etc/puppet/modules/esa/manifests/init.pp in a text editor.
- Find the section with the keyword management, which reads:
firewall {'1 ESA ActiveMQ IN':
chain => 'INPUT',
iniface => $management_interface,
proto => 'tcp',
source => $sa_server,
dport => 50030,
state => ['NEW','ESTABLISHED'],
action => 'accept'
}
firewall {'2 ESA ActiveMQ OUT':
chain => 'OUTPUT',
outiface => $management_interface,
proto => 'tcp',
sport => 50030,
state => 'ESTABLISHED',
action => 'accept'
}
- Replace $management_interface with the interface you wish to use, for instance em2, as shown:
firewall {'1 ESA ActiveMQ IN':
chain => 'INPUT',
iniface => 'em2',
proto => 'tcp',
source => $sa_server,
dport => 50030,
state => ['NEW','ESTABLISHED'],
action => 'accept'
}
firewall {'2 ESA ActiveMQ OUT':
chain => 'OUTPUT',
outiface => 'em2',
proto => 'tcp',
sport => 50030,
state => 'ESTABLISHED',
action => 'accept'
}
- Save and exit.
- The configuration updates are pushed to the appliances every 30 minutes, so no further action is needed.
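Added example (not from the RSA article or the product's own tooling): a small POSIX shell check that reads an iptables-save file and reports whether both ESA ActiveMQ rules name the expected interface, so you can confirm the manifest change took effect after the next puppet run rather than waiting for the port 50030 connection to fail again. The sample rules, the 192.0.2.10 source address and the function names are constructed for this example.

```shell
#!/bin/sh
# Added check (not part of the RSA article): confirm that both ESA ActiveMQ
# rules in an iptables-save file name the interface you expect, so a puppet
# run that quietly restored the old interface is noticed. On a real ESA host
# pass /etc/sysconfig/iptables; the sample rules below are constructed.

# Print the interface of the rule carrying the given --comment string:
# the word after "-i" (INPUT rules) or "-o" (OUTPUT rules).
esa_rule_iface() {
    awk -v c="$2" 'index($0, "--comment \"" c "\"") {
        for (i = 1; i <= NF; i++)
            if ($i == "-i" || $i == "-o") { print $(i + 1); exit }
    }' "$1"
}

# Return 0 when both ESA ActiveMQ rules use the expected interface, else 1.
check_esa_ifaces() {
    rules_file="$1"; expected="$2"; rc=0
    for c in "1 ESA ActiveMQ IN" "2 ESA ActiveMQ OUT"; do
        found=$(esa_rule_iface "$rules_file" "$c")
        if [ "$found" != "$expected" ]; then
            echo "MISMATCH: '$c' uses '${found:-<none>}', expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Interface that actually carries the management address (ip(8) instead of
# ifconfig); on a live host compare it with what the rules name.
mgmt_iface() {
    ip -o -4 addr show | awk -v a="$1" '$4 ~ ("^" a "/") { print $2; exit }'
}

# Constructed sample: the IN rule was moved to em2 by hand, but puppet has put
# the OUT rule back on em1, the symptom described in the article.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -i em2 -p tcp -m multiport --dports 50030 -s 192.0.2.10 -m comment --comment "1 ESA ActiveMQ IN" -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o em1 -p tcp -m multiport --sports 50030 -m comment --comment "2 ESA ActiveMQ OUT" -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
check_esa_ifaces "$sample" em2 || echo "update \$management_interface in init.pp and wait for the next puppet run"
rm -f "$sample"
```

Run it against /etc/sysconfig/iptables with the interface reported by mgmt_iface for the ESA management address; any MISMATCH line means the manifest still points at the old interface.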