This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Event Stream Analysis (ESA) service is reported to be down after modifying the interfaces in RSA Security Analytics 10.6.x

Article Number

000001436

Applies To

RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Event Stream Analysis (ESA), User Interface
RSA Version/Condition: 10.6.x.x
Platform: CentOS

 

Issue

This issue is reported when the Event Stream Analysis interface is changed as required by a customer.
However, iptables entries are going back to the default interface every time it is restarted or rebooted and puppet agent -t executes and the RSA Event Stream Analysis appliance.

 

Cause

A customer was previously using em1 and has now moved the interface to em2, changing the iptables entry (replacing em1 with em2). However, whenever the server is restarted or rebooted and puppet agent -t executes, the iptable entries revert back to using the em1 interface. 

Below is the location of iptables on the RSA Event Stream Analysis Server which shows the interface.  
#cat /etc/sysconfig/iptables 
-A OUTPUT -o em1 -p tcp -m multiport --sports 50030 -m comment --comment "2 ESA ActiveMQ OUT" -m state --state ESTABLISHED -j ACCEPT 
Running ifconfig shows the interface actually being used.

Verify that  the connection from the RSA Security Analytics server to the RSA Event Stream Analysis connection is not successful on port 50030 when the iptable service is running.  SSH to RSA Security Analytics Server and run the following:

# curl -v <RSA Event Stream Analysis IP>:50030

Resolution

To resolve the issue,

  1. SSH to the RSA Security Analytics server appliance.
  2. Open /etc/puppet/modules/esa/manifests/init.pp in a text editor.
  3. Find the section with keyword management, where it says:
firewall {'1 ESA ActiveMQ IN': 
chain => 'INPUT', 
iniface => $management_interface, 
proto => 'tcp', 
source => $sa_server, 
dport => 50030, 
state => ['NEW','ESTABLISHED'], 
action => 'accept' 
} 

firewall {'2 ESA ActiveMQ OUT': 
chain => 'OUTPUT', 
outiface => $management_interface, 
proto => 'tcp', 
sport => 50030, 
state => 'ESTABLISHED', 
action => 'accept'
}
  1. Modify the string of $management_interface with the interface which you wish to use. For instance, em2, as shown:
firewall {'1 ESA ActiveMQ IN': 
chain => 'INPUT', 
iniface => em2, 
proto => 'tcp', 
source => $sa_server, 
dport => 50030, 
state => ['NEW','ESTABLISHED'], 
action => 'accept' 
} 

firewall {'2 ESA ActiveMQ OUT': 
chain => 'OUTPUT', 
outiface => em2,
proto => 'tcp', 
sport => 50030, 
state => 'ESTABLISHED', 
action => 'accept'
}
  1. Save and exit. 
  2. The configuration updates are pushed every 30 minutes to the appliances so there is no need to perform any further actions.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 01:52 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.