Article Number
000040010
Applies To
Product Set: NetWitness Platform
Product/Service Type: Security Analytics Server
Version/Condition: 11.5.x
Platform: CentOS
O/S Version: 7
Issue
After upgrading from 11.3.x to 11.5.x, the ESA service stopped aggregating data from the source Concentrators.
/var/log/netwitness/correlation-server/correlation-server.log shows warnings like the following.
WARN c.r.n.s.p.DefaultRecordStreamPolicy|Source admin@<Concentrator_IP>:50005 reported an error, retry after 10 seconds. Error: com.rsa.netwitness.streams.RecordStreamException: admin@<Concentrator_IP>:50005:java.nio.channels.UnresolvedAddressException
Running the 'curl -v <Concentrator_IP>:50005' command from the ESA hosts confirms a successful connection to the Concentrator.
Cause
The issue may occur when /etc/hosts on the ESA host does not contain the UUID and IP entry of the source Concentrators.
Resolution
In order to resolve the issue, please modify /etc/hosts on the ESA host to include an entry for all source Concentrators in the following format.
<Host IP> <Host_UUID> <Host_UUID>.netwitness
For example,
10.10.14.41 a71aa275-b95e-4d62-b17d-0c8907cdf0c1 a71aa275-b95e-4d62-b17d-0c8907cdf0c1.netwitness
After making the change, monitor /var/log/netwitness/correlation-server/correlation-server.log to confirm the warning no longer appears, and also check the Offered Rate under Configure-ESA RULES-Services.
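The following shell function is an added example, not part of the original article or of NetWitness tooling. It checks a hosts file for the "<Host IP> <Host_UUID> <Host_UUID>.netwitness" entry of each source Concentrator and prints the lines that are missing. The function name check_concentrator_hosts is hypothetical, and the 192.0.2.11 address and 22222222-... UUID are constructed sample values.

```shell
#!/bin/sh
# Added example: report source Concentrators that lack the
# "<Host IP> <Host_UUID> <Host_UUID>.netwitness" entry in a hosts file.
# Usage: check_concentrator_hosts HOSTS_FILE IP UUID [IP UUID ...]
# Prints each line that should be added; returns 1 if any entry is missing.
check_concentrator_hosts() {
    hosts_file=$1; shift
    missing=0
    while [ "$#" -ge 2 ]; do
        ip=$1; uuid=$2; shift 2
        if ! awk -v ip="$ip" -v uuid="$uuid" '
            BEGIN { uuid = tolower(uuid) }
            { sub(/#.*/, "") }                  # ignore comments
            $1 == ip {
                short = 0; fqdn = 0
                for (i = 2; i <= NF; i++) {     # host names are case-insensitive
                    name = tolower($i)
                    if (name == uuid) short = 1
                    if (name == uuid ".netwitness") fqdn = 1
                }
                if (short && fqdn) found = 1    # both names on the same line
            }
            END { exit (found ? 0 : 1) }
        ' "$hosts_file"; then
            printf '%s %s %s.netwitness\n' "$ip" "$uuid" "$uuid"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample hosts file: the first Concentrator matches the article's
# example entry, the second has only the bare UUID and is reported.
demo_hosts=$(mktemp)
cat >"$demo_hosts" <<'EOF'
127.0.0.1 localhost
10.10.14.41 a71aa275-b95e-4d62-b17d-0c8907cdf0c1 a71aa275-b95e-4d62-b17d-0c8907cdf0c1.netwitness
192.0.2.11 22222222-2222-2222-2222-222222222222   # UUID alias only
EOF
check_concentrator_hosts "$demo_hosts" \
    10.10.14.41 a71aa275-b95e-4d62-b17d-0c8907cdf0c1 \
    192.0.2.11 22222222-2222-2222-2222-222222222222 \
    || echo "Add the lines printed above to /etc/hosts on the ESA host."
rm -f "$demo_hosts"
```

On an ESA host, pass /etc/hosts as the first argument, followed by the IP and UUID of each source Concentrator.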