Article Number
000032867
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): Esper
O/S Version: EL6
Issue
On ESA version 10.5.x and above, the UsingEventTime property ships with an incorrect default value of false.
Cause
The ESA appliance is powered by Esper and is designed to live in the state of 'NOW' and does not read the system clock.
Security Analytics can pass the event time to the ESA and normally does so by default. In 10.5.x versions, the default setting that enables this was inadvertently disabled.
Resolution
To resolve this issue, go to the Explore view of the ESA and change the setting by following the steps below.
- In the Security Analytics UI, navigate to Administration -> Services.
- Find the ESA service, click on the gear icon to its right, and select View -> Explore.
- In the directory structure that presents itself on the left, click the + next to CEP and then click the + next to Engine.
- Click on the cepEngine listing and the window on the right of the screen will populate with information.
- Search for the string UsingEventTime, which will be set to false, and change the setting to true.
Once this setting is changed, restart the ESA service by following the steps below.
- In the Security Analytics UI, navigate to Administration -> Services.
- Find the ESA service, click on the gear icon to its right, and select Restart.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.