RSA, The Security Division of EMC, announces the release of RSA enVision Event Source Update 80

Document created by RSA Admin Employee on Jun 8, 2015. Last modified by RSA Link Team on Mar 14, 2016.
Version 3

Summary:

 

RSA enVision Event Source Update #80 is complete and ready for download at:
https://knowledge.rsasecurity.com/scolcms/sets.aspx?product=content_updates&_v=download

 

 

Platform:

Event Source Update: RSA enVision 4.1

Note: RSA has discontinued support for enVision 4.0 and earlier systems.

 

 

Description

This package includes the following additions and updates to content since the previous month:

  

 

New Event Source

  • F5 Big-IP Advanced Firewall Manager
  

 

Updated Event Sources

  

Support for the following product versions has been added for this release:

 
  • Cisco Identity Services Engine v 1.3
  • Cisco IDS or IPS v 7.2
  • F5 Big-IP Access Policy Manager v 11.4 HF4
  • Juniper Networks SSL VPN v 8.0 R7.1
  • Network Appliance Data ONTAP v 8.1.1 and v 8.2
 

 

The following Event Sources have had updates for this release:

 

 

 
  • Cisco LAN Management Solution
  • Cisco Wireless LAN Controller
  • EMC Clariion or VNX
  • Enterasys Dragon
  • IBM iSeries
  • IBM ISS SiteProtector
  • IBM Mainframe ICSF
  • IBM Mainframe IDMS
  • IBM Mainframe RACF
  • Juniper Networks IDP
  • Juniper Networks JUNOS
  • Linux
  • McAfee Network Security Platform
  • Microsoft Windows
  • Microsoft WSUS (documentation update only)
  • Oracle Access Manager
  • SNORT/Sourcefire Defense Center
  • Symantec Endpoint Protection
  

 

Note: If you are running RSA enVision 4.1 SP 1 on Windows 2008, you cannot install the updates for Microsoft SQL Server.

  

Important! If you choose to install Content 2.0 updates for Windows Event (NIC) or Microsoft Exchange, or the standard content update for Microsoft SQL Server, you must install EBF ENV-36943. This hot fix is required for the Windows Eventing Collector Service to start. For details, contact RSA enVision Customer Support at nic-support@rsa.com.

VAM UPDATE

 

The date of the VAM Update that is included with this Event Source Update is 7 May 2015.

WEBSERVER ERROR

 

RSA enVision 4.1 SP1 may encounter a termination of the Webserver service when logging on after the ESU is applied. This is often the result of a report limitation that is reached due to the increased number of event source XMLs being loaded on the enVision server. Although this issue is resolved in Service Pack 1 Patch 1, there is a workaround available now.

To enable this workaround:

  1. On the A-SRV, stop the NIC Scheduler service via services.msc.
  2. On the A-SRV, start the NIC Webserver service via services.msc if it is not already started.
  3. Open the enVision interface, and navigate to Overview > System Configuration > Devices > Manage Device Types.
  4. Disable device types that are not being used.
  5. Stop the Webserver service, and start the Scheduler service.
  6. Start the Webserver and Alerter services.
 

EVENT EXPLORER ERROR - PREMATURE END OF FILE

 

Event Explorer may encounter a premature end of file error while processing event source data from enVision. This is often the result of the enVision server running out of available memory due to the increased number of event source XMLs being loaded on the enVision server. You can reduce the memory usage by disabling support for event source types not in use in your environment.

 

SPECIAL NOTE FOR RULE UPDATES

 

The delivery of Content 2.0 rules is now sensitive to the version of event source (device) XMLs delivered. If the Content 2.0 rules are going to be delivered, but not all the v2.0 device XMLs that depend on them are being delivered, a screen displays showing which Content 2.0 event sources must also be selected to eliminate the conflict.

 

CLIENT-SIDE CONTENT UPDATE

 

The Client-Side Content Update package contains content updates to the RSA Event Source Integrator (ESI) content scheme and RSA enVision Event Explorer as an alternative to downloading the enVision Event Source Update package. The Installer provides a more portable content installer for RSA enVision components that do not require the entire Event Source Update package for updates.

 

NOTES

  • The monthly Event Source Update package is cumulative. When run, it updates all event source content in the package to the latest version, if not yet at that version. (Note, however, that users can select which event sources to install.)
  • The package also includes a recent VAM & Signature Content Update. If you install the VAM updates regularly, the versions of some VAM sources included with the Event Source Update may be older than ones already on your system. If so, the Event Source Update will not overwrite your newer files.
  • Event Source Update and VAM & Signature Update cannot be run concurrently. After starting the installation for either update, you must wait for installation to complete on all nodes before beginning to install the other.
  • The following devices have issues with event time parsing: Tipping Point, Cisco IronPort WSA, EMC DPA, and Squid.
  • If you want to parse Event Time to readable time, you must be running enVision 4.0 SP4. For details about the hot fix, contact RSA Technical Support.
  • ESI (Event Source Integrator) Schema Update. The Event Source Update installer provides an option for updating your ESI schema.
  • Manual updates made to some attributes of the content since its previous delivery will be merged; updates to other attributes will not be. See the How ESU Works section of the Getting Started chapter of the associated documentation for more details on which attributes are preserved and which are not.
  • Versions of RSA enVision prior to 4.0 have a limitation on the number of event sources that can be configured. The installer displays a warning if you could possibly encounter this limitation during installation. See the documentation for details.
  • RSA will use reasonable commercial efforts to support vendor products that have been designated as end of support.
  • All correlation rules that have names beginning with 'NIC*' are no longer delivered with the Event Source Update. The Event Source Update will not affect these rules if they are being used.
  • Note that updated enVision Help is delivered to all enVision 4.0 nodes.
 

CONTENT 2.0 NOTES

  • Once Content 2.0 has been delivered for an event source, you must follow manual steps to roll back to the V1.0 content. For details, see the Help. Additionally, you may need to reindex your data.
  • Content 2.0 features substantial improvements to the parsing of event data into the various tables that are used for queries and reports. Content 2.0 is the future direction for all event sources within the supported library. For rules and reports, note the following:
    *   For factory reports, as existing event sources are converted to Content 2.0, their device-specific reports are updated to work with the new content. In some cases, class-specific reports have replaced device-specific reports.
    *   Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing.
    *   Custom rules that involve event sources updated to work with Content 2.0 need to be rewritten.
    *   Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the RSA enVision Content Inspection Tool document and the online Help topics that describe the Content 2.0 tables.
  • For existing event source types converted to Content 2.0, events collected before the conversion must be reindexed using the enVision lsmaint command. Note that the lsmaint command does not reindex events being collected during the current GMT day, so you must reindex those events the next GMT day.

A full explanation of lsmaint and how to use it is available in the enVision Help system.

IMPORTANT MESSAGE:

 

If you would like to get support for additional event sources or more recent versions of existing supported event sources, please register the request using this URL:

 

http://www.rsa.com/go/partners/suggest_new.asp
