RSA enVision Event Source Update #84 is complete and ready for download at:
Event Source Update: RSA enVision 4.1
Note: RSA has discontinued support for enVision 4.0 and earlier systems.
From the previous month, this package includes additions and updates to the following content:
New Event Sources
Support for the following product has been added for this release:
- Radiator Radius Server
Updated Event Sources
Support for the following product versions have been added for this release:
- Barracuda WAF version 7.9.2
- Cisco IronPort ESA added Syslog collection
The following Event Sources have had updates for this release:
- Cisco Adaptive Security Appliance
- Cisco Secure IDS or IPS
- Cisco IronPort ESA
- F5 Big-IP Local Traffic Manager
- FireEye Web Malware Protection System
- Fortinet FortiGate
- IBM ISS SiteProtector
- Juniper Networks Intrusion Detection and Prevention
- Juniper Networks SSL VPN
- McAfee Firewall Enterprise
- McAfee Network Security Platform
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Internet Information Services
- RSA Auth Manager and User Credential Manager
- SonicWALL Firewall
- Sourcefire Defense Center/SNORT
- Symantec Endpoint Protection
- Websense Web Security
Note: If you are running RSA enVision 4.1 SP 1 on Windows 2008, you cannot install the updates for Microsoft SQL Server.
Important! If you choose to install Content 2.0 updates for Windows Event (NIC) or Microsoft Exchange, or standard content update for Microsoft SQL Server, you must install EBF ENV-36943. This hot fix is required for the Windows Eventing Collector Service to start. For details, contact RSA enVision Customer Support, at email@example.com.
The date of the VAM Update that is included with this Event Source Update is 18 June 2015.
RSA enVision 4.1 SP1 may encounter a termination of the Webserver service when logging on after the ESU is applied. This is often the result of a report limitation that is reached due to the increased number of event source XMLs being loaded on the enVision server. Although this issue is resolved in Service Pack 1 Patch 1, there is a workaround available now.
To enable this workaround:
- On the A-SRV, stop the NIC Scheduler service via services.msc.
- On the A-SRV, start the NIC Webserver service via services.msc if it is not already started.
- Open the enVision interface, and navigate to Overview > System Configuration > Devices > Manage Device Types.
- Disable device types that are not being used.
- Stop the Webserver service, and start the Scheduler service.
- Start the Webserver and Alerter services.
EVENT EXPLORER ERROR - PREMATURE END OF FILE
Event Explorer may encounter a premature end of file error while processing event source data from enVision. This is often the result of the enVision server running out of available memory due to the increased number of event source XMLs being loaded on the enVision server. You can reduce the memory usage by disabling support for event source types not in use in your environment.
SPECIAL NOTE FOR RULE UPDATES
The delivery of Content 2.0 rules is now sensitive to the version of event source (device) XMLs delivered. If the Content 2.0 rules are going to be delivered, but not all the v2.0 device XMLs that depend on them are being delivered, a screen displays showing which Content 2.0 event sources must also be selected to eliminate the conflict.
CLIENT-SIDE CONTENT UPDATE
The Client-Side Content Update package contains content updates to the RSA Event Source Integrator (ESI) content scheme and RSA enVision Event Explorer as an alternative to downloading the enVision Event Source Update package. The Installer provides a more portable content installer for RSA enVision components that do not require the entire Event Source Update package for updates.
- The monthly Event Source Update package is cumulative. When run, it updates all event source content in the package to the latest version, if not yet at that version. (Note, however, that users can select which event sources to install.)
- The package also includes a recent VAM & Signature Content Update. If you install the VAM updates regularly, the versions of some VAM sources included with the Event Source Update may be older than ones already on your system. If so, the Event Source Update will not overwrite your newer files.
- Event Source Update and VAM & Signature Update cannot be run concurrently. After starting the installation for either update, you must wait for installation to complete on all nodes before beginning to install the other.
- The following devices have issues with event time parsing: Tipping Point, Cisco IronPort WSA, EMC DPA, and Squid.
- If you want to parse Event Time to readable time, you must be running enVision 4.0 SP4. For details about the hot fix, contact RSA Technical Support.
- ESI (Event Source Integrator) Schema Update. The Event Source Update installer provides an option for updating your ESI schema.
- Manual updates to some attributes of the content made since its previous delivery will be merged, updates to some attributes will not be; see the How ESU Works section of the Getting Started chapter of the associated documentation for more details on which attributes are preserved and which are not.
- Versions of RSA enVision prior to 4.0 have a limitation on the number of event sources that can be configured. The installer displays a warning if you could possibly encounter this limitation during installation. See the documentation for details.
- RSA will use reasonable commercial efforts to support vendor products that have been designated as end of support.
- All correlation rules that have names beginning with ÔNIC*Õ are no longer delivered with the Event Source Update. The Event Source Update will not affect these rules if they are being used.
- Note that Updated enVision Help is delivered to all enVision 4.0 nodes.
CONTENT 2.0 NOTES
- Once Content 2.0 has been delivered for an event source, you must follow manual steps to roll back to the V1.0 content. For details, see the Help. Additionally, you may need to reindex your data.
- Content 2.0 features substantial improvements to the parsing of event data into the various tables that are used for queries and reports. Content 2.0 is the future direction for all event sources within the supported library. For rules and reports, note the following:
* For factory reports, as existing event sources are converted to Content 2.0, their device-specific reports are updated to work with
the new content. In some cases, class-specific reports have replaced device-specific reports.
* Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing.
* Custom rules, that involve event sources updated to work with Content 2.0, need to be rewritten.
* Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the
RSA enVision Content Inspection Tool document and the online Help topics that describe the Content 2.0 tables.
- For existing event source types converted to Content 2.0, events collected before the conversion must be reindexed using the enVision lsmaint command. Note the lsmaint command does not reindex events being collected during the current GMT day, so you must reindex those events the next GMT day.
A full explanation of lsmaint and how to use it is available in the enVision Help system.
If you would like to get support for additional events sources or more recent versions of existing supported event sources, please register the request using this URL: