RSA, The Security Division of EMC, announces the release of RSA enVision Event Source Update 84

Document created by RSA Admin Employee on Sep 8, 2015Last modified by RSA Link Team on Mar 14, 2016
Version 3Show Document
  • View in full screen mode


RSA enVision Event Source Update #84 is complete and ready for download at:



Event Source Update: RSA enVision 4.1

Note: RSA has discontinued support for enVision 4.0 and earlier systems.



From the previous month, this package includes additions and updates to the following content:



New Event Sources


Support for the following product has been added for this release:

  • Radiator Radius Server


Updated Event Sources


Support for the following product versions have been added for this release:



  • Barracuda WAF version 7.9.2
  • Cisco IronPort ESA added Syslog collection



The following Event Sources have had updates for this release:


  • Cisco Adaptive Security Appliance
  • Cisco Secure IDS or IPS
  • Cisco IronPort ESA
  • F5 Big-IP Local Traffic Manager
  • FireEye Web Malware Protection System
  • Fortinet FortiGate
  • IBM ISS SiteProtector
  • Juniper Networks Intrusion Detection and Prevention
  • Juniper Networks SSL VPN
  • Linux
  • McAfee Firewall Enterprise
  • McAfee Network Security Platform
  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Internet Information Services
  • RSA Auth Manager and User Credential Manager
  • SonicWALL Firewall
  • Sourcefire Defense Center/SNORT
  • Symantec Endpoint Protection
  • Websense Web Security


Note: If you are running RSA enVision 4.1 SP 1 on Windows 2008, you cannot install the updates for Microsoft SQL Server.

Important! If  you choose to install Content 2.0 updates for Windows Event (NIC) or  Microsoft Exchange, or standard content update for Microsoft SQL Server,  you must install EBF ENV-36943. This hot fix is required for the  Windows Eventing Collector Service to start. For details, contact RSA  enVision Customer Support, at


The date of the VAM Update that is included with this Event Source Update is 18 June 2015.


RSA  enVision 4.1 SP1 may encounter a termination of the Webserver service  when logging on after the ESU is applied. This is often the result of a  report limitation that is reached due to the increased number of event  source XMLs being loaded on the enVision server. Although this issue is  resolved in Service Pack 1 Patch 1, there is a workaround available now.

To enable this workaround:

  1. On the A-SRV, stop the NIC Scheduler service via services.msc.
  2. On the A-SRV, start the NIC Webserver service via services.msc if it is not already started.
  3. Open the enVision interface, and navigate to Overview > System Configuration > Devices > Manage Device Types.
  4. Disable device types that are not being used.
  5. Stop the Webserver service, and start the Scheduler service.
  6. Start the Webserver and Alerter services.


Event  Explorer may encounter a premature end of file error while processing  event source data from enVision. This is often the result of the  enVision server running out of available memory due to the increased  number of event source XMLs being loaded on the enVision server. You can  reduce the memory usage by disabling support for event source types not  in use in your environment.


The  delivery of Content 2.0 rules is now sensitive to the version of event  source (device) XMLs delivered. If the Content 2.0 rules are going to be  delivered, but not all the v2.0 device XMLs that depend on them are  being delivered, a screen displays showing which Content 2.0 event  sources must also be selected to eliminate the conflict.


The  Client-Side Content Update package contains content updates to the RSA  Event Source Integrator (ESI) content scheme and RSA enVision Event  Explorer as an alternative to downloading the enVision Event Source  Update package. The Installer provides a more portable content installer  for RSA enVision components that do not require the entire Event Source  Update package for updates.


  • The  monthly Event Source Update package is cumulative. When run, it updates  all event source content in the package to the latest version, if not  yet at that version. (Note, however, that users can select which event  sources to install.)
  • The package also includes a recent VAM  & Signature Content Update. If you install the VAM updates  regularly, the versions of some VAM sources included with the Event  Source Update may be older than ones already on your system. If so, the  Event Source Update will not overwrite your newer files.
  • Event  Source Update and VAM & Signature Update cannot be run concurrently.  After starting the installation for either update, you must wait for  installation to complete on all nodes before beginning to install the  other.
  • The following devices have issues with event time parsing: Tipping Point, Cisco IronPort WSA, EMC DPA, and Squid.
  • If  you want to parse Event Time to readable time, you must be running  enVision 4.0 SP4. For details about the hot fix, contact RSA Technical  Support.
  • ESI (Event Source Integrator) Schema Update. The Event Source Update installer provides an option for updating your ESI schema.
  • Manual  updates to some attributes of the content made since its previous  delivery will be merged, updates to some attributes will not be; see the  How ESU Works section of the Getting Started chapter of the associated  documentation for more details on which attributes are preserved and  which are not.
  • Versions of RSA enVision prior to 4.0 have a  limitation on the number of event sources that can be configured. The  installer displays a warning if you could possibly encounter this  limitation during installation. See the documentation for details.
  • RSA will use reasonable commercial efforts to support vendor products that have been designated as end of support.
  • All  correlation rules that have names beginning with ÔNIC*Õ are no longer  delivered with the Event Source Update. The Event Source Update will not  affect these rules if they are being used.
  • Note that Updated enVision Help is delivered to all enVision 4.0 nodes.


  • Once  Content 2.0 has been delivered for an event source, you must follow  manual steps to roll back to the V1.0 content. For details, see the  Help. Additionally, you may need to reindex your data.
  • Content  2.0 features substantial improvements to the parsing of event data into  the various tables that are used for queries and reports. Content 2.0 is  the future direction for all event sources within the supported  library. For rules and reports, note the following: 
    *   For factory  reports, as existing event sources are converted to Content 2.0, their  device-specific reports are updated to work with 
        the new content. In some cases, class-specific reports have replaced device-specific reports. 
    *   Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing. 
    *   Custom rules, that involve event sources updated to work with Content 2.0, need to be rewritten. 
    *   Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the 
       RSA enVision Content Inspection Tool document and the online Help topics that describe the Content 2.0 tables.
  • For  existing event source types converted to Content 2.0, events collected  before the conversion must be reindexed using the enVision lsmaint command. Note the lsmaint command does not reindex events being collected during the current GMT day, so you must reindex those events the next GMT day.

A full explanation of lsmaint and how to use it is available in the enVision Help system.


If  you would like to get support for additional events sources or more  recent versions of existing supported event sources, please register the  request using this URL: