000016927 - Lsdata Utility Instructions for RSA enVision

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000016927
Applies To: enVision (All Currently Supported Versions), Lsdata
Issue: Lsdata Utility Instructions
What is the purpose of the lsdata.exe utility and how do I use it?
Resolution
You can use the lsdata utility to extract events directly from the enVision database.

To run the lsdata command, you should be logged in as the master account with a command prompt open in the %_ENVISION%\bin directory (this is where the lsdata command resides). For a multi-node installation (LS stack), you should be logged into the D-SRV.

The format of the lsdata command is:

lsdata -events <format> -time <starting time> <ending time> -devices <device specifications>

For each parameter, if you run lsdata -help <parameter>, the lsdata utility shows you the supported syntax.

So, for example, running lsdata -help events returns a detailed screen showing all of the different formats in which you can export your data:

   -events <type>
      <type>               type specifier for the type of statistics data to be returned
         format
         ------
         Syslog            Syslog {mmm dd HHmmss [Device] Event}
         SyslogEx          Syslog Extended {yyyy/mm/dd HHmmss.sss [Device] Event}
         SyslogEid         Syslog Extended {yyyy/mm/dd HHmmss.sss [EID] [Device] Event}
         SyslogCsv         csv {yyyymmddHHmmss.sss,EID,Domain,Site,DeviceSet,DeviceIP,SeverityLevel,PayLoad}
         SyslogCsvUtc      csv {MillisecondUTC,EID,Domain,Site,DeviceSet,DeviceIP,SeverityLevel,PayLoad}
         ParsedCsv         csv parsed data
         SyslogParsedCsv   Both the Syslog and ParsedCsv data

The lsdata command also defines alias equivalents for the most common commands:

Alias Equivalents:
   lsdata -d  0            alias for "lsdata -events Syslog"
   lsdata -d  1            alias for "lsdata -events SyslogEx"
   lsdata -d  2            alias for "lsdata -events ParsedCsv"

The -time parameters are in the form yyyymmddhhmm. One minute's worth of data is the smallest interval on which you can extract.

Finally, the -devices argument has four fields:

   -devices "<devicespec>" "<devicespec>"..."<devicespec>"
      <devicespec>         specification for device(s)
                           double quoted to prevent cmd shell from handling special characters
         format
         ------
         [[[<site>:]<deviceset>:]<devicetype>:]<device>[<eventspec>]
         <site>            name of the site where the data is located
         <deviceset>       name of the device set associated with the device(s)
         <devicetype>      name of the devicetype associated with the device(s)
         <device>          name of device
                           wildcard characters "*" and "?" can be used in any
                           of the site, deviceset, devicetype, or device values.
                           The device value also supports "[n]"
            examples
            --------
            192.168.1.202          ipaddress
            *                      all devices
            192.168.1.[1]*         all devices within the 192.168.1.100 to 192.168.1.199 range
            10.1[01].*             all devices with a starting address of 10.10 or 10.11
            *.*.5.*                all devices with third octet value of 5
            ciscopix:*             all devices that are of type ciscopix
            netscreen:*            all devices that are of type netscreen
            SITE1:SITE1-DS1:nic:*  all devices that are of type nic located on SITE1'S DS1 node
         <eventspec>       event type specification
                           eventtypes separated by "|" character
            examples
            --------
            106006|302006    include event types 106006 and 302006
         <devicespec> examples
         ---------------------
         ciscopix:*,netscreen:*,ds1:*:*
         ds1:ciscopix:*,ds2:*:ip3
         ip1(et1|et2),ds2:ciscopix:*(et4|et5)
         ciscopix:*|ds2:*:ip2|ip3(et1|et2),toplayer:*(et4|et5)

So, assuming you wanted to retrieve the data from January 1, 2012 to January 7, 2012 for all of your Cisco ASA firewalls and you wanted that data in Syslog format, you would run the following command:

lsdata -d 0 -time 20120101 20120107 -devices "ciscoasa:*" > results.txt
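Because a mistyped device specification silently selects the wrong devices (or none) for a long extraction, it helps to check a spec against the devicespec grammar above before running lsdata. The following Python matcher is an added example, not RSA's code; it assumes the grammar shown in the help text, that "*" and "?" are shell-style wildcards, that "[n]" is a one-character class, and that each field is matched independently and case-insensitively.

```python
"""Helpers for lsdata device specifications (added example, not RSA's code).
Assumes the grammar [[[<site>:]<deviceset>:]<devicetype>:]<device>[(<eventspec>)] from the
help text, "*" / "?" as shell-style wildcards, "[n]" as a one-character class, fields
matched independently and case-insensitively."""
import re
from typing import NamedTuple, Tuple

class DeviceSpec(NamedTuple):
    site: str                    # "*" when the prefix was omitted
    deviceset: str
    devicetype: str
    device: str
    eventtypes: Tuple[str, ...]  # empty tuple = all event types

def parse_devicespec(spec: str) -> DeviceSpec:
    """Split one devicespec into its fields, filling omitted prefixes with "*"."""
    m = re.fullmatch(r"([^()]+)(?:\(([^()]*)\))?", spec.strip())
    if not m:
        raise ValueError(f"malformed devicespec: {spec!r}")
    fields = m.group(1).split(":")
    if len(fields) > 4:
        raise ValueError(f"too many ':'-separated fields in {spec!r}")
    events = tuple(e for e in (m.group(2) or "").split("|") if e)
    return DeviceSpec(*(["*"] * (4 - len(fields)) + fields), events)

def _glob_to_regex(pattern: str) -> str:
    """Translate the "*", "?" and "[n]" wildcards into an anchored regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern[i] == "[":                    # "[n]" character class
            j = pattern.find("]", i)
            if j == -1:
                raise ValueError(f"unterminated '[' in {pattern!r}")
            out += "[" + re.escape(pattern[i + 1:j]) + "]"
            i = j
        else:
            out += {"*": ".*", "?": "."}.get(pattern[i], re.escape(pattern[i]))
        i += 1
    return out

def matches(spec, site, deviceset, devicetype, device, eventtype=None) -> bool:
    """True if a device (and, when given, one event type) is selected by spec."""
    ds = parse_devicespec(spec) if isinstance(spec, str) else spec
    for pat, value in zip(ds[:4], (site, deviceset, devicetype, device)):
        if not re.fullmatch(_glob_to_regex(pat), value, re.IGNORECASE):
            return False
    # An empty eventspec selects every event type; otherwise it must be listed.
    return eventtype is None or not ds.eventtypes or eventtype in ds.eventtypes
```

Feed it the site, device set, device type and device name of a few known devices and confirm the spec selects exactly the ones you expect before passing it to -devices.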
Legacy Article ID: a63342
