000024630 - Adding Cached Variables in Correlated Rules

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Number: 000024630
Applies To: enVision 3.X
Issue: Adding Cached Variables in Correlated Rules
Cached variables do not store the cached information from events correctly. The cached variable definition must be added manually, directly to the correlated rule's XML file.
Resolution

First, locate the rule on the enVision server (Asrv for LS). The rule is located in the %_ENVISION%\etc\devices\correlation_xxxx folder.

Open the file in Notepad. The new line becomes the second line of the XML, inserted immediately after the <cad timestamp> line.

Add the cached variable line using the following options:

To cache variables from within an event
This caches the listed variables. Up to three can be specified, separated by colons. Examples:
<thread value="1" set="laddr"/>
<thread value="1" set="laddr:faddr"/>
<thread value="1" set="laddr:faddr:ldtype"/>

To cache based on the source of the event
The devalue fields are static device attributes: domain (the NIC LS domain name), site (the site name), node (the node name) and addr (the device IP address). Examples:
<thread value="1" set="faddr:laddr" devalue="addr"/>
<thread value="1" set="faddr:laddr" devalue="node:addr"/>
<thread value="1" set="faddr:laddr" devalue="site:node:addr"/>
<thread value="1" set="faddr:laddr" devalue="domain:site:node:addr"/>

Note: The attribute value="1" means that up to 1024 instances are cached. This can be increased, but 1 is the recommended value for performance.
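As an added example (not RSA's own tooling), the Python helper below builds a <thread> line under the constraints above (one to three set variables, devalue fields drawn from domain/site/node/addr) and inserts it directly after the <cad timestamp> line, refusing to add a second one. The sample rule body and the closing </cad> tag are constructed assumptions; only the <cad> line itself comes from the article.

```python
"""Insert a cached-variable <thread> line into an enVision correlated rule XML.
Added example, not RSA code. Assumes the rule file begins with the <cad timestamp=...>
line described in the article and edits the file as text so the rest is untouched."""
import re

# Static per-device fields the article allows in devalue, in the documented order.
DEVALUE_FIELDS = ("domain", "site", "node", "addr")
MAX_SET_FIELDS = 3  # the article allows up to three variables in set=


def build_thread_line(set_fields, devalue_fields=(), value=1):
    """Return a <thread .../> line, validating the article's constraints."""
    if not 1 <= len(set_fields) <= MAX_SET_FIELDS:
        raise ValueError("set= takes between 1 and %d variables" % MAX_SET_FIELDS)
    for f in list(set_fields) + list(devalue_fields):
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", f):
            raise ValueError("bad variable name: %r" % f)
    if not set(devalue_fields) <= set(DEVALUE_FIELDS):
        raise ValueError("devalue= fields must be drawn from %s" % (DEVALUE_FIELDS,))
    if value < 1:
        raise ValueError("value= must be a positive integer")
    attrs = 'value="%d" set="%s"' % (value, ":".join(set_fields))
    if devalue_fields:
        # Emit devalue in the documented order domain:site:node:addr.
        ordered = [f for f in DEVALUE_FIELDS if f in devalue_fields]
        attrs += ' devalue="%s"' % ":".join(ordered)
    return "<thread %s/>" % attrs


def insert_cached_variable(rule_xml, thread_line):
    """Place thread_line directly after the <cad ...> line; refuse duplicates."""
    lines = rule_xml.splitlines()
    cad_idx = next((i for i, l in enumerate(lines) if l.lstrip().startswith("<cad")), None)
    if cad_idx is None:
        raise ValueError("no <cad timestamp> line found; not an enVision rule file?")
    if any(l.lstrip().startswith("<thread") for l in lines):
        raise ValueError("rule already carries a <thread> line; edit it instead")
    lines.insert(cad_idx + 1, thread_line)
    return "\n".join(lines) + "\n"


# Constructed sample: the timestamp value, the comment and the closing tag are
# placeholders standing in for a real rule body.
SAMPLE_RULE = '<cad timestamp="2016-06-14T00:00:00">\n  <!-- rule body -->\n</cad>\n'

if __name__ == "__main__":
    line = build_thread_line(["faddr", "laddr"], ["node", "addr"])
    print(insert_cached_variable(SAMPLE_RULE, line))
```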

Legacy Article ID: a36671
