This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-04-06 02:47 PM

Change a device type without affecting historical logs?

I have an IP address that's configured as multi-device (UNIX AIX and Oracle) in order to collect both AIX and Oracle logs from that device.

 

However for some unknown reason the enVision one day automatically created a third device type for this same IP called "Juniper JUNOS" and so now about half of the AIX logs for this IP are received/stored in the enVision as UNIX AIX logs, and the other half are received/stored as Juniper JUNOS logs.

 

It is as if there was a log event on that AIX server that occured one day that the enVision recognized as a Juniper JUNOS type of event, and so the enVision automatically created the new device type for this IP.

 

I don't think it's possible, but I wanted to confirm if there is a way to move back the logs for this IP recorded as Juniper JUNOS logs into the UNIX AIX logs, and to delete the Juniper JUNOS device. 

0 Likes
Reply
2 Replies
RSAAdmin
Beginner
Beginner
‎2011-04-07 08:53 AM

Unfortunately no - once logs have been identified and indexed as a particlar event source type there is no way to change them within the UI.

 

It is possible to export them via lsdata and then reinject them - then depending on the changes made they might be discovered correctly upon reinsertion, but your collection timestamp will be different if you do that. 

 

>>It is as if there was a log event on that AIX server that occured one day that the enVision recognized as a Juniper JUNOS type of event, and so the enVision automatically created the new device type for this IP.

 

This would happen if the AIX event source had been set as a multidevice and an unrecognized event showed up.  From that point forward, any other events unrecognized as AIX events that matched the Juniper JUNOS event format would be deposited there.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-04-08 10:46 AM

>>This would happen if the AIX event source had been set as a multidevice and an unrecognized event showed up.  From that point forward, any other events unrecognized as AIX events that matched the Juniper JUNOS event format would be deposited there.

 

Yeah that's what I thought.  Given that I'm collecting two types of logs for this same IP, I need to have multidevice checked.  Perhaps if there was a checkbox next to multidevice that you could check that would tell the RSA "Don't try to discover new device types for this IP address." so that if an unknown event type comes in that happens to look like the logs for device type X, the RSA doesn't create a new series of logs for device type X.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.