Creating new tables
After creating a few UDS for several custom devices (tables from DBs, unique applications etc.) I have come to a problem that keeps bugging me: do I have to stick to the already defined category tables in enVision, like Database or Access Control, when creating a new device, or can I create new tables that suit my needs? It's absurd to try to adjust every possible device to an existing table. Let's take for example AS400 Razlee firewall events - this device generates 30~40 field events. How can I "bend" the fields to fit into an already defined table?
So now I can't fully analyze the events because ~70% of the fields cannot be related to an existing table.
If anyone knows if and how to add new tables I'll be grateful for the help.
The thing to keep in mind as a UDS developer is that you can mask a lot of things the end user may see.
It is quite common to run into logs from event sources that contain data that doesn't appear to map well to any particular enVision database table/field. This is where you need to get creative.
Pick the closest table possible with the number of fields you need, assign what you can to the fields that make the most sense, and then after that you'll need to just map the oddball fields to what remains. Just make sure you document what you do with comments in your XML file so you have something to go back to.
Remember - when you create reports later on, you can always change the column names so they display a title more in alignment with what the data actually is.
While Matt gives some great guidance to work with the current product, this is a major area for future improvement (2009 and beyond). We're working on such things as a new taxonomy, which will give you more granularity in mapping messages to event types.
We're also working on a new relational analysis tier, so that customers can extend the schema and do all sorts of cool reporting using the flexibility that relational db's provide.
Does that mean IPDB goes away? Nope. This will complement it; I'd encourage you to watch out for a product roadmap webcast that will be advertised on this community soon.
Hi, I have an idea which sits somewhere between your suggestion and Roy's request. Maybe RSA should extend the DB schema by adding one additional table called "Generic", with some of the most common fields like: timestamp, device type, device address, username, source and destination address, and several (10-20) additional fields (both numeric and textual) for additional info supplied by the UDS developer. It would not lead to confusion when, for example, I put accounting data from PBS into the firewall accounting table (it will spoil several firewall reports). It should be known to every user/developer that the generic table is designed for such usage.
Good suggestion. We are going down this path for the 50 or so most common variables coming from log message parsers. Stay tuned for whether this arrives in Version 4.0 (late 2008) or the following release.
Thanks for the responses. I have another idea - as I become more and more familiar with the UDS files, I find it a bit problematic that I have to write a specific message for each and every single event, sometimes causing the UDS files to contain hundreds to thousands of messages. Why not allow writing a generic format and an exception rule at the end of the UDS that will catch all the unparsed events?
I'll explain myself - let's say that I'm reading application events from a DB table - the format is always the same
but I still have to define each and every message by the messageid field, causing me overhead in the file, and I also need to map every single event that the application creates, a thing that by itself is most difficult and mostly impossible because I can't get access to this info or the cooperation of the developers - so now I'm missing a lot of events and I need to go back every time and cross check the UDS file with the raw data, not to mention systems that keep updating on a regular basis like IDS/IPS/AV etc.
And the exception rule - basically it should have the headers correct and the message should contain every payload that I haven't already defined; this will allow me to see every message that I've missed so I can update the UDS accordingly.
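The per-message definitions plus a catch-all exception rule that the post above asks for can be modelled in a few lines. The following is an added example, not code from this thread or from enVision; the event format, the field names, the message ids and the sample log lines are all constructed here, and the point is only to show how a fallback rule keeps unparsed payloads visible so the parser definitions can be completed later instead of silently dropping events.

```python
"""Added example (not part of the thread or of enVision): specific per-message
rules plus one catch-all exception rule that keeps every unparsed event visible.
Event format, field names, message ids and sample lines are constructed."""

import re
from collections import Counter

# Constructed sample events in the "same format every time" style the poster
# describes: a fixed header, a message id, then a pipe-delimited payload.
SAMPLE_EVENTS = [
    "2008-11-03 10:15:02 appsrv1 MSG=1001|admin|10.0.0.5|LOGIN_OK",
    "2008-11-03 10:15:09 appsrv1 MSG=1002|admin|10.0.0.5|SELECT|customers",
    "2008-11-03 10:16:44 appsrv1 MSG=1001|jdoe|10.0.0.77|LOGIN_OK",
    "2008-11-03 10:17:01 appsrv1 MSG=2050|jdoe|10.0.0.77|GRANT|dba|to|svc_batch",
    "2008-11-03 10:17:30 appsrv1 MSG=1003|jdoe|10.0.0.77|LOGOUT",
]

# Header shared by every event (hypothetical format).
HEADER_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) MSG=(?P<msg_id>\d+)\|(?P<payload>.*)$"
)

# Specific message definitions: msg_id -> ordered payload field names.
# These play the role of the per-message entries in a UDS file.
MESSAGE_FIELDS = {
    "1001": ["username", "saddr", "action"],
    "1002": ["username", "saddr", "action", "object"],
    "1003": ["username", "saddr", "action"],
}


def parse_event(line):
    """Return a dict of parsed fields. Known msg_ids map payload columns to
    named fields; anything else falls through to the exception rule, which
    keeps the header fields and the whole raw payload so nothing is lost."""
    m = HEADER_RE.match(line)
    if not m:
        # A line whose header does not even match is kept, tagged as unparsed.
        return {"parsed": False, "msg_id": None, "payload": line}
    event = {k: m.group(k) for k in ("date", "time", "host", "msg_id")}
    payload = m.group("payload")
    names = MESSAGE_FIELDS.get(event["msg_id"])
    if names is None:
        event.update({"parsed": False, "payload": payload})
        return event
    values = payload.split("|")
    if len(values) != len(names):
        # Field-count drift (e.g. after an application update) is surfaced too.
        event.update({"parsed": False, "payload": payload})
        return event
    event.update(zip(names, values))
    event["parsed"] = True
    return event


def coverage_report(lines):
    """Summarise how many events the specific rules handled and which message
    ids still lack a definition: the cross-check the poster currently does by
    hand against the raw data."""
    events = [parse_event(line) for line in lines]
    unknown = Counter(e["msg_id"] for e in events if not e["parsed"])
    return {
        "total": len(events),
        "parsed": sum(e["parsed"] for e in events),
        "unparsed_msg_ids": dict(unknown),
    }


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(parse_event(line))
    print(coverage_report(SAMPLE_EVENTS))
```

Running it shows msg_id 2050 (the constructed GRANT event) landing in the fallback with its full payload intact, and the report lists it as the one definition still missing; that list is what an operator would review after each application or signature update.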
I have a table for example "Database Audit" and the fields are:
Do you have any documents that explain what the fields are:
TRUE, CHART, INT1, NULL, 32, 32_2, 32_3, HOST, RESERVED, DOUBLE1, etc
event_type, permissions, db_process, uhost, msg_id, etc.
I have a problem with the uhost field with the SAP device; this field is not visible in the QUERY tool or in reports.
The XML fragment is:
content="<@eventtime:*EVNTTIME($MSG,'%W%M%D %H%U%S',date,time)><@:*SYSVAL($MSGID,$ID1)><@action:Logon Failed> <host>||<fld1>||<fld2>||<date> <space>||<time> <space>||<terminal>||<username>||<uhost>||<trans_id>||<node>||<fld3>||<fld4>||<event_type>||<mode>||<fld5>||Logon Failed (Reason =<error>, Type =<fld6> <space>||<fld7>||<fld8>||<fld9>||<fld10>||<fld11>||<fld12>" />
I think that I need add the column "uhost" on the table Database Audit
..but this is not running. I don't know what values to add for CHAR and CHAR64_9, and if this is ok.
Thanks a lot!
CHAR64_9 is not a valid variable.
If you are going to be doing this, you MUST use the variables listed in the variables.ini file.
For the record, this is not an officially supported procedure, and as a result there is no documentation. You break it, you own it.