This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-07-21 12:24 PM

Creating new tables

Hi,

 

after creating a few UDS for several custom devices  (tables form DBS, unique applications etc.) i have come to a problem that keeps bugging me, do i have to stick to the already defined category tables in the enVision like Database or Acees Control when creating a new device or can i create new tables that suits to my needs - it's abosord to try to adjust every possible device to an existing table let's take for example - AS400 Razlee firewall events - this device generates a 30~40 fileds events how can i "bend" the fileds to fit in an already defined table?

so no i can't fully analyze the events because 70%~ of the fildes can not be related to an existing table.

if anyone knows if and how to add new tables i'll be greatful for the help.

thanks

0 Likes
Reply
8 Replies
RSAAdmin
Beginner
Beginner
‎2008-07-22 10:04 AM

Hello Roy,

 

The thing to keep in mind as a UDS developer is that you can mask a lot of things the end user may see.

 

It is quite common to run into logs from event sources that contain data that doesn't appear to map well to any particular enVision database table/field.  This is where you need to get creative.

 

Pick the closest table possible with the number of fields you need, assign what you can to the fields that make the most sense, and then after that you'll need to just map the oddball fields to what remains.  Just make sure you document what you do with comments in your XML file so you have something to back to.

 

Remember - when you create reports later on, you can always change the column names so they display a title more in alignment with what the data actually is.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-07-22 11:32 AM

Hi,

 

While Matt gives some great guidance to work with the current product, this is a major area for future improvement (2009 and beyond).  We're working on such things as a new taxonomy, which will give you more granularity in mapping messages to event types. 

 

We're also working on a new relational analysis tier, so that customers can extend the schema and do all sorts of cool reporting using the flexibility that relational db's provide.

 

Does that mean IPDB goes away?  Nope.  This will complement it; I'd encourage you to watch out for a product roadmap webcast that will be advertised on this community soon.

 

Best, Don

0 Likes
Reply
GrzegorzFlak
Beginner
Beginner
In response to RSAAdmin
‎2008-07-22 11:32 AM

Hi, IhaveanideawhichstaysomewherebetweenyoursuggestionandRoy'srequest. MaybeRSAshouldextendDBschemabyaddingoneadditionnaltablecalled "Generic", withsomemostcommonfieldslike: timestamp, devicetype, devicesaddress, username, sourceanddestinationaddress, andseveral (10-20) additionalfields (bothnumericandtextual) foradditionalinfosuppliedbyUDSdevelopper. ItwouldnotleadtoconfusionwhenforexampleintofirewallaccountingtableIputaccountingdatafromPBS (itwillspoilseveralfirewall'sreports. Itshouldbeknowntoeveryuser/developer, thatgenerictableisdesignedforsuchusage.

WhatdoYouthinkaboutmyidea?

 

Bestregads

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to GrzegorzFlak
‎2008-07-22 01:07 PM

Hi,

 

Good suggestion.  We are going down this path for the 50 or so most common variables coming from log message parsers.  Stay tuned for whether this arrives in Version 4.0 (late 2008) or the following release.

 

Best, Don

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-07-23 03:08 AM

Hi all,

 

thaks for the responses, i have another idea - as i becaming more and more familar with the uds files - i find it a bit of a problematic that i have to write a specifiec message for each and every single events cousing sometimes the uds files to contain houndred to thouends of messages, why not alow the write of a generic format and an exeption rule at the end of the uds that will cath all the unparsed events?

i'll explain myself - let's say that i'm reading an application events from a DB table - the format is always the same

but i still have o define eache and every message by the messageid filed cousing me overhead of the file and i also need to map every single event that the application create, a thing that by itself is most diffcult and most of the impossible at all because i can't get an access to this info or the cooperation of the devlopers - so now i'm missing a lot of events that i need to go back everytime and cross check the uds file with the raw data, not to mention systems that keeps updating on a regular basis like - IDS/IPS/AV etc.

and the exption rule - basicly should have the headers correct and the message should contain every payload that i havn't already defind, this will allow me to see every message that i've missed so i can update the uds accordingly.

thanks

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to GrzegorzFlak
‎2008-07-28 02:08 AM

This is a very good idea. I think that it will solve us most of such problems.

 

Moshe

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-11-16 06:11 PM

Hi,

 

I have a table for example "Database Audit" and the fields are:

 

tamp,Date/Time,TRUE,TIMESTAMP,24,RESERVED,RESERVED,NULL
msg_id,MessageID,TRUE,CHAR,64,RESERVED,RESERVED,NULL
eventtime,EventDate/Time,TRUE,CHAR,32,eventtime,CHAR32_1,NULL
c_systemname,OracleVersion,TRUE,CHAR,64,dbversion,CHAR64_1,NULL
host,SystemName,TRUE,CHAR,32,host,CHAR32_2,NULL
os,OperatingSystem,TRUE,CHAR,24,os,CHAR24_1,NULL
node,NodeName,TRUE,CHAR,24,node,CHAR24_2,NULL
instance,InstanceName,TRUE,CHAR,32,instance,CHAR32_3,NULL
sessionid,SessionId,TRUE,CHAR,16,sessionid,CHAR16_1,NULL
db_process,DatabaseProcessID,TRUE,INT,0,db_pid,INT1,NULL

permissions,Permissions,TRUE,DOUBLE,0,permissions,DOUBLE1,NULL
event_type,EventSubClass,TRUE,CHAR,64,event_type,CHAR64_5,NULL

 

...and more

 

Do you have any documents where explain what are the fields:

 

TRUE, CHART, INT1, NULL, 32, 32_2, 32_3, HOST, RESERVED, DOUBLE1, etc

and

envent_type, permissions, db_process, uhost, msg_id, etc.

 

I have a problem with uhost fileld with SAP device, this field is not visible on QUERY tool or reports

The xml´s fragment is:

 

  content="<@eventtime:*EVNTTIME($MSG,'%W%M%D %H%U%S',date,time)><@:*SYSVAL($MSGID,$ID1)><@action:Logon Failed> <host>||<fld1>||<fld2>||<date> <space>||<time> <space>||<terminal>||<username>||<uhost>||<trans_id>||<node>||<fld3>||<fld4>||<event_type>||<mode>||<fld5>||Logon Failed (Reason =<error>, Type =<fld6&gt:smileywink: <space>||<fld7>||<fld8>||<fld9>||<fld10>||<fld11>||<fld12>" />
  

I think that I need add the column "uhost" on the table Database Audit 

For example:

 

uhost,UserHostName,TRUE,CHAR,128,uhost,CHAR64_9,NULL

 

..but this is not running,  I don´t know what values add for CAHR and CHAR64_9, and if this is ok

 

Thanks a lot!

 

 

Allan Hougham

 

 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-11-17 08:02 AM

CHAR64_9 is not a valid variable. 

 

If you are going to be doing this, you MUST use the variables listed in the variables.ini file.

 

For the record, this is not an officially supported procedure, and as a result there is no documentation.  You break it, you own it. :smileywink:

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.