This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
  • RSA.com
  • Products
    • Archer®
      • Archer®
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Archer® Exchange
      • Training
      • Upcoming Events
      • Videos
    • RSA® Fraud & Risk Intelligence Suite
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Web Threat Detection
      • Upcoming Events
      • Videos
    • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Cloud
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Patch Content
      • Videos
    • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication Mobile SDK
      • Advisories
      • Events
      • Ideas
      • Knowledge Base
      • Request Access
      • Training
    • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication for eCommerce
      • RSA® Adaptive Authentication for eCommerce
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® FraudAction Services
      • RSA® FraudAction Services
      • Advisories
      • Discussions
      • Documentation
      • Ideas
      • Videos
    • RSA® Web Threat Detection
      • RSA® Web Threat Detection
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Videos
    • RSA NetWitness® Platform
      • RSA NetWitness® Platform
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA NetWitness® Detect AI
      • RSA NetWitness® Detect AI
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Investigator
      • RSA NetWitness® Investigator
      • Documentation
      • Download the Client
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Orchestrator
      • RSA NetWitness® Orchestrator
      • Overview
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA SecurID® Suite
      • RSA SecurID® Suite
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Knowledge Base
      • Ideas
      • Integrations
      • Training
      • Videos
    • RSA® Identity Governance & Lifecycle
      • RSA® Identity Governance & Lifecycle
      • Advisories
      • Blog
      • Community Exchange
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA SecurID® Access
      • RSA SecurID® Access
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • Other RSA® Products
      • Other RSA® Products
      • RSA® Access Manager
      • RSA® Data Loss Prevention
      • RSA® Digital Certificate Solutions
      • RSA enVision®
      • RSA® Federated Identity Manager
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
  • Resources
    • Advisories
      • Product Advisories on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Hosted
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Product Advisories
    • Blogs
      • Blogs on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Blogs on RSA Link
    • Discussion Forums
      • Discussion Forums
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Discussion Forums on RSA Link
    • Documentation
      • Product Documentation
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Downloads
      • Product Downloads
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Downloads on RSA Link
    • Ideas
      • Idea Exchange
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Knowledge Base
      • Knowledge Base
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Knowledge Base Pages on RSA Link
    • Upcoming Events on RSA Link
      • Upcoming Events
    • Videos
      • Videos on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Videos on RSA Link
  • Support
    • RSA Link Support
      • RSA Link Support
      • News & Announcements
      • Getting Started
      • Support Forum
      • Support Knowledge Base
      • Ideas & Suggestions
    • RSA Product Support
      • RSA Product Support
      • General Security Advisories and Statements
      • Product Life Cycle
      • Support Information
      •  
      •  
      •  
      •  
      •  
  • RSA Ready
  • RSA University
    • Certification Program
      • Certification Program
    • Course Catalogs
      • Course Catalogs
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • On-Demand Subscriptions
      • On-Demand Subscriptions
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • Product Training
      • Product Training
      • Archer®
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Identity Governance & Lifecycle
      • RSA NeWitness® Platform
      • RSA SecurID® Access
    • Student Resources
      • Student Resources
      • Access On-Demand Learning
      • Access Virtual Labs
      • Contact RSA University
      • Enrollments & Transcripts
      • Frequently Asked Questions
      • Getting Started
      • Learning Modalities
      • Payments & Cancellations
      • Private Training
      • Training Center Locations
      • Training Credits
      • YouTube Channel
    • Upcoming Events
      • Upcoming Events
      • Full Calendar
      • Conferences
      • Live Classroom Training
      • Live Virtual Classroom Training
      • Webinars
Sign In Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

Visit the Known Issues dashboard if you are experiencing issues on RSA Link

View Dashboard

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
  • RSA Link
  • :
  • Products
  • :
  • Other RSA Products
  • :
  • RSA enVision
  • :
  • Discussions
  • :
  • Creating new tables
  • Options
    • Subscribe to RSS Feed
    • Mark Topic as New
    • Mark Topic as Read
    • Float this Topic for Current User
    • Bookmark
    • Subscribe
    • Mute
    • Printer Friendly Page
RSAAdmin
RSAAdmin Beginner
Beginner
‎2008-07-21 12:24 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Creating new tables

Hi,

 

after creating a few UDS for several custom devices  (tables form DBS, unique applications etc.) i have come to a problem that keeps bugging me, do i have to stick to the already defined category tables in the enVision like Database or Acees Control when creating a new device or can i create new tables that suits to my needs - it's abosord to try to adjust every possible device to an existing table let's take for example - AS400 Razlee firewall events - this device generates a 30~40 fileds events how can i "bend" the fileds to fit in an already defined table?

so no i can't fully analyze the events because 70%~ of the fildes can not be related to an existing table.

if anyone knows if and how to add new tables i'll be greatful for the help.

thanks

  • Tags:
  • Community Thread
  • Discussion
  • enVision
  • Forum Thread
  • RSA enVision
0 Likes
Share
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
8 Replies
RSAAdmin
RSAAdmin Beginner
Beginner
‎2008-07-22 10:04 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hello Roy,

 

The thing to keep in mind as a UDS developer is that you can mask a lot of things the end user may see.

 

It is quite common to run into logs from event sources that contain data that doesn't appear to map well to any particular enVision database table/field.  This is where you need to get creative.

 

Pick the closest table possible with the number of fields you need, assign what you can to the fields that make the most sense, and then after that you'll need to just map the oddball fields to what remains.  Just make sure you document what you do with comments in your XML file so you have something to back to.

 

Remember - when you create reports later on, you can always change the column names so they display a title more in alignment with what the data actually is.

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2008-07-22 11:32 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi,

 

While Matt gives some great guidance to work with the current product, this is a major area for future improvement (2009 and beyond).  We're working on such things as a new taxonomy, which will give you more granularity in mapping messages to event types. 

 

We're also working on a new relational analysis tier, so that customers can extend the schema and do all sorts of cool reporting using the flexibility that relational db's provide.

 

Does that mean IPDB goes away?  Nope.  This will complement it; I'd encourage you to watch out for a product roadmap webcast that will be advertised on this community soon.

 

Best, Don

0 Likes
Share
Reply
GrzegorzFlak
GrzegorzFlak Beginner
Beginner
In response to RSAAdmin
‎2008-07-22 11:32 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi, IhaveanideawhichstaysomewherebetweenyoursuggestionandRoy'srequest. MaybeRSAshouldextendDBschemabyaddingoneadditionnaltablecalled "Generic", withsomemostcommonfieldslike: timestamp, devicetype, devicesaddress, username, sourceanddestinationaddress, andseveral (10-20) additionalfields (bothnumericandtextual) foradditionalinfosuppliedbyUDSdevelopper. ItwouldnotleadtoconfusionwhenforexampleintofirewallaccountingtableIputaccountingdatafromPBS (itwillspoilseveralfirewall'sreports. Itshouldbeknowntoeveryuser/developer, thatgenerictableisdesignedforsuchusage.

WhatdoYouthinkaboutmyidea?

 

Bestregads

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to GrzegorzFlak
‎2008-07-22 01:07 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi,

 

Good suggestion.  We are going down this path for the 50 or so most common variables coming from log message parsers.  Stay tuned for whether this arrives in Version 4.0 (late 2008) or the following release.

 

Best, Don

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2008-07-23 03:08 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi all,

 

thaks for the responses, i have another idea - as i becaming more and more familar with the uds files - i find it a bit of a problematic that i have to write a specifiec message for each and every single events cousing sometimes the uds files to contain houndred to thouends of messages, why not alow the write of a generic format and an exeption rule at the end of the uds that will cath all the unparsed events?

i'll explain myself - let's say that i'm reading an application events from a DB table - the format is always the same

but i still have o define eache and every message by the messageid filed cousing me overhead of the file and i also need to map every single event that the application create, a thing that by itself is most diffcult and most of the impossible at all because i can't get an access to this info or the cooperation of the devlopers - so now i'm missing a lot of events that i need to go back everytime and cross check the uds file with the raw data, not to mention systems that keeps updating on a regular basis like - IDS/IPS/AV etc.

and the exption rule - basicly should have the headers correct and the message should contain every payload that i havn't already defind, this will allow me to see every message that i've missed so i can update the uds accordingly.

thanks

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to GrzegorzFlak
‎2008-07-28 02:08 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

This is a very good idea. I think that it will solve us most of such problems.

 

Moshe

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2008-11-16 06:11 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi,

 

I have a table for example "Database Audit" and the fields are:

 

tamp,Date/Time,TRUE,TIMESTAMP,24,RESERVED,RESERVED,NULL
msg_id,MessageID,TRUE,CHAR,64,RESERVED,RESERVED,NULL
eventtime,EventDate/Time,TRUE,CHAR,32,eventtime,CHAR32_1,NULL
c_systemname,OracleVersion,TRUE,CHAR,64,dbversion,CHAR64_1,NULL
host,SystemName,TRUE,CHAR,32,host,CHAR32_2,NULL
os,OperatingSystem,TRUE,CHAR,24,os,CHAR24_1,NULL
node,NodeName,TRUE,CHAR,24,node,CHAR24_2,NULL
instance,InstanceName,TRUE,CHAR,32,instance,CHAR32_3,NULL
sessionid,SessionId,TRUE,CHAR,16,sessionid,CHAR16_1,NULL
db_process,DatabaseProcessID,TRUE,INT,0,db_pid,INT1,NULL

permissions,Permissions,TRUE,DOUBLE,0,permissions,DOUBLE1,NULL
event_type,EventSubClass,TRUE,CHAR,64,event_type,CHAR64_5,NULL

 

...and more

 

Do you have any documents where explain what are the fields:

 

TRUE, CHART, INT1, NULL, 32, 32_2, 32_3, HOST, RESERVED, DOUBLE1, etc

and

envent_type, permissions, db_process, uhost, msg_id, etc.

 

I have a problem with uhost fileld with SAP device, this field is not visible on QUERY tool or reports

The xml´s fragment is:

 

  content="<@eventtime:*EVNTTIME($MSG,'%W%M%D %H%U%S',date,time)><@:*SYSVAL($MSGID,$ID1)><@action:Logon Failed> <host>||<fld1>||<fld2>||<date> <space>||<time> <space>||<terminal>||<username>||<uhost>||<trans_id>||<node>||<fld3>||<fld4>||<event_type>||<mode>||<fld5>||Logon Failed (Reason =<error>, Type =<fld6&gt:smileywink: <space>||<fld7>||<fld8>||<fld9>||<fld10>||<fld11>||<fld12>" />
  

I think that I need add the column "uhost" on the table Database Audit 

For example:

 

uhost,UserHostName,TRUE,CHAR,128,uhost,CHAR64_9,NULL

 

..but this is not running,  I don´t know what values add for CAHR and CHAR64_9, and if this is ok

 

Thanks a lot!

 

 

Allan Hougham

 

 

 

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2008-11-17 08:02 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

CHAR64_9 is not a valid variable. 

 

If you are going to be doing this, you MUST use the variables listed in the variables.ini file.

 

For the record, this is not an officially supported procedure, and as a result there is no documentation.  You break it, you own it. :smileywink:

0 Likes
Share
Reply
Powered by Khoros
  • Products
  • Resources
  • Solutions
  • RSA University
  • Support
  • RSA Labs
  • RSA Ready
  • About RSA Link
  • Terms & Conditions
  • Privacy Statement
  • Provide Feedback
© 2020 RSA Security LLC or its affiliates.
All rights reserved.