When you get a startup error where you are pointed to the .log file, it may be an issue with the application settings from a previous session. Event Explorer stores its user preferences and application settings in the Windows 7 directory C:\Users\<user>\EventExplorer\.metadata. Occasionally, after an upgrade, the application settings can fail to load properly, which I think may be happening in your instance. What may help is to rename the C:\Users\<user>\EventExplorer\.metadata directory to ".metadata old" and restart Event Explorer. The detriment to resetting the .metadata directory is that when you return to Event Explorer, you will need to re-register the enVision servers that you were accessing, update your user preferences if you made changes and lay out your trace views again. Your previous event trace and trace view configurations will not be affected by renaming the .metadata directory.
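The reset described in the reply above, as an added example (not RSA's code and not part of the original post). It assumes the directory layout the post gives (C:\Users\<user>\EventExplorer\.metadata) and that Event Explorer is closed before it runs; the one thing it adds to the manual procedure is that it never overwrites an earlier ".metadata old" backup, so a second reset after another upgrade keeps both copies.

```python
"""Rename Event Explorer's .metadata directory out of the way without clobbering an earlier backup.

Added example, not Event Explorer's own tooling. Assumptions: the path layout from the post
(C:\\Users\\<user>\\EventExplorer\\.metadata) and that Event Explorer is not running.
"""
from datetime import datetime
from pathlib import Path
from typing import Optional


def reset_metadata(ee_dir: Path, backup_name: str = ".metadata old") -> Optional[Path]:
    """Move <ee_dir>/.metadata aside and return the backup path, or None if there was nothing to move.

    The post says to rename the directory to ".metadata old". If that name is already taken by a
    previous reset, a timestamp is appended instead so the older backup is kept as well.
    """
    meta = ee_dir / ".metadata"
    if not meta.is_dir():
        # Nothing to reset: a missing .metadata is not the settings-load problem described above.
        return None
    target = ee_dir / backup_name
    if target.exists():
        stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
        target = ee_dir / f"{backup_name} {stamp}"
    meta.rename(target)
    return target


def default_ee_dir() -> Path:
    """The per-user Event Explorer directory from the post: <home>\\EventExplorer (assumed layout)."""
    return Path.home() / "EventExplorer"


if __name__ == "__main__":
    moved = reset_metadata(default_ee_dir())
    print("nothing to reset" if moved is None else f"settings moved to: {moved}")
    print("Now restart Event Explorer; re-register enVision servers and redo preferences/view layout.")
```

Event traces and trace view configurations are not under .metadata according to the post, so they are untouched by this; only preferences, server registrations and view layout have to be redone afterwards.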
Has anyone used the new external DB and linked view features yet? Any discussion on the usefulness of these features? I was really hoping to get some insight into these features, but all the documentation is tied up in the installer (currently going through my application deployment process) and the videos posted to date have been incredibly basic and unhelpful.
I'm a bit dubious about the external DB feature. It sounds like traces can't be moved between database sources so a query in EE that later needs enrichment can't be moved over to a MS-SQL database. I'm especially interested in how the enrichment process works. Is this something that EE helps with or is EE just dumping the data in the external DB and it's up to the customer to analyze, enrich, and report out on all on their own?
On the view linking, how easy is this to use? I've tended to write EE traces for a single device type in the past and don't see a lot of immediate value in linked views as they appear to be based on the data already in the trace and can't do subqueries to get more data that's identified in the trace. Ideally, I'd like to run, for example, a Windows trace of logins and drill down into network, database, or other activity without having to pull all of that data into the initial trace.
On the NICP issue, support has very little additional information. I've been working with them for several days and they still can't answer the fundamental question of what the exposure is with the old/current version of the NIC protocol. If anyone has an inside track on what an attacker could do with the old version of the protocol (specifically, is the vuln limited to data exposure or could data be modified or code even run on the enVision cluster), that would be very helpful.
Some quick thoughts for you (full disclosure: I'm the PM for Event Explorer):
- You are correct that once you have created an Event Trace in one database (be it external or the in-memory one), you cannot move it to another database. I suppose you could always create a new trace that's exactly the same in a different database.
- Where EE is really helpful on the enrichments is with advanced tables and charts. If EE has some enVision data in an external DB and you have added other data to that DB (such as geo-location or active directory), you can create an advanced chart that pulls it together. I'm working on getting samples of this that we can post to the community.
- The process of linking views is pretty easy (just clicking the little icon at the top of each view) - are you asking what types of views to link? When I've demo'ed this, I've usually shown views with activity broken down by Device Class, Users, Message IDs and Event Categories and linked those. If your trace view is specific to one device class, you wouldn't really need a breakdown of activity by device class, but perhaps activity by IP address? Or maybe a chart breaking down the activity by time periods?
I appreciate the response. Looking over your comments I get the impression, as I often do these days, that RSA either does not understand its userbase or that I'm attempting to use enVision in a way that is just not appropriate. My team and I only use the advanced tables and charts when we have very particular needs defined. Why? Because trying to work with any sizable data set with EE is so painful as to be impossible.
As an example, take a look at this PDF recently posted on the Citrix blog (pdf). This shows a dashboard that was quickly created for the Citrix NetScaler load balancer platform. We have some of these devices and I attempted to recreate this open source based toolset with my 6-figure enVision solution. The first problem I hit is that 24 hours of data (as displayed by splunk here) is a huge amount of data for me. Even increasing to 300 MB of storage only grabs me a little over three hours of data. Once I pull that down, trying to execute any sort of query in EE is unusably slow (several minutes for a standard chart change to execute). Once a query executes, if I discover a standard chart doesn't work, I have to create a new advanced chart view from scratch.
Linked views are an interesting-sounding feature, but without the ability to query large data sets without pulling gigabytes of traffic down to a local EE client, I don't see how the potential can be realized. If being able to scan the enVision IPDB in realtime was possible, then this drill down feature would be a knock out. As it is, it doesn't sound like it could possibly scale. My team needs to query and analyze large amounts of data for trend analysis, not generate 3D charts.
Again, I'm completely open to the idea that my use cases for EE/enVision are completely wrong. I'm just stumped with how to explain the lack of performance and capabilities when visitors come and expect functionality present on either much cheaper (splunk) or much more expensive (ArcSight) solutions and I have no solution.
To the user community, I'd love to hear real world examples of how you're using the new 4.0.3 feature set. It still sounds very interesting. I just don't know how any reasonably sized org is generating value out of it at the moment.
Thanks a lot for your answer. Your instructions were really helpful!
I've renamed the C:\Users\<user>\EventExplorer\.metadata directory to ".metadata old", restarted Event Explorer and now it's working like a charm!
The performance issues you refer to are a large part of why we introduced the external database support. Pre-4.0.3, you couldn't pull a large amount of data (over a million rows) without performance issues - the in-memory database couldn't handle it. By storing an event trace in an external database (SQL Server or Greenplum), you can pull a much larger data set and get better performance. This then allows for the broader traces that you were mentioning.
The in-memory database is good for those more specific event traces that you have been doing all along. For a broader event trace, an external database is the way to go. There's a little about this in this week's blog on best practices: [[page no longer exists]]
I am new to EE and am using it for a very large search. I need to find a particular Username that is interacting with certain IP Addresses. These IP Addresses are not monitored devices so I am currently doing a blanket search on the whole network for source and destination.
Is there a better way of doing this as it is very time consuming.
A few thoughts:
1. Can you limit the time frame for the event trace at all? If you are concerned about a particular period of time, try limiting the trace to just that time period.
2. While the IP addresses you are looking for aren't monitored devices, do you know which devices the user in question might be using to connect to those IPs? If so, you could limit the trace to a particular set of device types or device groups.
3. Are you adding filters to the Event Trace itself? Try filtering where the source IP or destination IP is the address in question, or filter by username.
Let me know how this works for you.
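The three narrowing steps in the reply above (time window, device group, source/destination IP and username filters) and the enrichment the PM describes earlier in the thread (joining an Event Trace that sits in an external DB with a geo-location table added alongside it), as one added example. This is not Event Explorer's code: the page does not document the schema EE writes to SQL Server or Greenplum, so the table and column names here are assumptions, the rows are constructed, and sqlite3 stands in for the external database so the block runs offline. The SQL itself is plain enough to carry over.

```python
"""Filter and enrich an Event Trace stored in an external DB (added example, assumed schema).

Assumptions: an `events` table with one row per event and a `geoip` table keyed by integer
address ranges. Neither is Event Explorer's documented layout; both are stand-ins.
"""
import ipaddress
import sqlite3

# Constructed sample rows standing in for an Event Trace pulled into an external DB.
EVENTS = [
    # event_time, device_group, src_ip, dst_ip, username, message_id
    ("2011-06-01 08:00:00", "Domain Controllers", "10.1.1.5", "10.2.2.9",     "jsmith", "Security_4624"),
    ("2011-06-01 08:05:00", "Firewalls",          "10.1.1.5", "203.0.113.7",  "jsmith", "FW_ACCEPT"),
    ("2011-06-01 09:30:00", "Firewalls",          "10.1.1.5", "198.51.100.4", "jsmith", "FW_ACCEPT"),
    ("2011-06-01 09:31:00", "Firewalls",          "10.3.3.3", "203.0.113.7",  "mjones", "FW_ACCEPT"),
    ("2011-06-02 10:00:00", "Firewalls",          "10.1.1.5", "203.0.113.7",  "jsmith", "FW_ACCEPT"),  # outside window
]

# Constructed geo-location data: the kind of table you add next to the trace for enrichment.
GEO_BLOCKS = [
    ("203.0.113.0/24", "Country A"),
    ("198.51.100.0/24", "Country B"),
]


def ip_to_int(ip: str) -> int:
    """Dotted quad -> integer, so range lookups can use BETWEEN instead of string tricks."""
    return int(ipaddress.ip_address(ip))


def build_db() -> sqlite3.Connection:
    """Load the constructed trace and geo table into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
        event_time TEXT, device_group TEXT, src_ip TEXT, dst_ip TEXT,
        dst_ip_int INTEGER, username TEXT, message_id TEXT)""")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?)",
                     [(t, g, s, d, ip_to_int(d), u, m) for t, g, s, d, u, m in EVENTS])
    conn.execute("CREATE TABLE geoip (start_int INTEGER, end_int INTEGER, country TEXT)")
    conn.executemany("INSERT INTO geoip VALUES (?,?,?)",
                     [(int(ipaddress.ip_network(c)[0]), int(ipaddress.ip_network(c)[-1]), country)
                      for c, country in GEO_BLOCKS])
    # At the million-row sizes mentioned in the thread these indexes are what keep the filters fast.
    conn.execute("CREATE INDEX ix_events_time ON events(event_time)")
    conn.execute("CREATE INDEX ix_events_user ON events(username)")
    return conn


def user_to_ips(conn, username, target_ips, start, end, device_groups=None):
    """Steps 1-3 from the reply: time window, optional device groups, then IP + username filters.

    Only the number of `?` placeholders is interpolated; every value is bound as a parameter,
    so usernames and addresses copied from a trace cannot alter the query.
    """
    ip_marks = ",".join("?" * len(target_ips))
    sql = f"""SELECT event_time, device_group, src_ip, dst_ip, message_id
              FROM events
              WHERE event_time BETWEEN ? AND ?
                AND username = ?
                AND (src_ip IN ({ip_marks}) OR dst_ip IN ({ip_marks}))"""
    params = [start, end, username, *target_ips, *target_ips]
    if device_groups:
        sql += f" AND device_group IN ({','.join('?' * len(device_groups))})"
        params += list(device_groups)
    sql += " ORDER BY event_time"
    return conn.execute(sql, params).fetchall()


def activity_by_country(conn, username, start, end):
    """Enrichment: join the trace to the geo table by address range; unmatched destinations stay visible."""
    sql = """SELECT COALESCE(g.country, 'unknown') AS country, COUNT(*) AS hits
             FROM events e
             LEFT JOIN geoip g ON e.dst_ip_int BETWEEN g.start_int AND g.end_int
             WHERE e.username = ? AND e.event_time BETWEEN ? AND ?
             GROUP BY country
             ORDER BY hits DESC, country"""
    return conn.execute(sql, (username, start, end)).fetchall()


if __name__ == "__main__":
    db = build_db()
    window = ("2011-06-01 00:00:00", "2011-06-01 23:59:59")
    for row in user_to_ips(db, "jsmith", ["203.0.113.7", "198.51.100.4"], *window, device_groups=["Firewalls"]):
        print(row)
    print(activity_by_country(db, "jsmith", *window))
```

The point of the range-keyed geo table is that it is the shape a real geo-location or Active Directory feed takes once loaded next to the trace: the join is done by the database, not by pulling rows back to the EE client, which is the scaling concern raised earlier in the thread.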