How to report from the enVision IPDB from RSA Security Analytics
With many customers in the midst of the transition from RSA enVision to RSA Security Analytics, we often get questions about whether and how the enVision IPDB can be queried from Security Analytics. This write-up in the documentation gives a good overview. Enjoy!
And this link describes how to deploy the IPDB extractor service in a virtual deployment.
The steps are actually not very clear; we spent lots of time troubleshooting.
It would be great if you could provide here some of the steps you took to get the reporting working from the IPDB in Security Analytics. That is a key value of this community. I can then take your experiences and make sure they get to the RSA documentation team.
Hi Matthew, the part that caused the most headache is the NAS sharing step. I tried the whole afternoon and figured out it needs to be shared like below:
Share name: storage0 - Path: \vol0\nic\lsnode\data\LSIPDB-LC1
Share name: storage1 - Path: \vol1\nic\lsnode\data\LSIPDB-LC2
This step is missing from the document. Can we share only \vol0 or \vol1? Please confirm.
After I configured the NAS, I figured out why the storage mapping needs to be put like below, as specified in the sample:
\\1.1.1.1\vol1\nic\lsnode\LSIPDB-LC1~storage1,\\1.1.1.1\vol2\nic\lsnode\LSIPDB-LC1~storage2
Just additionally, does the IPDB extractor support creating reports for multiple device types? As of now, I'm only able to create a report for one device type, like rhlinux.
Thank you.
Hi Matthew, can you help? I had an issue here: I was not able to finish the IPDB configuration using storage.mapping.
1. The customer has 3 NAS vols used for enVision: (vol0, vol1, vol2)
2. If I configure storage.mapping, I cannot get any events
3. If I directly map vol0, I'm able to get the events
How should I specify the storage.mapping string? I have a case open but no reply yet.
And how do I debug? I used tcpdump, but it seems the IPDB extractor didn't access the NAS.
Thank you.
Hi,
Looks like either the value of storage location is wrong or the mount points are wrong.
1) I suggest you check this:
Mount the IPDB in such a way that you have a path like this. If it's not there, it's certain that your mounts and storage location configurations are wrong.
/var/netwitness/ipdbextractor/ipdb/<node name>/<storagelocation>/<device type>/<device>/<year>/<month> (in case you have multiple storage locations)
Or
/var/netwitness/ipdbextractor/ipdb/<node name>/<device type>/<device>/<year>/<month> (single storage location)
2) I need the below info:
- 'Mapping of Storage Location' config value
- Mount points
- Contents of /var/netwitness/ipdbextractor/ipdb
Hi Nehar,
1) I have the format below, and I'm able to browse the event files.
/var/netwitness/ipdbextractor/ipdb/<node name>/<storagelocation>/<device type>/<device>/<year>/<month> (in case you have multiple storage locations)
//10.203.2.101/vol0 /var/netwitness/ipdbextractor/ipdb/ENT-ES/storage0 cifs auto,nouser,noexec,ro,prefixpath=/lsnode/data/ENT-ES,username=ipdbuser,password=password123 0 0
//10.203.2.101/vol1 /var/netwitness/ipdbextractor/ipdb/ENT-ES/storage1 cifs auto,nouser,noexec,ro,prefixpath=/lsnode/data/ENT-ES,username=ipdbuser,password=password123 0 0
//10.203.2.101/vol2 /var/netwitness/ipdbextractor/ipdb/ENT-ES/storage2 cifs auto,nouser,noexec,ro,prefixpath=/lsnode/data/ENT-ES,username=ipdbuser,password=password123 0 0
//%envision_ip%/csd /var/netwitness/ipdbextractor/devicelocation cifs auto,nouser,noexec,ro,username=ipdbuser,password=password123 0 0
2) I tried the mapping below
\\10.203.2.101\vol0\lsnode\data\ENT-ES~storage0,\\10.203.2.101\vol1\lsnode\data\ENT-ES~storage1,\\10.203.2.101\vol2\lsnode\data\ENT-ES~storage2
3) /var/netwitness/ipdbextractor/ipdb/ipdb/ENT-ES/storage0
/var/netwitness/ipdbextractor/ipdb/ipdb/ENT-ES/storage1
/var/netwitness/ipdbextractor/ipdb/ipdb/ENT-ES/storage2
Same configuration worked in another customer environment.
That's why it's strange enough. How do I debug? I didn't see any network traffic to the NAS when doing rule testing.
If I mount only \\10.203.2.101\vol0\lsnode\data\ENT-ES to /var/netwitness/ipdbextractor/ipdb/ipdb/ENT-ES and then test the IPDB rule, it works fine; I'm able to get events.
I could see something is wrong here.
The path that gets created after you mount looks wrong. It should be something like this:
/var/netwitness/ipdbextractor/ipdb/<node name>/<storagelocation>/<device type>/<device>/<year>/<month>
i.e.
/var/netwitness/ipdbextractor/ipdb/ENT-ES/storage0/<device type>/<device>/<year>/<month> (in your case)
But I see that you have an extra "ipdb" directory:
/var/netwitness/ipdbextractor/ipdb/ipdb/ENT-ES/storage0
/var/netwitness/ipdbextractor/ipdb/ipdb/ENT-ES/storage1
/var/netwitness/ipdbextractor/ipdb/ipdb/ENT-ES/storage2
Your mount points look correct, but since there is an extra "ipdb" directory getting created, I would suggest you change the mounts in such a way that you have paths like this:
/var/netwitness/ipdbextractor/ipdb/ENT-ES/storage0
/var/netwitness/ipdbextractor/ipdb/ENT-ES/storage1
/var/netwitness/ipdbextractor/ipdb/ENT-ES/storage2
If you have manually created any extra "ipdb" directory, please delete it.
After resolving this, try running a report. I think it should work.
Do let me know the result.
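A small check, added here as an example and not taken from the thread or from RSA's own tooling: it parses a 'Mapping of Storage Location' string of the form quoted earlier in the thread into UNC/storage pairs and verifies that each storage name has a populated mount point at /var/netwitness/ipdbextractor/ipdb/<node name>/<storagelocation>, flagging the extra "ipdb" directory described in this post. The mapping value and the node name ENT-ES come from the thread; the directory tree is constructed in a temporary directory for the demonstration.

```python
import os
import tempfile

# Added example, not from the thread or RSA. Mapping value and node name are the
# ones quoted in this thread; the directory tree below is constructed for the demo.
MAPPING = (r"\\10.203.2.101\vol0\lsnode\data\ENT-ES~storage0,"
           r"\\10.203.2.101\vol1\lsnode\data\ENT-ES~storage1,"
           r"\\10.203.2.101\vol2\lsnode\data\ENT-ES~storage2")
NODE = "ENT-ES"


def parse_storage_mapping(mapping):
    """Split the comma-separated 'UNC~storagename' entries into (unc, storage) pairs."""
    pairs = []
    for entry in mapping.split(","):
        entry = entry.strip()
        if not entry:
            continue
        unc, sep, storage = entry.rpartition("~")
        if not sep or not unc.startswith("\\\\") or not storage:
            raise ValueError("malformed storage mapping entry: %r" % entry)
        pairs.append((unc, storage))
    return pairs


def check_layout(ipdb_root, node, pairs):
    """Return problems with the layout ipdb_root/<node name>/<storagelocation>/..."""
    problems = []
    # The symptom from this post: an extra 'ipdb' level under the ipdb root.
    if os.path.isdir(os.path.join(ipdb_root, "ipdb")):
        problems.append("extra 'ipdb' directory under " + ipdb_root)
    for _unc, storage in pairs:
        target = os.path.join(ipdb_root, node, storage)
        if not os.path.isdir(target):
            problems.append("missing mount point " + target)
        elif not os.listdir(target):
            problems.append("empty mount point (share not mounted?) " + target)
    return problems


def demo():
    """Build a throw-away tree that reproduces the mistake and run the check on it."""
    root = tempfile.mkdtemp()
    # storage0 mounted correctly with <device type>/<device>/<year>/<month> below it
    os.makedirs(os.path.join(root, NODE, "storage0", "rhlinux", "host1", "2014", "01"))
    # storage1 landed under an extra 'ipdb' level; storage2 was never mounted
    os.makedirs(os.path.join(root, "ipdb", NODE, "storage1"))
    return check_layout(root, NODE, parse_storage_mapping(MAPPING))
```

Calling demo() returns three findings for the constructed tree: the extra "ipdb" directory, the missing storage1 mount point and the missing storage2 mount point; run check_layout against /var/netwitness/ipdbextractor/ipdb with your own mapping string to check a real host.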
Sorry, typo. The actual one is below; I have the screenshot, and if you're OK with it, I can send it to you for review.
/var/netwitness/ipdbextractor/ipdb/ENT-ES/storage0
/var/netwitness/ipdbextractor/ipdb/ENT-ES/storage1
/var/netwitness/ipdbextractor/ipdb/ENT-ES/storage2
I opened a support case but no reply so far. So, no choice: I configured only one storage.
Ok. Then the mounting is correct. I assume that after storage0/storage1/storage2 you have a path like <device type>/<device>/<year>/<month> and have ipdb .dat files there.
You should also check if the storage mappings are correct. For that do the following:
Log in to your enVision UI and go to:
System Configurations->Directories->Manage Storage Locations
This will give the directory paths to which you should map storage0, storage1 and storage2.
Check if the mappings you configured are correct.
If not, correct them and restart ipdb extractor service.
Execute a report and check.
