This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2009-10-13 01:38 PM

Looking for devices that have not collected data in 365 days

We use the logging system to collect log data for domain controllers.  When a DC is no longer in server I change the status to Active/Disabled so the data is still in the system but it is no longer collecting data.  What I would like to do is use lsmaint or some other tool to create a script to email me when it has been 365 days since a device last collected data.  That way I can remove the device from the system.  Ultimately I would like to automate the the whole process so that I have a script which queries AD for DCs and then compares that to wintool output to bulk add new DCs and then use the above requested process to somehow remove the DCs from the system after 365 days of no data.

 

Any suggestions would be greatly appreciated.

0 Likes
Reply
8 Replies
RSAAdmin
Beginner
Beginner
‎2009-10-14 12:05 PM

I wrote a powershell script that will identify the last time envision ever collected events from a given device.  It's posted here on the forum somehwere.  It basically walks the tmp\nuggets directory and consults the last modified timestamp of the nuggets folders.  You might be able to leverage some or all of that to detect DC's in excess of 365 days with the cmd-let for comparing dates.

 

I also wrote UDS for the Wintool.exe -show list function.  Although it's not posted here on the forum, I'd make it available if people were interested.  I use the crap out of that for all sorts of things.  Although I don't think it would be necessary for what you're desiring to do, I throw this out there anyway as an option.

 

I've also written a plethora of batch files that query AD for either group or OU membership and populate those results into watchlists.  It would be relatively simple to convert one of them to simply bulk add the systems to envision as a monitored windows event source, so long as you've already set the domain creds up at least once before.

 

I'm spread a bit thin these days, but let me know if any of the above might be helpful and I can try to dig them up.

 

ryan 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-12-03 05:03 PM

Ryan,Thanks for your post.  I am trying to do something very similar for PCI and identify a host that has not sent any data to the server for a 7 day time frame. I looked through all your posts, and unfortunately I could not find the script you were talking about.  Could I ask you to point me in the right direction as where you might think the script might be?  It would be greatly appreciated! 

 

Macho Gracias

Keith

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-12-04 09:58 AM

I think this is the script he is talking about

 

/message/666666#666666

 

 

thought of saving some time of Ryan

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-10-05 02:31 PM

I would be interesteed in any scripts or files you have pertaining to exporting AD criteria into watchlists or useful scripts in general still learinng VB myself..
0 Likes
Reply
PatricioDemarch
Beginner
Beginner
In response to RSAAdmin
‎2011-10-26 09:01 AM

You can use the command on D-SRV:

 

c:\Documents ans Settings\Administrator>lsmaint -l

 

List all devices including the date of last messages received. You can parse this output.

 

Patricio

 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to PatricioDemarch
‎2011-12-12 03:01 PM

Also Envision supports this kind of alerting as well.

 

You can enable message ID 400029 as per the 4.0 SP3 release notes (I don't know if they posted this anywhere else).  I don't see this doc on their site anymore so if you need to know how to configure it just let me know.

 

This message will be generated after X (configurable) amount of time has passed for your windows domain controller device group.  You can then setup an alert on this message ID and filter the Local Address field (see picture attached) against your device group. 

 

I supress duplicates and then basically get a message once every day when a domain controller has stopped talking to Envision.

Preview file
25 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-12-12 03:02 PM

Oh here is the doc on how to generate message 400029. It is not enabled by default. I'm not sure if they put this in any of the other docs so I am posting it just in case.
Preview file
163 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2013-06-26 01:07 PM

Hi All,

 

Can any one help me understand the contents of device down position file (devicedown.pos) contents are like below --

 

winevent_nic  1.2.3.4    1372247182

rsadlp            2.3.5.6    1372247192

 

Regards,

Saurabh

 

 


0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.