Rebuild taxonomy after storing event into IPDP?
Does anyone know if it is somehow possible to scan the database for events which used to be "undefined" and try to parse them once again? It is useful for IDS/IPS events fired by the newest signatures, which were not yet included in the XML files, where the ContentUpdate came after the events occurred.
If you want to actually dump all the undefined logs for a particular event source, use this command:
lsdata -events syslog -time <starttime> <endtime> -devices "x.x.x.x(undefined)" >> logs.unx
Where x.x.x.x is the IP Address of the event source in question.
You can then inject these later, but beware: this process does not actually remove the undefined logs from the IPDB, so you will end up with duplicate info (although the original ones are still set as undefined).
There is really only one reason an event is classified as undefined:
The collected event has no matching HEADER/MESSAGE tag combination in the associated device XML.
To find the more specific reason, you would have to put on your UDS hat and dig into the event source's XML file to figure out the specific reason:
1) Does the format fit one of the HEADER tags?
2) Does the MESSAGE tag exist (including the correct id2 value)?
3) If the answer to #2 is yes, is the content parameter defined correctly?
Then I don't understand what you're asking for here.
lsmaint -rebuild is used to take the data from the .dat files in the IPDB and recreate the summaries and indices for the IPDB, but it will not update any of the raw data.
There is no real way to reassign previously collected logs from undefined to defined - the IPDB is a write-once-read-many database, so you can't edit what has already been collected and placed in there.
I don't want to change data. I just want to deal with a situation we had at our customer site. For some time, logs coming from a PIX firewall were not interpreted correctly (90% of them were undefined), even though they were previously interpreted correctly without any problems.
We did an upgrade and the problem disappeared. But there remains a huge number of events which we are unable to parse. Putting them into the DB once again is not practical for two reasons:
- PIXs produce 4000-8000 EPS!
Actually, now that you have me thinking about it, go ahead and try using lsmaint -rebuild for the time range in question.
Theoretically, the message indices are not part of the .dat file where the raw data is stored, so those might be able to be updated...
The worst that could happen is that the events in question simply remain in their "undefined" state.