RSA enVision^® Discussions

You need to run lsmaint to reindex the data.  For example, “lsmaint –rebuild all –devicetype winevent_nic –time 1M end"

For the old data...you rebuild...but the new data you are collecting willl end up in the new table.  Just wanted to be clear because a rebuild is not what "activates" the Content 2.0...it is having the Content 2.0 XML that "activates" it.

So, I have a question...if you don't do the rebuild does all of your data before you do the 2.0 ESU update remain in the old tables?  or is there a rebuild that just happens on a schedule...I ask because I purposely did not do a rebuild on my Oracle data, but now when I try to run EE it shows all of the old data in the new variables.

 

 

I would be interested in this as well... we keep 8 months in online storage and the rest of the data on nearline (aka a large Drobo until we move to a bigger SAN). We just installed the latest ESU and upgraded content to 2.0. The rebuild command was running for 90 hours before my session died and I had to restart. I even edited the command with maxthreads of 100 (since hte default is 4) but that doesn't seem to have made a huge impact. Just 1 devicetype is already running for 18 hours. This is insanely long, data is completely unavailable and unusable, and RSA support doesn't have any advice on how to 1) speed things up, or 2) provide expectations on how long it takes (GB/hr processed, etc.). If I could just rebuild the last month instead of the past 8 months, and let envision automatically process the rest over the next month, then I would be content.

This is good to know.  I just updated the lastest content to 2.0 in our dev environment.   But now after reading this, I don't think it's wise to do our production.   We keep 18 months of data and if it's taken you this long to try to rebuilt just one device, it sounds like I'll never get any of ours rebuilt. 

 

I'd be curious to know what the benefits are of upgrading to content 2.0 over the 1.0?  Is this something I should or need to be doing or is it fine to just continue using the 1.0?

Content 2.0 will be, I believe, required as of the next major release. The variables are much more descriptive and relevant, and it appears they have made a lot of advancements in streamlining the DB.

Unfortunately the migration path is VERY poorly documented and will be extremely painful. Even with the Content Inspector tool your custom reports and alerts are going to take a VERY long time to rebuild on the new tables. Thankfully we don't have a huge amount of them, but I'm basically rebuilding them from scratch by running queries and discovering what the new variables are called. Another negative is that data is basically useless while I wait for these to rebuild, and any reporting is going to be borked until the rebuild is complete, as you can't search events from before and from after the content upgrade until you finish the rebuild. At least new data is (allegedly) getting putting into the proper tables.

Oh, and another fun feature, when you start to rebuild your reports - don't assume the new variables are in any semblance of order. And god forbid it be sortable. Frankly, their UI team needs to be forcibly tossed out the door. Th GUI is barely a step above green-screen and would apply to a company writing an interface in 1992.