RSA enVision^® Discussions

RSAAdmin · ‎2010-11-16

Hello,

I have a client with a situation in which several event sources can only be collected via an intermediary syslog server. In other words, for a subset of event sources, the syslog server sits between enVision and the event sources. It has been explained to me that the architecture cannot change. enVision is collecting the event source logs from the intermediary syslog server, of which enVision is successfully able to distinguish the individual event sources after capturing the logs from the syslog server. However, there are a mixture of event sources within the bunch which can be disregarded. It has also been explained to me that collecting the logs from the syslog server is an all or nothing proposition. Within the collected bunch, there is a multitude of logs which although enVision is able to distinguish as unique event sources, the event sources are not supported devices, and thus show up as “devicetype = unknown”. Since the “devicetype = unknown” devices show up in Manage Monitored Devices, licenses are being chewed up. Thus, one of the primary motivations for purging the “devicetype = unknown” devices on a frequent basis is to ensure licenses are not unnecessarily locked up.

Okay, so now for the question:
I am seeking an automated method by which I can automatically purge all “devicetype = unknown” on a daily basis? The method does not necessarily matter, but according to the client’s requirements, the method must be fully automated. My first thought process was to create a batch file with the lsmaint command and then create a scheduled task run the batch file on a daily basis. However, in my trial attempts, when I execute the command “lsmaint –delete –device <IP_Address> -time start end”, the “\\192.168.1.101\vol1\nic\lsnode\<site_name>\data\<local_collector_name>\unknown\<device_ip>” folder indeed deletes, but the device is still present in Manage Monitored Devices, and thus is still locking up a license. Therefore, if I were to create a batch file with the command “lsmaint –delete –devicetype unknown –time start end” and schedule it to run on a daily basis, the folders and data would delete, but the unknown devices would still appear in Manage Monitored Devices and still be locking up a license.

I am seeking alternative suggestions/resolutions to this challenge.

Thank you.

RSAAdmin · ‎2010-11-17

Expanding on this a bit, I'd like to better understand how devices are removed from the license count and how sites manage this issue. As devices are decommissioned, they are eventually purged from our database once our retention period has been satisfied. How do site handle the maintenance of their device list? Is there a way to easily (automatically would be even better, per the OPs question) identify devices which have no data associated with them and then purge them? Is deletion from Managed Devices the critical step to free up device count license slots?

Thanks for the info.

Expanding on this a bit, I'd like to better understand how devices are removed from the license count and how sites manage this issue. As devices are decommissioned, they are eventually purged from our database once our retention period has been satisfied. How do site handle the maintenance of their device list? Is there a way to easily (automatically would be even better, per the OPs question) identify devices which have no data associated with them and then purge them? Is deletion from Managed Devices the critical step to free up device count license slots?

Thanks for the info.

David

RSA enVision® Discussions

Using lsmaint to delete

RSA enVision^® Discussions