RSA Admin

Using lsmaint to delete

Discussion created by RSA Admin Employee on Nov 16, 2010
Latest reply on Nov 17, 2010 by RSA Admin

Hello,

I have a client with a situation in which several event sources can only be collected via an intermediary syslog server. In other words, for a subset of event sources, the syslog server sits between enVision and the event sources. It has been explained to me that the architecture cannot change. enVision is collecting the event source logs from the intermediary syslog server, and after capturing the logs from the syslog server it is able to distinguish the individual event sources. However, there is a mixture of event sources within the bunch which can be disregarded. It has also been explained to me that collecting the logs from the syslog server is an all or nothing proposition. Within the collected bunch there is a multitude of logs which enVision is able to distinguish as unique event sources, but the event sources are not supported devices, and thus show up as “devicetype = unknown”. Since the “devicetype = unknown” devices show up in Manage Monitored Devices, licenses are being chewed up. Thus, one of the primary motivations for purging the “devicetype = unknown” devices on a frequent basis is to ensure licenses are not unnecessarily locked up.

Okay, so now for the question:
I am seeking an automated method by which I can purge all “devicetype = unknown” devices on a daily basis. The method does not necessarily matter, but according to the client’s requirements, the method must be fully automated. My first thought was to create a batch file with the lsmaint command and then create a scheduled task to run the batch file on a daily basis. However, in my trial attempts, when I execute the command “lsmaint -delete -device <IP_Address> -time start end”, the “\\192.168.1.101\vol1\nic\lsnode\<site_name>\data\<local_collector_name>\unknown\<device_ip>” folder is indeed deleted, but the device is still present in Manage Monitored Devices, and thus is still locking up a license. Therefore, if I were to create a batch file with the command “lsmaint -delete -devicetype unknown -time start end” and schedule it to run on a daily basis, the folders and data would be deleted, but the unknown devices would still appear in Manage Monitored Devices and would still be locking up a license.

I am seeking alternative suggestions/resolutions to this challenge.

Thank you.