Event Explorer 4.0.3 was released today. Any questions? Post here!
It is explained in the release notes for SP4 Patch 2 which I think was released today or yesterday.
From reading the patch notes, EE connections use NICP to connect to the NIC server service which could be on a DSRV or on the single appliance site. On a multi-appliance site the separate appliances also use NICP to connect to the NIC Server service on the DSRV. NICP0 would accept non-authenticated connections and most times when a critical service allows itself to be accessed without authentication there is an inherent risk.
Again, this is just from what I read in the document.
After installing Event Explorer 4.0.3, I can't run it; Event Explorer shows the following message:
"An error has occured. See the log file
I'm attaching this ".log" file.
After that I've tested 4.0.2, 4.0.1 version but the result is the same.
OS - Windows 7.
Has anybody had the same problem?
When you launch the Event Explorer desktop icon, are you running it as administrator?
Yes, I'm running it as administrator.
I just installed (upgrading from 4.0.2 to 4.0.3) on a Windows 7 Desktop and am not having an issue with running it. Your best option would probably be to open up a support case.
When you get a startup error where you are pointed to the .log file, it may be an issue with the application settings from a previous session. Event Explorer stores its user preferences and application settings in the Windows 7 directory C:\Users\<user>\EventExplorer\.metadata. Occasionally, after an upgrade, the application settings can fail to load properly, which I think may be happening in your instance. What may help is to rename the C:\Users\<user>\EventExplorer\.metadata directory to ".metadata old" and restart Event Explorer. The detriment to resetting the .metadata directory is that when you return to Event Explorer, you will need to re-register the enVision servers that you were accessing, update your user preferences if you made changes and lay out your trace views again. Your previous event trace and trace view configurations will not be affected by renaming the .metadata directory.
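The workspace reset described in the reply above, written out as a PowerShell script. This is an added example, not code from the thread or from RSA: it assumes the profile path named in the reply, uses a timestamped backup name instead of the plain ".metadata old" so repeated resets never overwrite an earlier copy, and guards against renaming the directory while the application is still running (the process name `EventExplorer` is an assumption; adjust it if yours differs).

```powershell
# Added example (not from the thread): reset Event Explorer's workspace
# metadata by renaming the .metadata directory, as the reply above describes.
# Assumes the path C:\Users\<user>\EventExplorer\.metadata from the thread.
$metadata = Join-Path $env:USERPROFILE 'EventExplorer\.metadata'

if (-not (Test-Path -LiteralPath $metadata)) {
    Write-Host "No .metadata directory found at $metadata; nothing to reset."
    return
}

# Refuse to touch the directory while Event Explorer is still running;
# a rename under a live process can fail or leave a half-written workspace.
# 'EventExplorer' is an assumed process name.
if (Get-Process -Name 'EventExplorer' -ErrorAction SilentlyContinue) {
    Write-Warning 'Close Event Explorer before resetting its .metadata directory.'
    return
}

# Timestamped name so a second reset does not clobber the first backup.
$backup = '.metadata old ' + (Get-Date -Format 'yyyyMMdd-HHmmss')
Rename-Item -LiteralPath $metadata -NewName $backup

Write-Host "Renamed .metadata to '$backup'."
Write-Host 'Restart Event Explorer, then re-register your enVision servers,'
Write-Host 'reapply user preferences and lay out your trace views again.'
```

Keeping the old directory rather than deleting it means the previous preferences can be recovered by renaming it back if the reset turns out not to be the cause of the startup error.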
davidski, Customer Support has some additional details on this that they'd be happy to share if you want to give them a call.
On the NICP issue, support has very little additional information. I've been working with them for several days and they still can't answer the fundamental question of what the exposure is with the old/current version of the NIC protocol. If anyone has an inside track on what an attacker could do with the old version of the protocol (specifically, is the vuln limited to data exposure or could data be modified or code even run on the enVision cluster), that would be very helpful.
Has anyone used the new external DB and linked view features yet? Any discussion on the usefulness of these features? I was really hoping to get some insight into these features, but all the documentation is tied up in the installer (currently going through my application deployment process) and the videos posted to date have been incredibly basic and unhelpful.
I'm a bit dubious about the external DB feature. It sounds like traces can't be moved between database sources so a query in EE that later needs enrichment can't be moved over to a MS-SQL database. I'm especially interested in how the enrichment process works. Is this something that EE helps with or is EE just dumping the data in the external DB and it's up to the customer to analyze, enrich, and report out on all on their own?
On the view linking, how easy is this to use? I've tended to write EE traces for a single device type in the past and don't see a lot of immediate value in linked views as they appear to be based on the data already in the trace and can't do subqueries to get more data that's identified in the trace. Ideally, I'd like to run, for example, a Windows trace of logins and drill down into network, database, or other activity without having to pull all of that data into the initial trace.
Some quick thoughts for you (full disclosure: I'm the PM for Event Explorer):
I appreciate the response. Looking over your comments I get the impression, as I often do these days, that RSA either does not understand its userbase or that I'm attempting to use enVision in a way that is just not appropriate. My team and I only use the advanced tables and charts when we have very particular needs defined. Why? Because trying to work with any sizable data set with EE is so painful as to be impossible.
As an example, take a look at this PDF recently posted on the Citrix blog (pdf). This shows a dashboard that was quickly created for the Citrix NetScaler load balancer platform. We have some of these devices and I attempted to recreate this open source based toolset with my 6-figure enVision solution. The first problem I hit is that 24 hours of data (as displayed by splunk here) is a huge amount of data for me. Even increasing to 300 MB of storage only grabs me a little over three hours of data. Once I pull that down, trying to execute any sort of query in EE is unusably slow (several minutes for a standard chart change to execute). Once a query executes, if I discover a standard chart doesn't work, I have to create a new advanced chart view from scratch.
Linked views is an interesting sounding feature, but without the ability to query large data sets without pulling gigabytes of traffic down to a local EE client, I don't see how the potential can be realized. If being able to scan the enVision IPDB in realtime was possible, then this drill down feature would be a knock out. As it is, it doesn't sound like it could possibly scale. My team needs to query and analyze large amounts of data for trend analysis, not generate 3D charts.
Again, I'm completely open to the idea that my use cases for EE/enVision are completely wrong. I'm just stumped with how to explain the lack of performance and capabilities when visitors come and expect functionality present on either much cheaper (splunk) or much more expensive (ArcSight) solutions and I have no solution.
To the user community, I'd love to hear real world examples of how you're using the new 4.0.3 feature set. It still sounds very interesting. I just don't know how any reasonably sized org is generating value out of it at the moment.
Thanks a lot for your answer. Your instructions were really helpful!
I've renamed the C:\Users\<user>\EventExplorer\.metadata directory to ".metadata old", restarted Event Explorer and now it's working like a charm!
The performance issues you refer to are a large part of why we introduced the external database support. Pre-4.0.3, you couldn't pull a large amount of data (over a million rows) without performance issues - the in-memory database couldn't handle it. By storing an event trace in an external database (SQL Server or Greenplum), you can pull a much larger data set and get better performance. This then allows for the broader traces that you were mentioning.
The in-memory database is good for those more specific event traces that you have been doing all along. For a broader event trace, an external database is the way to go. There's a little about this in this week's blog on best practices: [[page no longer exists]]
I am new to EE and am using it for a very large search. I need to find a particular Username that is interacting with certain IP Addresses. These IP Addresses are not monitored devices so I am currently doing a blanket search on the whole network for source and destination.
Is there a better way of doing this as it is very time consuming.
A few thoughts:
1. Can you limit the time frame for the event trace at all? If you are concerned about a particular period of time, try limiting the trace to just that time period.
2. While the IP addresses you are looking for aren't monitored devices, do you know which devices the user in question might be using to connect to those IPs? If so, you could limit the trace to a particular set of device types or device groups.
3. Are you adding filters to the Event Trace itself? Try filtering where the source IP or destination IP is the address in question, or filter by username.
Let me know how this works for you.