2020-04-20 04:23 AM
Hi Team,
We have the below requirement.
How to export ESA Rules from mongo DB by Each ESA Rule Deployment Separately.
2020-04-20 06:00 AM
Hi Devaraj,
You need to query the correlation-server Mongo DB that is located on the NW Server. The two collections named engineSettingsEntity and moduleSettingsEntity contain everything you need.
Select deployments and all attached rules:
db.getCollection('engineSettingsEntity').find({ displayName: { $ne: "" } },{"displayName":1,"moduleIds":1,"_id":0} );
Select all rules:
db.getCollection('moduleSettingsEntity').find({ displayName: { $ne: "" } },{"displayName":1,"_id":1} );
In my example:
5e970391e4b0cd45a7f6d2c618-5e999e18e4b0f1d1908e199c
5e970391e4b0cd45a7f6d2c618 : deployement ID
5e999e18e4b0f1d1908e199c : Rule ID
[TEST] Windows detection : display name of the rule
Please let me know if you need any further information.
2020-04-20 02:46 PM
Hi Devaraj,
If you don't have Robomongo installed you can run this script from an SSH session on your SA server.
Also, since the "rules" and "deployment" information are stored in different Mongo documents, you can't export the information you're looking for from one single collection.
1) First create the file /root/get_rules_by_deployment.sh
# vi get_rules_by_deployment.sh
2) Add the following code to the file and save the file (you will need to substitute your deploy_admin password for the default "-p netwitness" in the commands below)...
#!/bin/bash
# Lists, per ESA deployment, the rule IDs it contains and each rule's friendly name.
# Substitute your own deploy_admin password below; note that a password passed with
# -p is visible to other local users in the process list while the script runs.
MONGO_PASS="netwitness"

# Run one mongo shell command against the "sa" database and print its output.
mq() {
  echo "$1" | mongo sa -u deploy_admin -p "$MONGO_PASS" --authenticationDatabase admin
}

# Split command output on newlines only, so deployment names with spaces stay intact.
IFS=$'\n'
# Each deployment in the latest sync snapshot has a top-level "name" field.
for i in $(mq 'db.latestSyncSnapshot.find().toArray()' | grep '"name"' | awk -F'"' '{print $4}'); do
  echo "Deployment Name \"$i\" contains the following rule IDs with Friendly Name"
  # Every "ruleId" line inside that deployment's snapshot document.
  for j in $(mq 'db.latestSyncSnapshot.find({"name" : "'"$i"'"}).toArray()' | grep '"ruleId"'); do
    echo "$j"
    # The rule ID is the 4th double-quote-delimited field of a line like:   "ruleId" : "<id>",
    r=$(echo "$j" | awk -F'"' '{print $4}')
    # Rule documents may key _id as a plain string (e.g. esa000111) or as an ObjectId, so
    # try both forms and print only the rule's "name" line (parameter/statement names excluded).
    mq 'db.rule.find({"_id" : "'"$r"'"}, {"parameters.name" : 0}).toArray()' | grep '"name"'
    mq 'db.rule.find({"_id" : ObjectId("'"$r"'")}, {"parameters.name" : 0, "statements.name" : 0}).toArray()' | grep '"name"'
    echo ""
    echo ""
  done
done
exit
3) Save the file
4) Make the file executable
# chmod +x get_rules_by_deployment.sh
5) execute the script
# ./get_rules_by_deployment.sh
Sample output...
[root@saserver ~]# ./get_rules_by_deployment.sh
Deployment Name "ESA" contains the following rule IDs with Friendly Name
"ruleId" : "5e71108e45cedec378cfc624",
"name" : "securesoft",
Deployment Name "ESA test" contains the following rule IDs with Friendly Name
"ruleId" : "esa000111",
"name" : "Logins across Multiple Servers",
"ruleId" : "esa000018",
"name" : "Failed Logins Followed By Successful Login Password Change",
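As an added example (not code from either reply above and not RSA's own), here is the join both replies perform, deployment document to rule document, written as mongo-shell-style JavaScript over constructed sample documents shaped like the engineSettingsEntity and moduleSettingsEntity collections from the first reply. It assumes that moduleIds entries use the "<deploymentId>-<ruleId>" form shown in that reply; the sample ids other than the two quoted there, the deployment names and the functions rulesByDeployment, ruleIdFromModuleId, idKey and formatReport are all constructed for this example. Unlike the grep-based approaches, it also reports a rule id that has no matching rule document instead of silently dropping it.

```javascript
// Added example, not from the thread: group rule names under their ESA deployment.
// Constructed sample documents shaped like the two collections named in the first reply;
// moduleIds entries use the "<deploymentId>-<ruleId>" form shown there.
const engineSettingsEntity = [
  { _id: "5e970391e4b0cd45a7f6d2c618", displayName: "ESA",
    moduleIds: ["5e970391e4b0cd45a7f6d2c618-5e999e18e4b0f1d1908e199c",
                // constructed id with no matching rule document (simulates a stale reference)
                "5e970391e4b0cd45a7f6d2c618-000000000000000000000000"] },
  { _id: "000000000000000000000001", displayName: "", moduleIds: [] },   // skipped, like $ne: ""
  { _id: "000000000000000000000002", displayName: "ESA test",
    moduleIds: ["000000000000000000000002-5e999e18e4b0f1d1908e199c"] }
];
const moduleSettingsEntity = [
  { _id: "5e999e18e4b0f1d1908e199c", displayName: "[TEST] Windows detection" }
];

// Hex string for an _id whether it is a plain string or a shell ObjectId (assumed accessors).
function idKey(id) {
  if (id && typeof id.toHexString === "function") return id.toHexString(); // mongosh / bson ObjectId
  if (id && typeof id.str === "string") return id.str;                     // legacy mongo shell ObjectId
  return String(id);
}

// Strip the "<deploymentId>-" prefix from a moduleIds entry, leaving the rule id.
function ruleIdFromModuleId(moduleId) {
  const s = String(moduleId);
  const dash = s.lastIndexOf("-");
  return dash === -1 ? s : s.slice(dash + 1);
}

// Map deployment displayName -> [{ ruleId, name }], name === null when no rule document matches.
function rulesByDeployment(deployments, rules) {
  const nameByRuleId = new Map(rules.map(r => [idKey(r._id), r.displayName]));
  const result = {};
  for (const d of deployments) {
    if (!d.displayName) continue;                 // mirror the { displayName: { $ne: "" } } filter
    result[d.displayName] = (d.moduleIds || []).map(m => {
      const ruleId = ruleIdFromModuleId(m);
      return { ruleId, name: nameByRuleId.has(ruleId) ? nameByRuleId.get(ruleId) : null };
    });
  }
  return result;
}

// One line per rule, flagging ids that no rule document explains.
function formatReport(byDeployment) {
  const lines = [];
  for (const [dep, rules] of Object.entries(byDeployment)) {
    lines.push(`Deployment "${dep}" (${rules.length} rule(s))`);
    for (const r of rules) {
      lines.push(`  ${r.ruleId}  ${r.name === null ? "<no matching rule document>" : r.name}`);
    }
  }
  return lines.join("\n");
}

console.log(formatReport(rulesByDeployment(engineSettingsEntity, moduleSettingsEntity)));
```

Run inside the mongo shell, replace the two constants with db.getCollection('engineSettingsEntity').find({ displayName: { $ne: "" } }).toArray() and db.getCollection('moduleSettingsEntity').find().toArray(); the same shape fits the second reply's latestSyncSnapshot and rule collections once "name" and "ruleId" are substituted for displayName and moduleIds.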