2016-11-22 05:42 AM
Hello All,
There is a concern from the customer about the migration from enVision to SA.
I have an urgent requirement for understanding how we can access the data which is lying on the enVision servers, as the customer is now moving their environment from enVision to Security Analytics.
So, as the customer is compliant, their requirement now is: is there any method to get the data of any device type or device IP from their enVision server for around 1 year?
Their requirements are that they can fetch the raw logs also, along with their customized reports & some compliance reports as well.
So what I got to know from my experience is that fetching the reports on old data (enVision) by the IPDB extractor service actually doesn't work, as it's mentioned on the documentation front.
So just wondering whether there is any other way by which we can get the data from the enVision server, from the GUI of the Security Analytics server or in any other way also.
Kindly suggest.
It's a very urgent & important requirement.
Regards,
Deepanshu Sood.
2016-11-22 05:47 AM
Hi,
The only way to get this data is through the IPDB extractor. Not sure what you mean when you say it doesn't work, as I have configured it before and seen it working.
2016-11-22 09:31 AM
Okay, so can we fetch any sort of report from enVision by using zConnector?
And also, can we fetch the raw logs of any specific device?
Please suggest.
Regards,
Deepanshu Sood.
2016-11-22 09:51 AM
zConnector is for sending events from enVision to Security Analytics as they are collected. It won't process historical events.
You can see more information on the IPDB Extractor here:
IPDB Extractor Service Configuration Guide - RSA Security Analytics Documentation
This allows you to report on historic events stored in enVision.
From Rule Types - RSA Security Analytics Documentation, the descriptions say that you can get the raw event messages. There was a tool produced for 10.4.1 that allowed extraction of raw events, but I am not sure that this tool was carried forward beyond this version.
Here is a guide to the IPDB Rule Syntax
2016-11-22 10:01 AM
To get the raw logs from envision:
Open a command prompt on the enVision server (Dsrv, if LogSmart), and navigate to the %_ENVISION%\bin directory.
Run the following:
lsdata -events syslog -devices 1.1.1.1 -time 20061201 2006120102 > f:\data.txt
where 1.1.1.1 is either the device IP address or the device type you want
and where 20061201 is the start time, and 2006120102 is December 1st, 2006 at 2AM.
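Pulling a year or more of raw logs with the lsdata command above means many invocations, one per device and time window, and a compliance customer will also want evidence that the exported files were not altered afterwards. The following wrapper is an added example, not part of RSA enVision or Security Analytics: it takes the command syntax exactly as posted (lsdata -events syslog -devices <ip|type> -time <start> <end>), plans one run per device per day, captures each run's output to its own file, and writes a SHA-256 manifest. It assumes (not confirmed by the thread) that the time arguments accept YYYYMMDD for midnight and YYYYMMDDHH for an hour boundary, that the end bound is exclusive, and that the script is run from the %_ENVISION%\bin directory on the enVision server; check the lsdata help on the server before trusting the window boundaries. With dry_run=True it only produces the plan, which is useful for reviewing the scope with the customer before touching a server that is being decommissioned.

```python
"""Batch wrapper around the enVision lsdata command (added example, not RSA tooling)."""
from __future__ import annotations

import hashlib
import json
import re
import shutil
import subprocess
from datetime import date, timedelta
from pathlib import Path


def day_windows(start: date, end: date) -> list[tuple[str, str]]:
    """Return (start, end) time strings for each day in [start, end).

    Start is YYYYMMDD and end is the following day's YYYYMMDD00, mirroring
    the 20061201 / 2006120102 style shown in the thread. The end bound is
    assumed to be exclusive (an assumption, not something the thread states).
    """
    if end <= start:
        raise ValueError("end must be after start")
    windows = []
    day = start
    while day < end:
        nxt = day + timedelta(days=1)
        windows.append((day.strftime("%Y%m%d"), nxt.strftime("%Y%m%d") + "00"))
        day = nxt
    return windows


def build_commands(devices, start: date, end: date, out_dir, events: str = "syslog"):
    """Plan one lsdata invocation per device and per day.

    Returns a list of (argv, output_path). argv follows the command posted
    above: lsdata -events syslog -devices <ip|type> -time <start> <end>.
    """
    plan = []
    for device in devices:
        # Device types can contain spaces; keep file names filesystem-safe.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", device)
        for win_start, win_end in day_windows(start, end):
            argv = ["lsdata", "-events", events, "-devices", device,
                    "-time", win_start, win_end]
            plan.append((argv, Path(out_dir) / f"{safe}_{win_start}.txt"))
    return plan


def sha256_file(path: Path) -> str:
    """Hash an exported file so it can later be shown to be unmodified."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_extraction(plan, dry_run: bool = True) -> dict:
    """Execute the plan (or only record it) and return a manifest.

    Each entry records the exact command line, its outcome and, for real
    runs, the SHA-256 of the captured output.
    """
    manifest = {}
    for argv, out_path in plan:
        entry = {"cmd": " ".join(argv)}
        if dry_run:
            entry["status"] = "planned"
        elif shutil.which("lsdata") is None:
            entry["status"] = "lsdata not found on PATH"
        else:
            out_path.parent.mkdir(parents=True, exist_ok=True)
            with open(out_path, "wb") as fh:
                # stdout goes straight to the file, like the "> f:\data.txt" redirect
                rc = subprocess.run(argv, stdout=fh, stderr=subprocess.PIPE).returncode
            entry["status"] = "ok" if rc == 0 else f"rc={rc}"
            entry["sha256"] = sha256_file(out_path)
        manifest[str(out_path)] = entry
    return manifest


if __name__ == "__main__":
    # Constructed sample: the device and dates from the thread, two days, dry run only.
    sample_plan = build_commands(["1.1.1.1"], date(2006, 12, 1), date(2006, 12, 3), "f:/data")
    print(json.dumps(run_extraction(sample_plan, dry_run=True), indent=2))
```

Store the resulting manifest alongside the exported files; the command line and hash per file are what an auditor will ask for when the enVision server is gone and only the exported text remains.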
2016-11-24 12:41 AM
Thanks David for sharing this detail. It is so clear to understand.
But I want to know, suppose the customer is already in the middle of decommissioning their enVision server and replacing it with Security Analytics.
So can we integrate the enVision DAS/NAS with Security Analytics to fetch the raw logs by the above-mentioned command?
The reason why I am asking is because the customer's time window to fetch the old raw logs is around 1 year to 1.5 years, anytime in between 1 and 1.5 years.
So this means that the customer needs to maintain their enVision server for around 1 year more for their raw logs requirement.
So, in simple terms, can't we map their DAS/NAS to the Security Analytics server to fetch the raw logs?
Kindly advise. Thank you.
Regards,
Deepanshu Sood.