
How to add new criteria field available in Event Query Wizard?

Created: 07 Aug 2007 • Updated: 14 Aug 2010 | 5 comments

Hello,

Is it possible to expand set of criteria used to build custom event query by Query Wizard?
Currently not all fields are available, for example:
- Firewall Source Interface Name (event from Cisco PIX collector)
- Firewall Destination Interface Name (event from Cisco PIX collector)
- Home Domain (event from Cisco PIX collector)
- Event Count (event from Juniper NetScreen collector)

This issue is important when custom query should be based on custom or product-specific event fields e.g derived from a custom event collector.

Maybe anyone tried to do this?

Regards,
Antilles


Hi,

The drop-down list of filtering criteria is obviously a summary of all fields used in any of the available queries in SSIM. To add more fields, you can export one of the existing queries to .qml, edit the qml file, and exchange the existing fields with the fields you want to see in the list.

Here are the steps for your case:
  1. Add home_domain, destination_interface_name, source_interface_name and event_ct to the indexed_event_fields.txt. Restart sesevents: service sesevents restart.
  2. Log in to the SSIM GUI. Export one of the queries to a qml file.
  3. Edit the file. Find the area where field name and field id are defined. Exchange name and id so it looks like:
       <Argument>
           <Field byname="true" byuser="true"
               id="destination_interface_name"
               name="Firewall Destination Interface Name" type="0"/>
       </Argument>
     Do this for all your fields added to the indexed_event_fields.txt.
  4. Import the qml file to "My Queries".

Your requested fields
- Firewall Source Interface Name
- Firewall Destination Interface Name
- Home Domain
- Event Count
are available now in the drop down list.

Regards
EPSrat



    Import the attached queries into "My Queries"

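A small helper for step 3 of the procedure above, added here as an example and not code from the thread or from SSIM: it swaps the id/name of <Field> elements in an exported .qml and then checks that every field id the query uses is actually listed in indexed_event_fields.txt, which is the check that catches the "only indexed fields work" problem raised later in the thread. The surrounding <Query> element and the one-id-per-line layout of indexed_event_fields.txt are assumptions; the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal exported query with two filter arguments.
# The <Query> wrapper is an assumption; only <Argument>/<Field> is from the thread.
SAMPLE_QML = """<Query name="My Query">
  <Argument>
    <Field byname="true" byuser="true" id="event_ct" name="Event Count" type="0"/>
  </Argument>
  <Argument>
    <Field byname="true" byuser="true" id="src_ip" name="Source IP" type="0"/>
  </Argument>
</Query>"""

# Constructed content of indexed_event_fields.txt (assumed: one field id per line).
SAMPLE_INDEX = "event_ct\nhome_domain\ndestination_interface_name\n"


def swap_fields(qml_text, replacements):
    """Rewrite id/name of each <Field> whose id is a key in `replacements`
    to the (new_id, new_name) pair, as step 3 of the procedure describes.
    Returns the new qml text and the list of ids that were written."""
    root = ET.fromstring(qml_text)
    changed = []
    for field in root.iter("Field"):
        old_id = field.get("id")
        if old_id in replacements:
            new_id, new_name = replacements[old_id]
            field.set("id", new_id)
            field.set("name", new_name)
            changed.append(new_id)
    return ET.tostring(root, encoding="unicode"), changed


def unindexed_fields(qml_text, index_text):
    """Return the sorted field ids used by the query that are missing from
    indexed_event_fields.txt; a query on such a field will not match events."""
    indexed = {line.strip() for line in index_text.splitlines() if line.strip()}
    root = ET.fromstring(qml_text)
    return sorted({f.get("id") for f in root.iter("Field")} - indexed)


if __name__ == "__main__":
    new_qml, changed = swap_fields(SAMPLE_QML, {
        "src_ip": ("destination_interface_name", "Firewall Destination Interface Name"),
    })
    print("rewritten:", changed)
    print("not indexed:", unindexed_fields(new_qml, SAMPLE_INDEX))
```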

Thank you very much for the answer, it's working fine.
And what about the standalone Event Viewer? Is it possible to get similar functionality in that case?

Regards,
Antilles


I ran more tests and I discovered that your solution works only for fields that are normalized. For query/report purposes I want to use some fields that aren't normalized i.e. derived from custom collector. How to do this?

Regards,
Antilles


Hello, I have added logged_dt and create_dt, however even if I use a > sign, it doesn't match the date.

Idea?

Alan Lee

Sr Manager, Regional Product Management, APJ

Enterprise Security Group, Symantec


Hi,

Thanks EPSrat, your wonderful comment really worked for me.
Although editing the indexed_event_fields.txt file at /eventarchieve, restarting the sesaevents service and then editing the .qml file works fine.

But when I use the Query Builder Wizard to create: Event Query -> Event Count By Field, this also works. But I face a problem when I click on the BAR to see the details. No event details are displayed. This is only happening with those queries where I have used the imported .qml file.

Other queries are throwing up the details  successfully when clicking on the BAR.

Please suggest where I am wrong.

Thanks in advance.

Regards
Abhishek Sinha