how to import collector configuration to Collector Studio
Created: 17 Jan 2011 | 7 comments
Hello, I have Collector Studio 2.46 and I downloaded the following Check Point collector:
'Check_Point_Firewall-1_Event_Collector_4.3.24_RHEL3_4_Win2k_XP_EN'.
I would like to import this Check Point collector into Studio, because I would like to customize it. Please, how can I do it? During the import of the collector into Studio, Java gave me an error when loading ... (file not found...ProductInfo.properties...)
Regards Tomas
this is not supported
Hi, Tomas.
This is not supported. With Collector Studio you cannot import a "built" collector.
What changes do you want to make to the collector?
Thanks,
Alexey.
Hi,
here is a fragment from my Check Point collector's checkpoint.log in DEBUG mode:
---
DEBUG 2011-01-17 21:05:41,465 Collectors.3120.wGroup.[workinggroup0] workinggroup0 WorkingGroup "workinggroup0" has new event: "time 1295294740000 action decrypt orig 192.168.1.2 i/f_dir inbound i/f_name External has_accounting 0 product VPN-1 & FireWall-1 __policy_id_tag product=VPN-1 & FireWall-1[db_tag={978713D0-2217-11E0-A474-000000006D6D};mgmt=heat;date=1295254554;policy_name=Standard3] rule 27 rule_uid {1291C0DD-115E-4F44-A15F-D194D5FC9316} SmartDefense profile Default_Protection service_id domain-udp src 172.19.1.200 s_port 51270 dst 172.20.104.5 service 53 proto udp scheme: IKE methods: ESP: 3DES + SHA1 peer gateway 172.19.1.200 community RemoteAccess vpn_user CN=Netolicky Jiri,OU=users,O=heat.korado.cz.z225h3 fw_subproduct VPN-1 vpn_feature_name VPN " (service map: <eventmap><reporting_sensor>Sensor 0</reporting_sensor><TimeOffset></TimeOffset></eventmap>)
DEBUG 2011-01-17 21:05:41,465 Collectors.3120.wGroup.[workinggroup0] workinggroup0 WorkingGroup workinggroup0 translated message --{rule-uid={1291C0DD-115E-4F44-A15F-D194D5FC9316}, tmp_event=time 1295294740000 action decrypt orig 192.168.1.2 i/f_dir inbound i/f_name External has_accounting 0 product VPN-1 & FireWall-1 __policy_id_tag product=VPN-1 & FireWall-1[db_tag={978713D0-2217-11E0-A474-000000006D6D};mgmt=heat;date=1295254554;policy_name=Standard3] rule 27 rule_uid {1291C0DD-115E-4F44-A15F-D194D5FC9316} SmartDefense profile Default_Protection service_id domain-udp src 172.19.1.200 s_port 51270 dst 172.20.104.5 service 53 proto udp scheme: IKE methods: ESP: 3DES + SHA1 peer gateway 172.19.1.200 community RemoteAccess vpn_user CN=Netolicky Jiri,OU=users,O=heat.korado.cz.z225h3 fw_subproduct VPN-1 vpn_feature_name VPN, destination_ip=172.20.104.5, TimeOffset=null, event_detail_id=517200, event_desc=orig 192.168.1.2 i/f_dir inbound i/f_name External has_accounting 0 product VPN-1 & FireWall-1 __policy_id_tag product=VPN-1 & FireWall-1[db_tag={978713D0-2217-11E0-A474-000000006D6D};mgmt=heat;date=1295254554;policy_name=Standard3] rule 27 rule_uid {1291C0DD-115E-4F44-A15F-D194D5FC9316} SmartDefense profile Default_Protection service_id domain-udp src 172.19.1.200 s_port 51270 dst 172.20.104.5 service 53 proto udp scheme: IKE methods: ESP: 3DES + SHA1 peer gateway 172.19.1.200 community RemoteAccess vpn_user CN=Netolicky Jiri,OU=users,O=heat.korado.cz.z225h3 fw_subproduct VPN-1 vpn_feature_name VPN, event_id=742004, source_port=51270, source_interface_name=External, vpn_type_id=747100, EventClassName=symc_vpn_conn_stats, logging_device_name=192.168.1.2, network_direct_id=inbound, option2=VPN, user_name=CN=Netolicky, option3=Standard3, source_ip=172.19.1.200, event_dt=1295294740000, destination_port=53, nw_protocol=udp, raw_event=time 1295294740000 action decrypt orig 192.168.1.2 i/f_dir inbound i/f_name External has_accounting 0 product VPN-1 & FireWall-1 __policy_id_tag product=VPN-1 & FireWall-1[db_tag={978713D0-2217-11E0-A474-000000006D6D};mgmt=heat;date=1295254554;policy_name=Standard3] rule 27 rule_uid {1291C0DD-115E-4F44-A15F-D194D5FC9316} SmartDefense profile Default_Protection service_id domain-udp src 172.19.1.200 s_port 51270 dst 172.20.104.5 service 53 proto udp scheme: IKE methods: ESP: 3DES + SHA1 peer gateway 172.19.1.200 community RemoteAccess vpn_user CN=Netolicky Jiri,OU=users,O=heat.korado.cz.z225h3 fw_subproduct VPN-1 vpn_feature_name VPN , rule=27, reporting_sensor=Sensor 0, info4=CheckPointDecryptSuccess}
DEBUG 2011-01-17 21:05:41,465 Collectors.3120.wGroup.[workinggroup0].SensorThread Thread-19 Sensor thread [Sensor 0] got 13 new events.
---
I would like to see the whole CN (here the CN is "Netolicky Jiri") in some separate item (column) in the SSIM events.
At present, for example in the "User Name" item, there is only "Netolicky". The CN is "cut" immediately after the first space (the space between "Netolicky" and "Jiri").
I had been thinking that with Collector Studio I would be able, for example, to insert the whole CN into "Option 1" or something else.
(I want to use the whole CN for sorting in my reports.)
Can you give me advice on how I can solve this problem?
Regards Tomas
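The truncation Tomas describes is what you get when the Check Point event text is treated as whitespace-separated "key value" pairs: any value containing a space (the vpn_user DN, but equally "product VPN-1 & FireWall-1" or "methods: ESP: 3DES + SHA1") is cut at its first space. The following Python is an added example, not code from this thread or from the Symantec collector. It parses the event quoted from checkpoint.log above with a key-driven tokenizer (a value runs until the next known key), then pulls the CN out of the DN. The key list KNOWN_KEYS is an assumption read off this single record, the function names are mine, and mapping the full DN to "option1" is only an illustration of what Tomas asked for.

```python
import re

# Constructed sample: the event text quoted from checkpoint.log in the thread,
# with the collector's own log prefix and the "(service map: ...)" suffix removed.
SAMPLE = (
    "time 1295294740000 action decrypt orig 192.168.1.2 i/f_dir inbound "
    "i/f_name External has_accounting 0 product VPN-1 & FireWall-1 "
    "__policy_id_tag product=VPN-1 & FireWall-1[db_tag={978713D0-2217-11E0-A474-000000006D6D};"
    "mgmt=heat;date=1295254554;policy_name=Standard3] rule 27 "
    "rule_uid {1291C0DD-115E-4F44-A15F-D194D5FC9316} SmartDefense profile Default_Protection "
    "service_id domain-udp src 172.19.1.200 s_port 51270 dst 172.20.104.5 service 53 "
    "proto udp scheme: IKE methods: ESP: 3DES + SHA1 peer gateway 172.19.1.200 "
    "community RemoteAccess vpn_user CN=Netolicky Jiri,OU=users,O=heat.korado.cz.z225h3 "
    "fw_subproduct VPN-1 vpn_feature_name VPN "
)

# Assumption: the field names this record type can carry, taken from the one
# record above. Values are not quoted in this text form, so the only way to know
# where a value ends is to recognise the start of the next key. Two-token keys
# ("peer gateway", "SmartDefense profile") are tried before single-token ones.
KNOWN_KEYS = frozenset({
    "time", "action", "orig", "i/f_dir", "i/f_name", "has_accounting", "product",
    "__policy_id_tag", "rule", "rule_uid", "SmartDefense profile", "service_id",
    "src", "s_port", "dst", "service", "proto", "scheme:", "methods:",
    "peer gateway", "community", "vpn_user", "fw_subproduct", "vpn_feature_name",
})


def naive_vpn_user(text):
    """The behaviour the thread reports: take the run of non-space characters
    after 'vpn_user', which cuts a DN at its first space."""
    m = re.search(r"\bvpn_user (\S+)", text)
    return m.group(1) if m else None


def parse_record(text, keys=KNOWN_KEYS):
    """Key-driven tokenizer: a value is every token up to the next known key.
    Limitation inherent to the text form, not fixable here: a value token that
    is itself a key name (a community literally called 'service') is misread."""
    tokens = text.split()
    fields = {}
    key = None
    i = 0
    while i < len(tokens):
        pair = " ".join(tokens[i:i + 2]) if i + 1 < len(tokens) else None
        if pair in keys:
            key, i = pair, i + 2
            fields[key] = []
        elif tokens[i] in keys:
            key, i = tokens[i], i + 1
            fields[key] = []
        else:
            if key is None:
                raise ValueError(f"value before any key: {tokens[i]!r}")
            fields[key].append(tokens[i])
            i += 1
    return {k: " ".join(v) for k, v in fields.items()}


def dn_attribute(dn, attr="CN"):
    """First value of `attr` in an RFC 4514-style DN. Splits only on commas that
    are not backslash-escaped, so 'CN=Doe\\, Jane,OU=x' keeps the comma in the CN."""
    for rdn in re.split(r"(?<!\\),", dn):
        name, sep, value = rdn.partition("=")
        if sep and name.strip().upper() == attr.upper():
            return value.replace("\\,", ",").strip()
    return None


def user_fields(text):
    """What Tomas wants out of the event: the whole CN as the user name and the
    full DN in a spare field, next to the truncated value for comparison.
    Using 'option1' as the destination field is an assumption."""
    rec = parse_record(text)
    dn = rec.get("vpn_user")
    return {
        "user_name_truncated": naive_vpn_user(text),
        "user_name": dn_attribute(dn) if dn else None,
        "option1": dn,
    }


if __name__ == "__main__":
    for k, v in user_fields(SAMPLE).items():
        print(f"{k:22} {v}")
```

Run stand-alone it prints the truncated "CN=Netolicky" beside "Netolicky Jiri" and the full DN. The key list is the whole design: there is no delimiter in this text form that marks the end of a value, so the parser has to be told which tokens start a field, and a new Check Point field name that is not in the list will silently be absorbed into the previous value. If the collector has access to the structured OPSEC LEA fields rather than this flattened text, none of this guessing is needed.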
it makes sense
Hi, Tomas.
What you outlined is definitely a bug in the collector. I will file a defect and I am almost sure this will be included in the next LiveUpdate release (the estimate is by the end of March).
Does it work for you?
Thanks,
Alexey.
Hi Alexey,
is it enough information for me that this bug will be repaired by a new collector release?
The new release won't be earlier than the end of March? :-)))
I suppose, when I upgrade SSIM to 4.7 with the latest SP version, there will be the same collector release?
Thanks, Tomas
SSIM upgrade won't upgrade your collectors. You will need to run LiveUpdate manually:
through the LiveUpdate page in the SSIM Web UI for on-box collectors (installed on the SSIM server), or by running runliveupdate.bat/sh for off-box collectors.
Does having the fix by March work for you?
Thanks,
Alexey.
Tomas, you're right, the new Collectors LiveUpdate release is scheduled for the beginning of April.
Yes, any SSIM installation contains the released build of collectors and you need to run LiveUpdate for collectors to receive the latest version.
-Tatyana
I need some "workaround" until April :-)
Do you think I can use the simsar.jar utility from the /opt/Symantec/simserver/lib directory to export RAW_EVENT to MS Excel?
I tried to create a suitable command (condition):
java -jar simsar.jar -a /eventarchive/ssimlogs/2011 ...
with options -s, -e and -q, but without result.
It would be enough for me, for example, to export events to XLS with this range: last month, Product = Check Point(R) FireWall-1 Collector (product_id = 3120) and Event Type ID = User Authenticated (event_id = 512003), but my syntax is still wrong :-(((
Please, can you help me create this condition?
Many thanks, Tomas