SSIM & "additional" DataStore

Created: 28 Jan 2013 • Updated: 21 Feb 2013 | 4 comments
This issue has been solved. See solution.

Hello, friends!

Can you explain to me how to store event archive files (from /eventarchive) on remote storage and still be able to run queries on these events in the SSIM console?

I guess I need to set up a new DataStore!? But how?

I'll be very grateful for your help...

alexovi4

Hello.

"DataStores" is storage for the incidents, alerts and tickets of your SSIM installation. "DataStores" is not used for archive storage.

If you want to store the event archive on remote storage, please:

- specify the type of storage (DAS or NAS);

- attach the storage to SSIM;

- configure rules for archiving events in the following section of the SSIM console: Server Configuration->SSIM Domain->SSIM Archive Role Server->Event Storage Rule;

- after completing the previous steps you can create any query in the SSIM console for event data.

I hope it helps.

masta_blasta

OK! I attached a NAS partition to the SSIM via the web console. Then I configured rules for archiving events, as in picture 1 (I need to store all events younger than 28 Feb. 2013 in the NAS partition).

However, if I try to execute a query in the "newevents" archive (as in picture 2), I get no result (there are no events). But if I manually copy some event files from the "default archive" to "newevents" (with WinSCP) and make a query in "newevents", it works!!! (I can see the events.)

And, at the same time, the real-time events continue to come to the "default archive".

What's the problem?

alexovi4

It happens because the "Default Archive" rule is located before "newevents".

If you want to write all events to the "nastest" folder:

- place the rule "newevents" before "Default";

If you want to write only Cisco logs (for example) to the "nastest" folder:

- add a filter to the "newevents" rule;

- place the rule "newevents" before "Default".

SOLUTION
alexovi4

You can find some useful information in the following TECH articles:

- http://www.symantec.com/docs/HOWTO11392

- http://www.symantec.com/docs/TECH137518

- http://www.symantec.com/docs/HOWTO11391