SSIM & "additional" DataStore
Created: 28 Jan 2013 | Updated: 21 Feb 2013 | 4 comments
This issue has been solved. See solution.
Hello, friends!
Can you explain to me how to store event archive files (from /eventarchive) on remote storage and still be able to run queries on these events in the ssim-console?
I guess I need to set up a new DataStore!? But how?
I'll be very grateful for your help...
4 Comments
Hello.
"DataStores" is storage for the incidents, alerts, and tickets of your SSIM installation. "DataStores" is not used for archive storage.
If you want to store the event archive on remote storage, please:
- specify the type of storage (DAS or NAS);
- attach the storage to SSIM;
- configure rules for archive events in the following section of the SSIM console: Server Configuration -> SSIM Domain -> SSIM Archive Role Server -> Event Storage Rule;
- after completing the previous steps, you can create any query in the SSIM console for event data.
I hope it helps.
OK! I attached a NAS partition to the SSIM via the web console. Then I configured rules for archive events, as in picture1 (I need to store all events younger than 28 Feb. 2013 in the NAS partition).
However, if I try to execute a query in the "newevents" archive (as in picture2), I get no results (there are no events). But if I manually copy some event files from the "default archive" to "newevents" (with WinSCP) and make a query in "newevents", it works!!! (I can see the events.)
And, at the same time, the real-time events continue to come to the "default archive".
What's the problem?
It happens because the "Default Archive" rule is located before "newevents".
If you want to write all events to the "nastest" folder:
- place the rule "newevents" before "Default".
If you want to write only Cisco logs (for example) to the "nastest" folder:
- add a filter to the "newevents" rule;
- place the rule "newevents" before "Default".
Some useful information can be found in the following TECH articles:
- http://www.symantec.com/docs/HOWTO11392
- http://www.symantec.com/docs/TECH137518
- http://www.symantec.com/docs/HOWTO11391
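The rule-order behaviour described in the last reply, as an added example that is not part of the original thread and is not SSIM code: a small Python model that assumes storage rules are evaluated top to bottom and the first matching rule wins, as the reply implies. The class, the function names and the sample events are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Event = dict  # constructed event shape: {"product": str, "msg": str}

@dataclass
class StorageRule:
    name: str
    archive: str                                        # target archive folder
    matches: Optional[Callable[[Event], bool]] = None   # None = no filter (catch-all)

    def accepts(self, event: Event) -> bool:
        return self.matches is None or self.matches(event)

def route(rules, event):
    """Archive of the first rule that accepts the event (assumed first-match)."""
    for rule in rules:
        if rule.accepts(event):
            return rule.archive
    return None

def shadowed(rules):
    """Names of rules listed after a catch-all rule; they never receive events."""
    names, seen_catch_all = [], False
    for rule in rules:
        if seen_catch_all:
            names.append(rule.name)
        if rule.matches is None:
            seen_catch_all = True
    return names

# Rules named after the ones in the thread; the Cisco filter is a stand-in.
default = StorageRule("Default Archive", "default")
newevents_all = StorageRule("newevents", "nastest")
newevents_cisco = StorageRule("newevents", "nastest",
                              lambda e: e["product"] == "Cisco")

# Constructed sample events
cisco = {"product": "Cisco", "msg": "link down"}
other = {"product": "Windows", "msg": "logon"}

if __name__ == "__main__":
    print(route([default, newevents_all], cisco))    # order from the thread
    print(shadowed([default, newevents_all]))        # why "newevents" stays empty
    print(route([newevents_cisco, default], cisco))  # filtered rule placed first
    print(route([newevents_cisco, default], other))  # everything else
```

Running `shadowed()` over the rule list after each reordering shows whether any rule has been left unreachable behind an unfiltered one.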