
SSIM & "additional" DataStore

Created: 28 Jan 2013 • Updated: 21 Feb 2013 | 4 comments
This issue has been solved. See solution.

Hello, friends!

Can you explain to me how to store event archive files (from /eventarchive) on remote storage and be able to query these events in the ssim-console?

I guess I need to set up a new DataStore!? But how?

I'll be very grateful for your help...


alexovi4's picture

Hello.

"DataStores" is storage for the incidents, alerts and tickets of your SSIM installation. "DataStores" is not used for archive storage.

If you want to store the event archive on remote storage, please:

- specify the type of storage (DAS or NAS)?;

- attach the storage to SSIM;

- configure rules for archive events in the following section of SSIM's console: Server Configuration->SSIM Domain->SSIM Archive Role Server->Event Storage Rule;

- after completing the previous steps you can create any query in the SSIM console for event data.

I hope it helps.

masta_blasta's picture

OK! I attached a NAS partition to the SSIM via the web-console. Then I configured rules for archive events, as in picture1 (I need to store all events younger than 28 Feb. 2013 in the NAS partition).

However, if I try to execute a query in the "newevents" archive (as in picture2), I get no result (there are no events). But if I manually copy some event files from the "default archive" to "newevents" (with WinSCP) and make a query in "newevents", it works!!! (I can see the events.)

And, at the same time, the real-time events continue to come to the "default archive".

What's the problem?

alexovi4's picture

It happens because the "Default Archive" rule is located before "newevents".

If you want to write all events to the "nastest" folder:

- place the "newevents" rule before "Default".

If you want to write only Cisco logs (for example) to the "nastest" folder:

- add a filter to the "newevents" rule;

- place the "newevents" rule before "Default".

SOLUTION
alexovi4's picture

You can find some useful information in the following TECH articles:

- http://www.symantec.com/docs/HOWTO11392

- http://www.symantec.com/docs/TECH137518

- http://www.symantec.com/docs/HOWTO11391