
SSIM cannot use Original Event Date on reports

Created: 02 Sep 2012 • Updated: 07 Sep 2012 | 5 comments
Capek Vladimir Czech Rep

Hi,

I will describe the situation. The customer has SSIM 4.7 and SEP 12.1 with SQL Server. Sometimes it happens that the collector hangs. When I solve the problem, the collector sends the cached events to SSIM.

ISSUE:

All SSIM reports that can be used with the SEP product use the value from EventDate.

What happens:

If the customer has approximately 0-10 virus incidents every day and the collector hangs, then after 2 weeks, when the collector sends the events to SSIM again, the reports cannot show that there were 0-10 virus incidents per day. The report shows that for 13 days there was no virus incident, and on the 14th day (the day the collector was repaired) it shows all virus incidents on the same date. Why?

Every virus incident has many values, such as virus name and computer name, and there are also the values EventDate and Original Event Date.

I need the reports to use not the value EventDate but OriginalEventDate...

Any solution? Thanks, Vladimir


CraigV

...moved to the correct forum!


MegL

You actually have a very common situation.

The question is what you are trying to report on and for what purpose. The reason that is the question is because, in the situation you describe, let's take it a step farther:

- A person on an endpoint has a virus detected on the 30th of the month.
- They don't connect to the server until the 3rd.
- You run a report for "all virus detections in last month" on the 31st.
- You do not have the virus from the endpoint, because it will not be sent to SSIM until the 3rd.

This is why most of the canned SSIM reports and queries show when the events get to SSIM as the triggering date, in case you don't know you have these situations. There isn't a good canned option that would cover both in an obvious way.

I cannot tell by the question that you have asked what type of query you are trying to run. In some cases you will have a radio button at the top of the query to select Logged Date/Time vs Event Date/Time, but that is not available in all query types.

Capek Vladimir Czech Rep

Hi,

Thanks much to you for the reply.

The option Logged Date/Time vs EventDate/Time is not possible. The dates are the same. If the option could be EventDate/Time vs OriginalEventDate/Time, then SSIM would be a good product.


Vladimir Capek

Security Software Consultant

KathyV

The Original Event Date field is only populated when the actual event date is later than the logged event date, so SSIM will adjust the event date to the logged event date and use Original Event Date to record the date from the raw event.

Avkash K

Hi,

Create a new query and check the filter option within the Results tab, where you have the option to filter on Original Event Date.

Write a query in the format "Original Event Date < MM/DD/YYYY".


Regards,

Avkash K
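To make the effect discussed in this thread concrete, here is an added example (not SSIM code or anything from Symantec) that builds a constructed batch of virus detections released by a collector on its repair day and counts them per day both ways: by logged EventDate, as the canned reports do, and by Original Event Date with a fallback to EventDate for rows where that field is not populated. The field names, dates and the `delayed_events` lag check are assumptions for the illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample: a SEP collector hung on the 1st and was repaired on the
# 14th, so two weeks of virus detections all reached SSIM on the same day.
# event_date is the date SSIM logged the event; original_event_date is the
# date the endpoint actually saw the virus, or None when not populated.
REPAIR_DAY = date(2012, 8, 14)
SAMPLE_EVENTS = [
    {"virus": "EICAR-Test-File", "host": f"ws{i:02d}",
     "event_date": REPAIR_DAY,
     "original_event_date": date(2012, 8, 1) + timedelta(days=i % 14)}
    for i in range(28)
] + [
    # an event that arrived on time: Original Event Date not populated
    {"virus": "EICAR-Test-File", "host": "ws99",
     "event_date": REPAIR_DAY, "original_event_date": None},
]


def report_day(event):
    """Date a report should attribute the detection to: the original event
    date when SSIM recorded one, otherwise the logged event date."""
    return event["original_event_date"] or event["event_date"]


def daily_counts(events, by_original=True):
    """Detections per day, keyed either the way the canned SSIM reports do
    (logged EventDate) or by the original detection date."""
    key = report_day if by_original else (lambda e: e["event_date"])
    return Counter(key(e) for e in events)


def delayed_events(events, max_lag_days=1):
    """Events whose logging lagged the original detection by more than
    max_lag_days: a simple check for a collector that stopped forwarding."""
    return [e for e in events if e["original_event_date"]
            and (e["event_date"] - e["original_event_date"]).days > max_lag_days]


if __name__ == "__main__":
    print("by logged date:  ", dict(daily_counts(SAMPLE_EVENTS, by_original=False)))
    print("by original date:", dict(sorted(daily_counts(SAMPLE_EVENTS).items())))
    print("delayed events:  ", len(delayed_events(SAMPLE_EVENTS)))
```

Keyed by logged date, all 29 detections land on the repair day; keyed by original date they spread back over the 14 days they actually occurred, which is the view the original poster wants.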