How to run SmartEvent Offline Jobs for multiple log files
Solution

To run SmartEvent Offline Jobs for multiple files at once, perform the following steps on the SmartEvent server (running on Gaia / SecurePlatform / Linux OS):

  1. On a SmartEvent NGSE server (step 1 does not apply to R80 and R80.10):

    An additional hotfix is required before doing this procedure.

    1. Install the hotfix from sk111313 - SmartEvent NGSE Stability and Enhancements hotfix (Build 901003089_1 and above).

    2. Reboot the machine.

    3. Enable the relevant event definition in SmartEvent NGSE GUI.

    4. Proceed to the next step.

  2. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  3. In SmartDashboard, make sure that the object of the SmartEvent server is defined and that the following blades are enabled in the object (on the 'Management' tab):

    • Logging & Status

    • SmartEvent Correlation Unit

  4. Connect with SmartEvent GUI client to SmartEvent Server.

  5. In SmartEvent GUI client:

    1. Go to 'Policy' tab

    2. Go to 'General Settings'

    3. Go to 'Initial Settings'

    4. Go to 'Correlation Units'

    5. Define the local Correlation Unit to use (read logs from) the local Log Server

  6. In SmartEvent GUI client, go to 'Actions' menu - click on 'Install Event Policy' - install the policy onto the local Correlation Unit.

  7. Copy the offline log files and their pointer files (*.log, *.logptr, *.logaccount_ptr, *.loginitial_ptr) to some other directory on the SmartEvent server (e.g., /var/log/offline).

  8. Download the required tools:

    To download these packages you will need to have a Software Subscription or Active Support plan.

    SmartEvent server Version and OS                                     | Link
    -------------------------------------------------------------------- | -----
    R77, R77.10, R77.20, R77.30, NGSE on Gaia / SecurePlatform / Linux   | (TGZ)
    R80, R80.10, and R80.20 on Gaia (*)                                  | (TGZ)

    (*) Effective as of 25 June 2017, this package was replaced to add support for R80.10.

  9. Copy the SmartEvent Offline Jobs tool (OfflineJobExecuter_<VERSION>.tgz) file to the SmartEvent server (into some directory, e.g., /some_path_to_tool/).

  10. Connect to the command line on the SmartEvent server (over SSH, or console).

  11. Log into Expert mode.

  12. Unpack the tool package:

    [Expert@HostName]# cd /some_path_to_tool/
    [Expert@HostName]# tar -zxvf OfflineJobExecuter_<VERSION>.tgz
  13. Assign the execute permission to the tool files:

    [Expert@HostName]# chmod a+x OfflineJobExecuter
    [Expert@HostName]# chmod a+x fwm_cmd_client
  14. Run the tool from the same path where it was unpacked in step 12 (use this exact syntax with "nohup"):

    [Expert@HostName]# nohup ./OfflineJobExecuter -p <Path_to_the_Directory_with_Log_Files>

    Notes:

    • The OfflineJobExecuter tool is used only to send the logs through the Correlation Unit to find correlated events.

    • Monitor the progress in the OfflineJobStatus.txt file.
      Note: This file will be created in the same directory where OfflineJobExecuter was executed (only when the tool runs).

    • If the tool stops, continue the procedure by running:

      [Expert@HostName]# nohup ./OfflineJobExecuter -c

      Note: You can also refer to the nohup.out file that is created in the same directory where OfflineJobExecuter was executed (or in the $HOME directory).
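Before running step 14, it is worth confirming that every offline log in the directory is accompanied by the three pointer files named in step 7, since a log without them cannot be processed. The following POSIX shell helpers are an added example, not part of this SecureKnowledge article or of the OfflineJobExecuter tool; the file names used in the comments are constructed.

```shell
#!/bin/sh
# Pre-flight check for step 7: each <name>.log needs <name>.logptr,
# <name>.logaccount_ptr and <name>.loginitial_ptr next to it.
# Added example, not part of the sk article or the Check Point tool.

# Suffixes of the pointer files that must accompany each <name>.log
PTR_SUFFIXES="logptr logaccount_ptr loginitial_ptr"

# check_offline_logs DIR
# Prints one line per missing pointer file. Returns 0 when every *.log in
# DIR is complete, 1 when a pointer file is missing, 2 when DIR has no *.log.
check_offline_logs() {
    dir="$1"
    found=0
    missing=0
    for log in "$dir"/*.log; do
        [ -f "$log" ] || continue        # no match leaves the literal pattern
        found=$((found + 1))
        base="${log%.log}"
        for sfx in $PTR_SUFFIXES; do
            if [ ! -f "$base.$sfx" ]; then
                echo "missing: $base.$sfx"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$found" -gt 0 ] || return 2
    [ "$missing" -eq 0 ]
}

# stage_offline_log SRC_LOG DST_DIR
# Copies one .log together with its pointer files into DST_DIR
# (e.g. /var/log/offline). Copies nothing if a pointer file is absent.
stage_offline_log() {
    src="$1"
    dst="$2"
    base="${src%.log}"
    for sfx in $PTR_SUFFIXES; do
        [ -f "$base.$sfx" ] || { echo "cannot stage $src: $base.$sfx missing" >&2; return 1; }
    done
    mkdir -p "$dst" || return 1
    cp "$src" "$dst"/ || return 1
    for sfx in $PTR_SUFFIXES; do
        cp "$base.$sfx" "$dst"/ || return 1
    done
}
```

Run `check_offline_logs /var/log/offline` in Expert mode before launching `nohup ./OfflineJobExecuter -p /var/log/offline`; a non-zero return means the directory is not ready.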

Important Note: Once the tool finishes running, an indication for the recently performed offline job will not appear in the SmartEvent GUI. This is the expected behavior.

Important Note (relevant for SmartEvent NGSE only): Some of the blades are not updated automatically with the new imported offline jobs. To update them, copy the relevant logs into the $FWDIR/logs/ directory, and SmartEvent NGSE will be updated automatically (a reboot may be necessary).

Alternatively, it is possible to send the logs to the Log Server using the CPLogLogSender utility (available as part of the Security Checkup Tool package - refer to the "Security Checkup Tool v1.204 for R77.30 Administration Guide" provided in sk83500 - How to run a Mirror Port Proof of Concept (PoC)).
