13.3 Using the SDM Command Line

The SDM command line functions can be used instead of the GUI. The command line can be used to create a batch file or cron job for SDM operations, but Novell recommends using auto-archiving instead. Auto-archiving can be configured on the Partition Configuration tab of the SDM GUI.

13.3.1 Prerequisite

The first step to using the SDM command line is to create a file that stores the connection properties for the database.

13.3.2 Syntax of the SDM command

[path to SDM] -action [actionname] [action-specific flags] [path to database connection file]

The specific flags for each action are described below.

13.3.3 Starting the SDM GUI

startGui (DEFAULT)
-action startGui [-connectFile <filePath>]

13.3.4 Saving Connection Properties for Sentinel Data Manager

The saveConnection command saves the database connection details to a specified file. These connection details are necessary for all other SDM command line operations.

If you run the SDM GUI with Save connection settings selected, the saveConnection command is not necessary. You can use the sdm.connect file located in <install_directory>/sdm.

The saveConnection command uses the following flags:

Table 13-2 saveConnection command Flags

  Command        Command Flags
  -action        saveConnection
  -server        <postgresql>
  -host          <database host IP address or host name to connect to>
  -port          <database port number to connect to>
  -database      <database name/SID>
  -driverProps   <Properties File>
  -dbuser        <database username>
  -password      <database password>
  -winAuth       Used for Windows authentication. When using this option, -user and -password are not needed.
  -connectFile   <filenameToSaveConnection>

The application saves all the above connection details along with the encrypted password to the sdm.connect file. All other SDM command line commands refer to the specified file. This step should be completed the first time you use the SDM command line on a machine and every time you want to change the connection details the application uses.

To run saveConnection:

  1. Execute the command as follows:

    -action saveConnection -server <postgresql> -host <hostIpaddress/hostName> -port <portnum> -database <databaseName/SID> [-driverProps <propertiesFile>] {-user <dbUser> -password <dbPass> | -winAuth} -connectFile <filenameToSaveConnection>
    

    The following example saves the connection details for a host with an IP address of 10.0.0.1 at port 5432.

    • PostgreSQL Example:

      -action saveConnection -server postgresql -host 10.0.0.1 -port 5432 -database SIEM -user dbauser -password xxxxxx -connectFile sdm.connect
      

    This saves the connection details to the sdm.connect file. The rest of the commands take this file name as input to connect to the designated database and perform their actions.

13.3.5 Adding Partitions

The addPartitions action adds the required number of partitions in the following tables according to the partition configuration settings:

  • PostgreSQL:

    • EVENTS

    • AUDIT_RECORD

    • CORRELATED_EVENTS

    • EVT_DEST_EVT_NAME_SMRY_1

    • EVT_DEST_SMRY_1

    • EVT_DEST_TXNMY_SMRY_1

    • EVT_PORT_SMRY_1

    • EVT_SEV_SMRY_1

    • EVT_SRC_SMRY_1

NOTE: Partitions are added to the database for both events and correlated events if you select either of those two tables. Partitions are added for all the summary tables if you select any one of them.

If you have configured the database to have 10 days' worth of partitions, every time you run addPartitions it checks whether 10 days of partitions are available. If there are enough partitions for the next 10 days, it does nothing; if not, it adds the required number of partitions.

This action uses the following flags:

Table 13-3 Adding Partition Flags

  Command        Command Flags
  -action        addPartitions
  -connectFile   <filePath>
  -tableName     <table name>
  -keepDays      <days to add>

To run addPartitions:

  1. Execute this command as follows:

    -action addPartitions -connectFile <filePath> -tableName <table name> -keepDays <days to add>
    
    ./sdm -action addPartitions -connectFile sdm.connect -tableName EVENTS -keepDays 10 
    

13.3.6 Dropping Partitions

The dropPartitions action drops all partitions older than the number of days given by the keepDays flag from the following tables:

  • EVENTS

  • AUDIT_RECORDS

  • CORRELATED_EVENTS

  • EVT_DEST_EVT_NAME_SMRY_1

  • EVT_DEST_SMRY_1

  • EVT_DEST_TXNMY_SMRY_1

  • EVT_PORT_SMRY_1

  • EVT_SEV_SMRY_1

  • EVT_SRC_SMRY_1

To prevent unintentional loss of data, this action does not drop any partitions that are not archived. If you want to delete unarchived partitions, use the forceDelete flag.

WARNING: If -forceDelete is used, the deleted data cannot be recovered, so use this option with caution.

This action uses the following flags:

Table 13-4 Dropping Partition Flags

  Command                   Command Flags
  -action                   dropPartitions
  -keepDays                 <number of days to keep>
  -forceDelete (optional)   <either "true" or "false">
                            This defaults to false if not specified, meaning that only the partitions that are older than keepDays and are already archived are dropped.
                            If this is set to true, all partitions older than keepDays are dropped, even if they have not been archived.
  -connectFile              <filePath>
  -tableName                <table name>

NOTE: Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in a group is specified by the -tableName parameter, the dropPartitions operation is applied to all tables in that group.

To run dropPartitions:

  1. Execute this command as follows:

    -action dropPartitions -keepDays <numberofDaysToKeep> -tableName <table name> [-forceDelete <true/false>] -connectFile <filePath>
    

    The following example drops all partitions older than 30 days, provided they have been archived. Partitions that were skipped (not removed) because they have not been archived are listed when the operation completes.

    PostgreSQL Example:

    ./sdm -action dropPartitions -keepDays 30 -tableName CORRELATED_EVENTS -forceDelete false -connectFile sdm.connect
    

13.3.7 Viewing Partition Summaries

The viewPartitions action displays the partition summary of the following supported tables:

  • EVENTS

  • AUDIT_RECORDS

  • CORRELATED_EVENTS

  • EVT_DEST_EVT_NAME_SMRY_1

  • EVT_DEST_SMRY_1

  • EVT_DEST_TXNMY_SMRY_1

  • EVT_PORT_SMRY_1

  • EVT_SEV_SMRY_1

  • EVT_SRC_SMRY_1

NOTE: You need to have the SDM installed in order to view the partition summary.

This command uses the following flags:

Table 13-5 Viewing Partition Summaries Flags

  Command        Command Flags
  -action        viewPartitions
  -tableName     <table name>
  -connectFile   <filePath>

To view partition summaries:

  1. Execute this command as follows:

    -action viewPartitions -tableName <table name> -connectFile <filePath>
    

    The following example displays the list of partitions of the EVENTS table and the status of each partition.

    ./sdm -action viewPartitions -tableName EVENTS -connectFile sdm.connect
    

13.3.8 Archiving Data

Run the archiveData action after you set your archive configuration (configured in the Partition Configuration tab in the SDM GUI). This action archives the data from the given table name according to the archive configuration. It archives data from:

  • EVENTS

  • AUDIT_RECORDS

  • CORRELATED_EVENTS

  • EVT_DEST_EVT_NAME_SMRY_1

  • EVT_DEST_SMRY_1

  • EVT_DEST_TXNMY_SMRY_1

  • EVT_PORT_SMRY_1

  • EVT_SEV_SMRY_1

  • EVT_SRC_SMRY_1

NOTE: Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in a group is specified by the -tableName parameter, the archiveData operation is applied to all tables in that table group.

This command uses the following flags:

Table 13-6 Archiving Data Flags

  Command        Command Flags
  -action        archiveData
  -connectFile   <filePath>
  -tableName     <table name>
  -keepDays      <numberOfDaysToKeep>

To run archiveData:

  1. Execute this command as follows:

    -action archiveData -connectFile <filePath> -tableName <table name> -keepDays <numberOfDaysToKeep>
    

    The following example archives events and correlated events from the EVENTS and CORRELATED_EVENTS tables according to the value set during archive configuration.

    ./sdm -action archiveData -connectFile sdm.connect -tableName EVENTS -keepDays 30
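
A maintenance script that strings the addPartitions, archiveData and dropPartitions actions together, which is the cron-job use mentioned at the start of 13.3. This is an added example, not Novell's own script: it refuses to run while the sdm.connect file written by saveConnection is readable by anyone but its owner (the file carries the database connection details), and it drops only archived partitions. It assumes sdm is at ./sdm (override with SDM), that CONNECT_FILE was written by saveConnection, and that sdm exits non-zero when an action fails.

```shell
#!/bin/sh
# Nightly SDM maintenance job (added example, not Novell's own script). It chains
# the addPartitions, archiveData and dropPartitions actions the way a cron job
# built from this section would, and never drops unarchived data (forceDelete false).
# Assumptions: SDM is the sdm launcher, CONNECT_FILE was written by saveConnection,
# and sdm exits non-zero when an action fails.
SDM="${SDM:-./sdm}"
CONNECT_FILE="${CONNECT_FILE:-sdm.connect}"
KEEP_DAYS="${KEEP_DAYS:-30}"   # same value for archive and drop, so drop only meets archived partitions
ADD_DAYS="${ADD_DAYS:-10}"     # days of partitions to keep ahead, as in the addPartitions example

# sdm.connect holds the database connection details (with the encrypted password):
# refuse to run unless it exists and only its owner can read it.
check_connect_file() {
    [ -f "$1" ] || { echo "$1 not found; run saveConnection first" >&2; return 1; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1 is readable by group or others; chmod 600 it" >&2; return 1 ;;
    esac
}

# Prints one sdm argument list: -action <name> <action flags> -connectFile <file>.
sdm_args() {
    action="$1"; shift
    echo "-action $action $* -connectFile $CONNECT_FILE"
}

# Runs the three actions in order for one table of each partition group; the guide's
# notes say that naming one table applies the action to its whole group.
run_maintenance() {
    check_connect_file "$CONNECT_FILE" || return 1
    for table in EVENTS EVT_SEV_SMRY_1; do
        $SDM $(sdm_args addPartitions -tableName "$table" -keepDays "$ADD_DAYS") || return 1
        $SDM $(sdm_args archiveData -tableName "$table" -keepDays "$KEEP_DAYS") || return 1
        $SDM $(sdm_args dropPartitions -tableName "$table" -keepDays "$KEEP_DAYS" -forceDelete false) || return 1
    done
}

# Invoke as "sh sdm_maintenance.sh run" from cron; sourcing the file only defines the functions.
if [ "${1:-}" = run ]; then run_maintenance; fi
```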
    

13.3.9 Importing Data

The importData action imports data between the given dates into the Sentinel database so it can be used for historical reporting or other purposes. The data is imported into the following tables:

  • EVENTS

  • AUDIT_RECORDS

  • CORRELATED_EVENTS

  • EVT_DEST_EVT_NAME_SMRY_1

  • EVT_DEST_SMRY_1

  • EVT_DEST_TXNMY_SMRY_1

  • EVT_PORT_SMRY_1

  • EVT_SEV_SMRY_1

  • EVT_SRC_SMRY_1

NOTE: The tables are imported in Oracle with the same name they are archived with.

If the data has already been imported or there is no archived data found between the specified dates, the command returns a notification.

The application imports data from each file into a table and builds the historical view on all the historical tables. The report view joins on the original table and historical view. All Sentinel reports use the report view, so they see any imported data.

This command uses the following flags:

Table 13-7 Importing Data Flags

  Command        Command Flags
  -action        importData
  -tableName     <table name>
  -startDate     <mm/dd/yyyy hh24:mi:ss>
  -endDate       <mm/dd/yyyy hh24:mi:ss>
  -connectFile   <filePath>

hh24 is hours represented in 24-hour format. For example, 1:15:00 p.m. is 13:15:00 and 3:00:00 a.m. is 03:00:00.

NOTE: The files to be imported must exist in the directory with their original file names.

To run importData:

  1. Place all the files you want to import in a specific directory (that is, dirPath - <directory to import files from>) and execute the following command:

    -action importData -startDate <mm/dd/yyyy hh24:mi:ss> -endDate <mm/dd/yyyy hh24:mi:ss> -tableName <table name> -connectFile <filePath>
    

    The following example imports the archived files from the tmp directory containing the data between 09/25/2007 00:00:00 (Sep 25 midnight) and 09/26/2007 00:00:00 (Sep 26 midnight).

    ./sdm -action importData -startDate 09/25/2007 00:00:00 -endDate 09/26/2007 00:00:00 -tableName Events -connectFile sdm.connect
    

13.3.10 Deleting Imported Data

The dropImported action deletes the imported data between the given dates from the following supported tables:

  • EVENTS

  • AUDIT_RECORDS

  • CORRELATED_EVENTS

  • EVT_DEST_EVT_NAME_SMRY_1

  • EVT_DEST_SMRY_1

  • EVT_DEST_TXNMY_SMRY_1

  • EVT_PORT_SMRY_1

  • EVT_SEV_SMRY_1

  • EVT_SRC_SMRY_1

NOTE: The tables are imported in Oracle with the same name they are archived with.

If there is no data imported between two specified dates, the command returns a notification.

This command uses the following flags:

Table 13-8 Deleting Imported Data Flags

  Command        Command Flags
  -action        dropImported
  -startDate     <mm/dd/yyyy hh24:mi:ss>
  -endDate       <mm/dd/yyyy hh24:mi:ss>
  -tableName     <table name>
  -connectFile   <filePath>

NOTE: hh24 is hours represented in 24-hour format. For example, 1:15:00 p.m. is 13:15:00 and 3:00:00 a.m. is 03:00:00.

To run dropImported:

  1. Execute this command as follows:

    -action dropImported -startDate <mm/dd/yyyy hh24:mi:ss> -endDate <mm/dd/yyyy hh24:mi:ss> -tableName <table name> -connectFile <filePath>
    

    The following example deletes the imported data between the given dates from the tables.

    ./sdm -action dropImported -startDate 09/25/2007 00:00:00 -endDate 09/26/2007 00:00:00 -tableName Events -connectFile sdm.connect
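
Both importData (13.3.9) and dropImported (13.3.10) take the same pair of mm/dd/yyyy hh24:mi:ss dates, and a malformed date or a reversed range is easy to type. The shell functions below are an added example, not part of the Novell guide: they validate the two dates and build the sdm argument list before anything reaches the database, assuming sdm is at ./sdm (override with SDM), that sdm.connect exists, and that sdm accepts the date as two words (date, then time), as the guide's own examples pass it.

```shell
#!/bin/sh
# Argument checks for importData and dropImported (added example, not the Novell guide's
# own script). Both actions take -startDate/-endDate as "mm/dd/yyyy hh24:mi:ss"; a
# malformed date or a reversed range is rejected here instead of being handed to sdm.
# Assumptions: SDM is the sdm launcher and CONNECT_FILE was written by saveConnection.
SDM="${SDM:-./sdm}"
CONNECT_FILE="${CONNECT_FILE:-sdm.connect}"

# Returns 0 when $1 is mm/dd/yyyy hh24:mi:ss with every field in range
# (the day is only checked against 31, not against the month's real length).
valid_sdm_date() {
    case "$1" in
        [0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=${1%%/*}; rest=${1#*/}; dd=${rest%%/*}; rest=${rest#*/}
    hms=${rest#* }; hh=${hms%%:*}; rest=${hms#*:}; mi=${rest%%:*}; ss=${rest#*:}
    # drop one leading zero so "08" is compared as 8 rather than read as octal
    mm=${mm#0}; dd=${dd#0}; hh=${hh#0}; mi=${mi#0}; ss=${ss#0}
    [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] &&
        [ "$hh" -le 23 ] && [ "$mi" -le 59 ] && [ "$ss" -le 59 ]
}

# Prints the date as yyyymmddhhmiss so two dates can be compared as integers.
sdm_date_key() {
    mdy=${1%% *}; hms=${1#* }
    mm=${mdy%%/*}; rest=${mdy#*/}; dd=${rest%%/*}; yyyy=${rest#*/}
    echo "${yyyy}${mm}${dd}$(echo "$hms" | tr -d :)"
}

# Prints the full sdm argument list for importData or dropImported, or fails with a
# message when either date is malformed or startDate is not before endDate.
sdm_range_args() {
    action="$1"; start="$2"; end="$3"; table="$4"
    for d in "$start" "$end"; do
        valid_sdm_date "$d" || { echo "bad date '$d'; want mm/dd/yyyy hh24:mi:ss" >&2; return 1; }
    done
    [ "$(sdm_date_key "$start")" -lt "$(sdm_date_key "$end")" ] ||
        { echo "startDate $start is not before endDate $end" >&2; return 1; }
    echo "-action $action -startDate $start -endDate $end -tableName $table -connectFile $CONNECT_FILE"
}

# Example: run_sdm_range importData "09/25/2007 00:00:00" "09/26/2007 00:00:00" EVENTS
# $args is split on purpose: the guide passes each date as two words (date, then time).
run_sdm_range() {
    args=$(sdm_range_args "$@") || return 1
    $SDM $args
}
```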
    

13.3.11 Viewing Sentinel Database Space Usage

In tablespace management, the command line option allows you to view Sentinel database space usage.

The dbstats action displays the Sentinel database usage for all Sentinel tablespaces in Oracle and Sentinel file groups in MS SQL.

This command uses the following flags:

Table 13-9 Viewing Sentinel Database Space Usage Flags

  Command        Command Flags
  -action        dbstats
  -connectFile   <filePath>

To view Sentinel Database Space Usage (Command Line):

  1. Execute the following command:

    -action dbStats -connectFile <filePath>
    

    The following example displays the tablespaces of the Sentinel database with their total space, used space, and available free space.

    ./sdm -action dbStats -connectFile sdm.connect