The SDM command line functions can be used instead of the GUI. The command line can be used to create a batch file or cron job for SDM operations, but Novell recommends using auto-archiving instead. Auto-archiving can be configured in the SDM GUI.
The first step to using the SDM command line is to create a file that stores the connection properties for the database. The general form of every command is:
[path to SDM] -action [actionname] [action-specific flags] [path to database connection file]
The specific flags for each action are described below.
startGui (default): -action startGui [-connectFile <filePath>]
The saveConnection command saves the database connection details to a specified file. These connection details are necessary for all other SDM command line operations.
If you run the SDM GUI with the option to save the connection selected, the saveConnection command is not necessary. You can use the sdm.connect file located in <install_directory>/sdm.
The saveConnection command uses the following flags:
Table 13-2 saveConnection command Flags
The application saves all the above connection details along with the encrypted password to the sdm.connect file. All other SDM command line commands refer to the specified file. This step should be completed the first time you use the SDM command line on a machine and every time you want to change the connection details the application uses.
To run saveConnection:
Execute the command as follows:
-action saveConnection -server <postgresql> -host <hostIpaddress/hostName> -port <portnum> -database <databaseName/SID> [-driverProps <propertiesFile>] {-user <dbUser> -password <dbPass> | -winAuth} -connectFile <filenameToSaveConnection>
The following example saves the connection details for a host with an IP address of 10.0.0.1 at port 5432.
PostgreSQL Example:
-action saveConnection -server postgresql -host 10.0.0.1 -port 5432 -database SIEM -user dbauser -password xxxxxx -connectFile sdm.connect
This saves the connection details to the sdm.connect file. The rest of the commands take this file name as input to connect to the designated database and to perform their actions.
The addPartitions action adds the required number of partitions to the following tables according to the partition configuration settings:
PostgreSQL:
EVENTS
AUDIT_RECORD
CORRELATED_EVENTS
EVT_DEST_EVT_NAME_SMRY_1
EVT_DEST_SMRY_1
EVT_DEST_TXNMY_SMRY_1
EVT_PORT_SMRY_1
EVT_SEV_SMRY_1
EVT_SRC_SMRY_1
NOTE: Partitions are added to the database for both events and correlated events if you select either of these two tables. Partitions are added for all the summary tables if you select any one of them.
If you have configured the database to have 10 days' worth of partitions, every time you run addPartitions it checks whether you have 10 days of partitions available. If you have enough partitions for the next 10 days, it does nothing. If not, it adds the required number of partitions.
This action uses the following flags:
Table 13-3 Adding Partition Flags

Command | Command Flags
---|---
-action | addPartitions
-connectFile | <filePath>
-tableName | <table name>
-keepDays | <days to add>
To run addPartitions:
Execute this command as follows:
-action addPartitions -connectFile <filePath> -tableName <table name> -keepDays <days to add>
./sdm -action addPartitions -connectFile sdm.connect -tableName EVENTS -keepDays 10
The dropPartition action drops all partitions older than the number of days given by the keepDays flag from the following tables:
EVENTS
AUDIT_RECORDS
CORRELATED_EVENTS
EVT_DEST_EVT_NAME_SMRY_1
EVT_DEST_SMRY_1
EVT_DEST_TXNMY_SMRY_1
EVT_PORT_SMRY_1
EVT_SEV_SMRY_1
EVT_SRC_SMRY_1
To prevent unintentional loss of data, this action does not drop any partitions that are not archived. If you want to delete unarchived partitions, use the forceDelete flag.
WARNING: If -forceDelete is used, the deleted data cannot be recovered, so use this option with caution.
This action uses the following flags:
Table 13-4 Dropping Partition Flags
NOTE: Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in the group is specified by the -tableName parameter, the dropPartition operation is applied to all tables in that group.
To run dropPartition:
Execute this command as follows:
-action dropPartitions -keepDays <numberofDaysToKeep> -tableName <table name> [-forceDelete <true/false>] -connectFile <filePath>
The following example drops all partitions older than 30 days; because -forceDelete is false, only archived partitions are removed. All partitions that were skipped (not removed) because they have not been archived are listed when the operation completes.
PostgreSQL Example:
./sdm -action dropPartitions -keepDays 30 -tableName CORRELATED_EVENTS -forceDelete false -connectFile sdm.connect
The viewPartitions action displays the partition summary of the following supported tables:
EVENTS
AUDIT_RECORDS
CORRELATED_EVENTS
EVT_DEST_EVT_NAME_SMRY_1
EVT_DEST_SMRY_1
EVT_DEST_TXNMY_SMRY_1
EVT_PORT_SMRY_1
EVT_SEV_SMRY_1
EVT_SRC_SMRY_1
NOTE: You need to have the SDM installed in order to view the partition summary.
This command uses the following flags:
Table 13-5 Viewing Partition Summaries Flags

Command | Command Flags
---|---
-action | viewPartitions
-tableName | <table name>
-connectFile | <filePath>
To View Partition Summaries:
Execute this command as follows:
-action viewPartitions -tableName <table name> -connectFile <filePath>
The following example displays the list of partitions of the EVENTS table and the status of each partition.
./sdm -action viewPartitions -tableName EVENTS -connectFile sdm.connect
Run the archiveData action after you set your archive configuration (configured in the SDM GUI). This action archives the data from the given table name according to the archive configuration. It archives data from:
EVENTS
AUDIT_RECORDS
CORRELATED_EVENTS
EVT_DEST_EVT_NAME_SMRY_1
EVT_DEST_SMRY_1
EVT_DEST_TXNMY_SMRY_1
EVT_PORT_SMRY_1
EVT_SEV_SMRY_1
EVT_SRC_SMRY_1
NOTE: Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in the group is specified by the -tableName parameter, the archiveData operation is applied to all tables in that table group.
This command uses the following flags:
Table 13-6 Archiving Data Flags

Command | Command Flags
---|---
-action | archiveData
-connectFile | <filePath>
-tableName | <table name>
-keepDays | <numberOfDaysToKeep>
To run archiveData:
Execute this command as follows:
-action archiveData -connectFile <filePath> -tableName <table name> -keepDays <numberOfDaysToKeep>
The following example archives events and correlated events from the EVENTS and CORRELATED_EVENTS tables according to the value set during archive configuration.
./sdm -action archiveData -connectFile sdm.connect -tableName EVENTS -keepDays 30
The importData action imports data between the given dates into the Sentinel database so it can be used for historical reporting or other purposes. The data is imported into the following tables:
EVENTS
AUDIT_RECORDS
CORRELATED_EVENTS
EVT_DEST_EVT_NAME_SMRY_1
EVT_DEST_SMRY_1
EVT_DEST_TXNMY_SMRY_1
EVT_PORT_SMRY_1
EVT_SEV_SMRY_1
EVT_SRC_SMRY_1
NOTE: The tables are imported in Oracle with the same name they are archived with.
If the data has already been imported or there is no archived data found between the specified dates, the command returns a notification.
The application imports data from each file into a table and builds the historical view on all the historical tables. The report view joins on the original table and historical view. All Sentinel reports use the report view, so they see any imported data.
This command uses the following flags:
Table 13-7 Importing Data Flags

Command | Command Flags
---|---
-action | importData
-tableName | <table name>
-startDate | <mm/dd/yyyy hh24:mi:ss>
-endDate | <mm/dd/yyyy hh24:mi:ss>
-connectFile | <filePath>
hh24 is hours represented in 24-hour format. For example, 1:15:00 p.m. is 13:15:00 and 3:00:00 a.m. is 03:00:00.
NOTE: The files to be imported must exist in the directory with their original file names.
Place all the files you want to import in a specific directory (that is, dirPath - <directory to import files from>) and execute the following command:
-action importData -startDate <mm/dd/yyyy hh24:mi:ss> -endDate <mm/dd/yyyy hh24:mi:ss> -tableName <table name> -connectFile <filePath>
The following example imports the archived files from the directory containing the data between 09/25/2007 00:00:00 (Sep 25 midnight) and 09/26/2007 00:00:00 (Sep 26 midnight).
./sdm -action importData -startDate 09/25/2007 00:00:00 -endDate 09/26/2007 00:00:00 -tableName Events -connectFile sdm.connect
The dropImported action deletes the imported data between the given dates from the following supported tables:
EVENTS
AUDIT_RECORDS
CORRELATED_EVENTS
EVT_DEST_EVT_NAME_SMRY_1
EVT_DEST_SMRY_1
EVT_DEST_TXNMY_SMRY_1
EVT_PORT_SMRY_1
EVT_SEV_SMRY_1
EVT_SRC_SMRY_1
NOTE: The tables are imported in Oracle with the same name they are archived with.
If there is no data imported between two specified dates, the command returns a notification.
This command uses the following flags:
Table 13-8 Deleting Imported Data Flags

Command | Command Flags
---|---
-action | dropImported
-startDate | <mm/dd/yyyy hh24:mi:ss>
-endDate | <mm/dd/yyyy hh24:mi:ss>
-tableName | <table name>
-connectFile | <filePath>

NOTE: hh24 is hours represented in 24-hour format. For example, 1:15:00 p.m. is 13:15:00 and 3:00:00 a.m. is 03:00:00.
To run dropImported:
Execute this command as follows:
-action dropImported -startDate <mm/dd/yyyy hh24:mi:ss> -endDate <mm/dd/yyyy hh24:mi:ss> -tableName <table name> -connectFile <filePath>
The following example deletes the imported data between the given dates from the tables.
./sdm -action dropImported -startDate 09/25/2007 00:00:00 -endDate 09/26/2007 00:00:00 -tableName Events -connectFile sdm.connect
In tablespace management, the command line option allows you to view Sentinel database space usage.
The dbstats action displays the Sentinel database usage for all Sentinel tablespaces in Oracle and Sentinel file groups in MS SQL.
This command uses the following flags:
Table 13-9 Viewing Sentinel Database Space Usage Flags

Command | Command Flags
---|---
-action | dbstats
-connectFile | <filePath>
To view Sentinel Database Space Usage (Command Line):
Execute the following command:
-action dbStats -connectFile <filePath>
The following example displays the tablespaces of the Sentinel database with their total space, used space, and free space available.
./sdm -action dbStats -connectFile sdm.connect
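The cron-job use mentioned at the top of this page, worked through as an added example (not part of the Sentinel documentation): a POSIX shell wrapper that runs addPartitions, archiveData and dropPartitions for the EVENTS group in that order with -forceDelete false, validates the <mm/dd/yyyy hh24:mi:ss> timestamps used by importData and dropImported, and refuses to run unless sdm.connect (which holds the encrypted password) is readable only by its owner. The binary path, the connect file location, the log file name and the use of a GNU/busybox stat(1) are assumptions.

```shell
#!/bin/sh
# Cron wrapper for the SDM command line (added example, not from the Sentinel
# documentation). Assumes ./sdm and the sdm.connect file written by
# "-action saveConnection" are in the working directory unless overridden.
SDM_BIN="${SDM_BIN:-./sdm}"
SDM_CONNECT="${SDM_CONNECT:-sdm.connect}"
SDM_LOG="${SDM_LOG:-sdm-maintenance.log}"

# Build one SDM command line; every action needs -connectFile, so it is
# appended here instead of by each caller.
sdm_cmd() {
    action="$1"; shift
    printf '%s -action %s %s -connectFile %s\n' "$SDM_BIN" "$action" "$*" "$SDM_CONNECT"
}

# Check an importData/dropImported timestamp against <mm/dd/yyyy hh24:mi:ss>
# before it is passed to the database. Returns 0 when well formed.
valid_sdm_datetime() {
    case "$1" in
        [0-1][0-9]/[0-3][0-9]/[0-9][0-9][0-9][0-9]\ [0-2][0-9]:[0-5][0-9]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# sdm.connect holds the (encrypted) database password: refuse to run if it is
# readable by group or others. Assumes a GNU/busybox stat(1).
connect_file_is_private() {
    mode=$(stat -c %a "$SDM_CONNECT" 2>/dev/null) || return 1
    case "$mode" in [0-7]00) return 0 ;; *) return 1 ;; esac
}

# Nightly sequence in the safe order: add partitions for the next $ahead days,
# archive, drop only archived partitions older than $keep days (-forceDelete
# false keeps unarchived data), then record the partition summary. Stops at
# the first failing step.
run_nightly() {
    ahead="${1:-10}"; keep="${2:-30}"
    connect_file_is_private || { echo "refusing: $SDM_CONNECT is not owner-only" >&2; return 2; }
    for step in "addPartitions -tableName EVENTS -keepDays $ahead" \
                "archiveData -tableName EVENTS -keepDays $keep" \
                "dropPartitions -tableName EVENTS -keepDays $keep -forceDelete false" \
                "viewPartitions -tableName EVENTS"; do
        set -- $step
        cmd=$(sdm_cmd "$@")
        echo "$(date '+%F %T') $cmd" >> "$SDM_LOG"
        $cmd >> "$SDM_LOG" 2>&1 || { echo "step failed: $cmd" >&2; return 1; }
    done
}
```

Schedule `run_nightly 10 30` from cron in the SDM directory; the log records each command line before its output, so a skipped unarchived partition or a failed step is visible the next morning.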