
RE: [ISSForum] Difference between LogDB and Display ???



There is a knowledge base article that explains these options.  Go to
iss.custhelp.com and search for Answer ID "2447".

"If you simply wanted events to show up on the console side but not get
written to the database, with WorkGroup Manager you could set the
Display response but NOT set the LogDB response in your policy.  Now with
SiteProtector, everything is database driven.  The events need to have
LogDB enabled (doesn't matter about Display) if you want the data to be
seen in the sensor analysis window.

When SiteProtector receives an event that does NOT include the Display
response, it puts it into the database in the SensorData table but marks
the "cleared" flag on that event so that it does not show up in the GUI.
The reason for doing this was backward compatibility with WorkGroup
Manager in cases where you had some signatures configured to go to
the database but not the console.  This also means you will not see the
alert in the SiteProtector console unless you have created a filtered
view which specifically includes the Cleared Count column. This
knowledge is not broadly known so most of the time the user just thinks
the event was not detected when in fact it is actually in the DB. All
policies by default have Display and LogDB/LogWithoutRaw checked whether
or not the decode is enabled.

In addition, with LogDB OFF and Display ON, you will be able to see
events using the upcoming SP4 Event Viewer, yet these events will not
clog up the database."


- Adrian
 
-----Original Message-----
From: issforum-bounces@xxxxxxxxxxxxxxxx On Behalf Of keshav anand
Sent: Tuesday, January 25, 2005 6:47 AM
To: issforum@xxxxxxxxxxxxxxxx
Subject: [ISSForum] Difference between LogDB and Display ???

Dear Members,

I can see multiple responses in signatures like email, LogDB, Display, snmp,
etc.

I have certain queries on the difference between LogDB and Display. I think
LogDB will log the events captured by event collector to the sql server
whereas Display option will only display it in sitepro console.

ISS support told me that whatever I see in Sensor Analysis tab in
console is being fetched from the database. If so, how do I see events
being configured to just display and not to log to database?

Then what's the difference between LogDB and Display?

In that case, how do I generate reports from database?

My Sitepro version is of Version 2.0 SP4. Has ISS changed the way of
logging events in this release? If so, why have they provided both
Display and LogDB in signature responses?




	
		
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.