Upgrading To Version 8 Problems - Overlaying of Custom Rulesets and Queries
|
Logged in as: Guest
|
|
Users viewing this topic:
none
|
|
Login  | |
|
Upgrading To Version 8 Problems - Overlaying of Custom ... - 28.Mar.2008 9:52:12 AM
|
|
|
Tmueller
Posts: 34
Score: 0
Joined: 4.Jan.2007
Status: offline
|
What is the status of email support issue CAS-54638?
I want to upgrade to version 8, but I am not going to until there is a new build or release that addresses the problems I had with the duplicate priority numbers and the problems caused by the version 8 overlay of rulesets over my customized rule sets and Events browser queries.
I had to uninstall 8 and reinstall 7 after the havoc caused.
Is this something I am just going to have to live with… Am I going to have to screen print out all my rules and eventsbrowser queries so that I can recreate each one separately after I upgrade to version 8 again. If I have to do this, I am going to start looking for a alternate solution to EventsManager. There are several out there.
I want to start taking advantage of the new functionality in version 8, but you all need to solve the problem associated with duplicate priority numbers and overlay of rulesets and events browser queries.
I don't see anyone reporting this problem. Has not other users customized their rules and queries? Can someone reply to this posting to tell me how they handled this problem?
< Message edited by Tmueller -- 28.Mar.2008 9:55:19 AM >
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 28.Mar.2008 10:02:21 AM
|
|
|
claidham
Posts: 8
Score: 0
Joined: 27.Aug.2007
Status: offline
|
I've been concerned about migrating to EM 8 for the reasons that you just posted - we have lots of custom rules and actions assigned, and I'm concerned that I'll need to do a dump of the database so I can pick out my changes before any upgrade.
Thankfully, my company has a policy against using Beta software, so we aren't racing into v8 yet (no Vista, no Longhorn - yet).
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 28.Mar.2008 3:43:36 PM
|
|
|
Zergster
Posts: 26
Score: 0
Joined: 4.Mar.2007
Status: offline
|
I upgraded to ESM8.1 Build 031608 this past Monday and just finished uninstalling it and restoring ESM 7.1.
- Email alerts stopped working for collected Windows events.
- Syslog completely failed.
- Default "View" in Events Browser showing "ALL" events makes it even slower. I thought for sure that GFI would address the slowness of switching Views/Queries in the events Browser, at least allowing you to cancel a pending request.
--
update: thanks support for assisting me to fix syslog.
< Message edited by Zergster -- 3.Apr.2008 4:21:15 PM >
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 31.Mar.2008 4:26:50 AM
|
|
|
Sven Berger
Posts: 184
Score: 0
Joined: 25.Feb.2008
Status: offline
|
Hi Zergster,
what do you mean with "Syslog completely failed". Was it not collecting Syslog events? Was it not processing those events? Was it not archiving those events? For other people searching this forum, it would be helpful to have a more detailed description and it also makes it easier for me to comment on this.
With regards to the Email Alerts that stopped working, we have a new(ish) option in the uninstallation of old builds that allows you to delete the configuration files. This might also be the root of the Syslog Problem.
Generally, with Email alerts stopping we would be looking at two options: either they weren't sent in the first place, or they did not arrive for various reasons. We can see in the Logs if an alert was sent or not. If there are errors on the SMTP transport level, we can usually see this as well. So I would suggest youo doouble check the Alerting configurations. Maybe something is not quite right there.
Next, has something changed in the way you deliver these Emails? Are they going through a SMTP Remote Domain on the local host or are you sending them directly to the Exchange Server? Are there SMTP Logs which would indicate where the "trail is getting cold"? What about the Anti-SPAM Filter? could that one be responsible for the Emails going lost?
Finally, I would not deny that when a new product is realeased, we sometimes find features that do not work in every environment as expected. This does not mean that we have a policy to release Alpha/Beta code and I would like you to consider the fact that most of our releases like MailArchiver 5, Faxmaker 14 or NSS8 (and even Eventsmanager 7) have been extremely smooth.
With regards to EVM 8 Defaulting to "All Events" as opposed to "Security Events", I will see what we can do about this. Just out of interest, how many Events do you have listed under "All Events"?
Claidham,
the new build of Eventsmanager 8 contains the following Fix: "Rules settings are not imported after upgrading from GFI EventsManager version 7.1". However, if you would like to copy your rule sets as an extra layer of protection, simply stop the EVM7 Service and copy the folder C:\Program Files\GFI\EventsManager 7\Data to a secure location. In there you find the file "selmcfg6.mdb" which holds ALL your configured rules. Depending on how much more customisation you have done, there might be some more files in the Data Folder which you would require. Finally, Eventsmanager 8 is no longer in BETA, the list of Fixes and new features in Evetnsmanager 8 can be viewed under http://forums.gfi.com/!!!!_Eventsmanager_8_Version_and_Build_Information/m_900760896/tm.htm.
Tmueller,
unfortunately I can not find a reference to this case in the forum. If the case was not in the public domain until now, I can not make it public based on a question in the forum. If the case originated in the forum, then I can post an update for the benefit of others. Can you contact your relevant technical Support Department? they might be able to help you on this particular case. Otherwise, if the customer whose case this was is reading this, he/she can obviously post an update as well.
Regarding your specific question, you shouldn't have to use print screen on every rule. Have a look at the selmcfg6.mdb file mentioned above. In there you find the table "RULES" in there you will notice that every Ruleset has a unique "profileID". The priority of every rule is unique WITHIN the ruleset in which it resides. With a little bit of "Access", you should be able to re-create the rule-sets much faster than using print screen.
Finally, this is obviously not an official procedure, but one that I would point out to you AFTER you have tried Build no. 20080318 and if problems persist, I would urge you to contact Technical Support.
I hope this post has adressed at least some issues raised in this thread so far.
< Message edited by Sven Berger -- 31.Mar.2008 5:18:26 AM >
_____________________________
Sven Berger
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 31.Mar.2008 9:27:54 AM
|
|
|
Zergster
Posts: 26
Score: 0
Joined: 4.Mar.2007
Status: offline
|
My syslog says it is processing events but it is not archiving them.
Date,Time,Miliseconds,Level,TID,Location,Function,Message
8-3-31,13:25:6,436,i,114,SyslogCollectorPlugin.dll,Initialize,Initializing syslog plugin.
8-3-31,13:25:7,514,i,10e0,SyslogCollectorPlugin.dll,ProcessData,Syslog process data.
8-3-31,13:25:7,514,i,10e0,SyslogCollectorPlugin.dll,ProcessData,Executing start server.
8-3-31,13:25:7,514,i,10e0,SyslogCollectorPlugin.dll,ProcessData,Syslog configuration loaded.
8-3-31,13:25:7,514,i,10e0,SyslogCollectorPlugin.dll,ProcessData,Starting syslog server.
8-3-31,13:25:8,123,i,738,SyslogCollectorPlugin.dll,SyslogServerThread,Initializing syslog collector; instance id is: ...
8-3-31,13:25:8,123,i,738,SyslogCollectorPlugin.dll,SyslogServerThread,Initializing and starting server
8-3-31,13:25:8,733,i,738,SyslogCollectorPlugin.dll,SyslogServerThread,Settings changes detected ... recreating logic processor ...
8-3-31,13:25:8,733,e,738,SyslogCollectorPlugin.dll,SyslogServerThread,Unexpected exception: Unable to cast object of type 'System.UInt64' to type 'LogicProcessorDP.CreateLogicProcessorResults'.
8-3-31,13:25:13,764,i,738,SyslogCollectorPlugin.dll,SyslogServerThread,Settings changes detected ... recreating logic processor ...
8-3-31,13:25:13,764,e,738,SyslogCollectorPlugin.dll,SyslogServerThread,Unexpected exception: Unable to cast object of type 'System.UInt64' to type 'LogicProcessorDP.CreateLogicProcessorResults'.
8-3-31,13:25:18,764,i,738,SyslogCollectorPlugin.dll,SyslogServerThread,Settings changes detected ... recreating logic processor ...
8-3-31,13:25:18,764,e,738,SyslogCollectorPlugin.dll,SyslogServerThread,Unexpected exception: Unable to cast object of type 'System.UInt64' to type 'LogicProcessorDP.CreateLogicProcessorResults'.
8-3-31,13:25:23,764,i,738,SyslogCollectorPlugin.dll,SyslogServerThread,Settings changes detected ... recreating logic processor ...
8-3-31,13:25:23,764,e,738,SyslogCollectorPlugin.dll,SyslogServerThread,Unexpected exception: Unable to cast object of type 'System.UInt64' to type 'LogicProcessorDP.CreateLogicProcessorResults'.
8-3-31,13:25:28,780,i,738,SyslogCollectorPlugin.dll,SyslogServerThread,Settings changes detected ... recreating logic processor ...
8-3-31,13:25:28,780,e,738,SyslogCollectorPlugin.dll,SyslogServerThread,Unexpected exception: Unable to cast object of type 'System.UInt64' to type 'LogicProcessorDP.CreateLogicProcessorResults'.
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 31.Mar.2008 10:21:25 AM
|
|
|
Sven Berger
Posts: 184
Score: 0
Joined: 25.Feb.2008
Status: offline
|
quote:
8-3-31,13:25:8,733,e,738,SyslogCollectorPlugin.dll,SyslogServerThread,Unexpected exception: Unable to cast object of type 'System.UInt64' to type 'LogicProcessorDP.CreateLogicProcessorResults'
Hi Zergster,
We had this problem reported twice so far. I have opened a case for you with reference CAS-61043-CSN5.
Please reply to the Email that I sent you to the email-Adresse that you used to register.
Basically, the Logs show that Syslog Data is collected, but the code can not deal with the Data. I'm sure we can find a solution to this.
_____________________________
Sven Berger
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 31.Mar.2008 6:37:17 PM
|
|
|
Tmueller
Posts: 34
Score: 0
Joined: 4.Jan.2007
Status: offline
|
Please see the Posts I made on 2/19/2008. The original post was called "User Experience with EventsManager 8.0 Beta 1.
Mark Busuttil responded wtih the Case ticket 54638.
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 1.Apr.2008 7:08:46 AM
|
|
|
Sven Berger
Posts: 184
Score: 0
Joined: 25.Feb.2008
Status: offline
|
quote:
ORIGINAL: Zergster
- Default "View" in Events Browser showing "ALL" events makes it even slower. I thought for sure that GFI would address the slowness of switching Views/Queries in the events Browser, at least allowing you to cancel a pending request.
Hi Zergster,
when you open the Eventsbrowser, you can now right-click on "Security Events" and select "Move Up". "All Events" and "Security Events" will swap places and it will no longer default to "All Evetns" when you open the Eventsbrowser.
_____________________________
Sven Berger
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 14.Apr.2008 4:40:08 AM
|
|
|
Andy
Posts: 4
Score: 0
Joined: 14.Apr.2008
Status: offline
|
Hi All,
I'm quite new here in this forum. Hopefully somebody can guide me. I'm having problem importing my rulesets and other configurations from EM 7.1 to EM 8. Anybody has any idea or is it EM 8 is fully bugged? Thanks.
Regards,
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 14.Apr.2008 10:13:10 AM
|
|
|
Tmueller
Posts: 34
Score: 0
Joined: 4.Jan.2007
Status: offline
|
Andy - That is the whole point of why I made my original post. I had great difficulty in importing my rulesets also.
Finally, someone is confirming my problem publically!
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 15.Apr.2008 1:06:07 PM
|
|
|
Sven Berger
Posts: 184
Score: 0
Joined: 25.Feb.2008
Status: offline
|
Hi Tmueller,
my impression was that the case was closed at the time because you chose live with EVM 7.1 for the time being. After that we had no contact and the case was archived.
We can certainly re-open the case, and I will send you an email regarding the next steps. I will obviously try to reproduce the issue the way that you did, but we will almost certainly need to collect some files. Either way, I will send an email later today.
andy,
the behaviour that was described at the beginning of this thread is that when you upgrade from 7.1 to 8 and if you have some of your own rules created prior to the upgrade, the priorities of these rules will clash, and you end up with many duplicate priorities.
Is that the issue you are experiencing?
_____________________________
Sven Berger
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 20.Apr.2008 10:11:25 PM
|
|
|
Andy
Posts: 4
Score: 0
Joined: 14.Apr.2008
Status: offline
|
Hi Sven,
Thanks for trying to help "us" out here. It seems that upgrading to 7.1, I have no problems with
1. importing of my workstation list or any other list
2. importing of my queries/ruleset.
but once I installed 8.0, it seems everything went not the way I wanted it. I'm unable to import any of the above and would have to start from scratch in creating the above again in the new version. Hence, I have to resort to using Version 7 for the time being. Thanks.
Regards,
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 21.Apr.2008 3:09:21 AM
|
|
|
Sven Berger
Posts: 184
Score: 0
Joined: 25.Feb.2008
Status: offline
|
Hi Andy,
If you were using the first Eventsmanager 8 build, we did have some problems with importing old checks from it. However, this should have been fixed with Build number 20080318. You can find this build on http://kbase.gfi.com/showarticle.asp?id=KBID003321 and you can also view the change log compared to the previous (first) version of EVM 8.
Personally, I have tested this, created my own rules in EVM7.1 in two different processing rules. I then renamed one processing rule (so that the EVM8 installation would not overwrite my own custom ones), and did the upgrade. Both Rulesets were correctly imported from my EVM 7.1 installtion.
When you uninstall EVM 7.1, it leaves the installation folder "Eventsmanager7" in the "Program Files\GFI" directory with all the configurationsettings. EVM 8 will attempt to make a clean install in a newly created "Eventsmanager8" directory. You must make sure that you install EVM8 into the EVM 7.1 directory and all the settings from the previous installation will be retained.
_____________________________
Sven Berger
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: Upgrading To Version 8 Problems - Overlaying of Cus... - 23.Apr.2008 8:10:54 AM
|
|
|
mfhjek0
Posts: 20
Score: 0
Joined: 14.Jun.2006
Status: offline
|
Let me add another unsatisfied customer on the version 8.1 upgrade and lost configuration settings. Problem CAS-62419-BDUR GFI:00103942 was opened on April 7th and am sitll waiting for some help from the "quaility metrics team" where my problem was forwarded. And this was on the new build, 20080318.
The infamous statement that "Build upgrades will retain your previous configuration settings...." was not true in my case. Also the "Import Configurations" feature apparently does not work when trying to import Ver 7.1.1 settings into Ver 8. No back level compatability, or recovery option, is poor programming. At least provide a migration tool....
Out of frustration I have asked for instructions to go back to Ver 7, but there has been no response for 2 days. I guess I could try it myself, but I can only imagine what havoc that may cause.
You can bet I am going to ask for an extension on my maintenance contract for however many weeks I am down and can't use Events Manager.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
Printable Version
