Wednesday, September 14, 2016

SwimLane/NITRO Python script Query for existing devices

import base64
import requests
import json
from requests import session
import getpass
#This script will add data sources into Nitro. It works with Windows and Linux devices and can easily be modified to add more types
#by changing the typeId in the script. There are over 500 typeIds though, so only add commonly used ones.
#Created by Gil Turner (Turner_Gil@bah.com)

#Gets the unique id of a device, looked up by its name
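def getDSid(dataName):
    """Return the ESM id of the THIRD_PARTY device named *dataName*.

    Calls devGetDeviceList with the module-level ``payloadID`` session header
    (defined after login, which is why this must only be called once the
    login step has run) and compares each device's ``name`` with *dataName*
    case-insensitively.

    Args:
        dataName: device / sub group name as the user typed it.

    Returns:
        The nested device id (``item["id"]["id"]``) of the matching device, or
        ``""`` when no device matches. If several devices share the name the
        last one in the list wins, as in the original. Callers must check for
        the empty result before using it as a parentId.

    Raises:
        requests.HTTPError: if the ESM answers with a non-2xx status.
    """
    params_json = json.dumps({"types": ["THIRD_PARTY"], "filterByRights": "false"})
    device_list_url = "https://ashbnitroesm.bah.com/rs/esm/devGetDeviceList"
    # NOTE(review): verify=False disables TLS certificate validation, so the
    # session token is handed to whatever host answers for this name. Point
    # verify= at the ESM's CA bundle instead of turning validation off.
    response = requests.post(device_list_url, data=params_json, headers=payloadID, verify=False)
    # Fail loudly on an HTTP error instead of trying to parse an error page as JSON.
    response.raise_for_status()
    wanted = dataName.lower()
    DSid = ""
    # The device list sits under the 'return' key; a missing or null list
    # means "no devices" rather than a crash while iterating None.
    for item in response.json().get('return') or []:
        name = item.get('name')
        if name is not None and name.lower() == wanted:
            # Device ids are nested: {"id": {"id": <number>}}
            DSid = (item.get('id') or {}).get('id', "")
    return DSid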

#username and password hard coded for now so its easier to test
username1 = ""
password1 = ""

#Later will have user login with their creds
username = input("Enter your username: ")
password = getpass.getpass("Enter your password: ")


Authoritize = 'Basic (' + str(base64.b64encode(bytearray(username + ":" + password, 'ascii')), 'ascii') + ')'
payload = {"Authorization": Authoritize}

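#Log in to Nitro with the Basic credentials and pull the sessionID out of the reply.
res = requests.post('https://ashbnitroesm.bah.com/rs/esm/login', headers=payload, verify=False)
# A rejected login (bad password, locked account, HTTP error) must stop here
# rather than surface later as a confusing "sessionID not found".
res.raise_for_status()
# The reply presumably carries <sessionID>value</sessionID>; the original
# parser skipped the text 'sessionID' plus one character (its closing '>')
# and read up to the next '<'. str.index does the same but raises ValueError
# naming the missing marker instead of the bare IndexError a malformed
# reply gave the char-by-char loop.
_marker = 'sessionID'
_start = res.text.index(_marker) + len(_marker) + 1
_end = res.text.index('<', _start)
# Named session_id rather than id so the builtin is not shadowed.
session_id = res.text[_start:_end]
#print(session_id)
payloadID = {"Authorization": "Session " + session_id}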

#Ask which kind of data source to add and which sub group it should live under.
dsType = input("Type either windows or linux for the type of device you want to add: ")
dsID = input("Enter either no or the name of the Sub group you want to input the data source. If no is typed, the data source will default to Receiver02:  ")
# 144117387099111424 is the id of the default parent (Receiver02, per the
# prompt above) in this ESM and is environment specific. Any other answer is
# looked up by name; getDSid returns "" when nothing matches.
idsID = 144117387099111424 if dsID == "no" else getDSid(dsID)

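#Data source templates keyed by the type name the user types. typeId 43 is
#Windows and 65 is Linux on this ESM; more types can be added to this table
#without touching the code below (dsGetDataSourceTypes lists the full set).
_DS_ADD_URL = 'https://ashbnitroesm.bah.com/rs/esm/dsAddDataSource'

_DS_TEMPLATES = {
    "windows": {
        "typeId": 43,
        "parameters": [{"key": "collector", "value": "npp"}, {"key": "elm_logging", "value": "no"}, {"key": "encrypt", "value": "F"}, {"key": "keepme", "value": ""}, {"key": "parsing", "value": "yes"}, {"key": "snmp_trap_id", "value": "0"}],
    },
    "linux": {
        "typeId": 65,
        "parameters": [{"key": "parsing", "value": "yes"}],
    },
}


def _add_data_source(type_id, parameters, parent_id):
    """Prompt for a name and IP address, then create the data source.

    Posts to dsAddDataSource with the module-level ``payloadID`` session
    header and prints the ESM's reply so the operator sees success or error
    text exactly as before.

    Args:
        type_id: ESM data source type id (43 Windows, 65 Linux).
        parameters: list of ``{"key": ..., "value": ...}`` dicts for the type.
        parent_id: id of the receiver or sub group the source is added under.

    Returns:
        The requests.Response from the ESM.
    """
    ds_name = input("Enter the name of the data source you want to create: ")
    ds_ip = input("Enter the ip address of the data source you want to create: ")
    # Key order matches the original payload so the JSON sent is unchanged.
    body = {"datasource": {
        "name": ds_name,
        "childEnabled": False,
        "childCount": 0,
        "childType": 1,
        "ipAddress": ds_ip,
        "url": "",
        "enabled": True,
        "idmId": 0,
        "parameters": parameters,
        "parentId": {"id": parent_id},
        "typeId": {"id": type_id},
        "zoneId": 0
    }}
    # NOTE(review): verify=False disables TLS certificate validation; the
    # session token goes to whatever host answers for this name. Point
    # verify= at the ESM's CA bundle instead.
    response = requests.post(_DS_ADD_URL, headers=payloadID, data=json.dumps(body), verify=False)
    print(response.text)
    return response


if dsType not in _DS_TEMPLATES:
    #Error message if an invalid type of data source is selected.
    print("Invalid type of data source. Please rerun the program and enter a valid data source type.")
elif not idsID:
    # getDSid returns "" when the sub group name was not found; posting that as
    # a parentId would hand the ESM an invalid parent, so stop with a clear message.
    print("Sub group " + repr(dsID) + " was not found. Please rerun the program and enter an existing sub group name.")
else:
    template = _DS_TEMPLATES[dsType]
    _add_data_source(template["typeId"], template["parameters"], idsID)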


SwimLane/NITRO Python Script (add devices)

import base64
import requests
import json
from requests import session
import getpass
#This script will add data sources into Nitro. It works with Windows and Linux devices and can easily be modified to add more types
#by changing the typeId in the script. There are over 500 typeIds though, so only add commonly used ones.
#Created by Gil Turner (Turner_Gil@bah.com)

#Gets the unique id of a device, looked up by its name
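def getDSid(dataName):
    """Return the ESM id of the THIRD_PARTY device named *dataName*.

    Calls devGetDeviceList with the module-level ``payloadID`` session header
    (defined after login, which is why this must only be called once the
    login step has run) and compares each device's ``name`` with *dataName*
    case-insensitively.

    Args:
        dataName: device / sub group name as the user typed it.

    Returns:
        The nested device id (``item["id"]["id"]``) of the matching device, or
        ``""`` when no device matches. If several devices share the name the
        last one in the list wins, as in the original. Callers must check for
        the empty result before using it as a parentId.

    Raises:
        requests.HTTPError: if the ESM answers with a non-2xx status.
    """
    params_json = json.dumps({"types": ["THIRD_PARTY"], "filterByRights": "false"})
    device_list_url = "https://ashbnitroesm.bah.com/rs/esm/devGetDeviceList"
    # NOTE(review): verify=False disables TLS certificate validation, so the
    # session token is handed to whatever host answers for this name. Point
    # verify= at the ESM's CA bundle instead of turning validation off.
    response = requests.post(device_list_url, data=params_json, headers=payloadID, verify=False)
    # Fail loudly on an HTTP error instead of trying to parse an error page as JSON.
    response.raise_for_status()
    wanted = dataName.lower()
    DSid = ""
    # The device list sits under the 'return' key; a missing or null list
    # means "no devices" rather than a crash while iterating None.
    for item in response.json().get('return') or []:
        name = item.get('name')
        if name is not None and name.lower() == wanted:
            # Device ids are nested: {"id": {"id": <number>}}
            DSid = (item.get('id') or {}).get('id', "")
    return DSid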

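#Credentials are prompted for at run time. The unused username1/password1
#placeholders were dropped: this script is kept next to the hostname it logs
#in to, so hard-coding credentials here (even "for testing") is a leak risk.
username = input("Enter your username: ")
password = getpass.getpass("Enter your password: ")


#Build the header this ESM's login wants: "Basic (<base64 user:pass>)".
#The parentheses are not standard HTTP Basic; they are presumably what this
#ESM version expects, so they are kept as-is. The credential is encoded as
#ASCII, so a non-ASCII password raises UnicodeEncodeError here instead of
#being silently mangled.
Authoritize = 'Basic (' + base64.b64encode((username + ":" + password).encode('ascii')).decode('ascii') + ')'
payload = {"Authorization": Authoritize}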

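#Log in to Nitro with the Basic credentials and pull the sessionID out of the reply.
res = requests.post('https://ashbnitroesm.bah.com/rs/esm/login', headers=payload, verify=False)
# A rejected login (bad password, locked account, HTTP error) must stop here
# rather than surface later as a confusing "sessionID not found".
res.raise_for_status()
# The reply presumably carries <sessionID>value</sessionID>; the original
# parser skipped the text 'sessionID' plus one character (its closing '>')
# and read up to the next '<'. str.index does the same but raises ValueError
# naming the missing marker instead of the bare IndexError a malformed
# reply gave the char-by-char loop.
_marker = 'sessionID'
_start = res.text.index(_marker) + len(_marker) + 1
_end = res.text.index('<', _start)
# Named session_id rather than id so the builtin is not shadowed.
session_id = res.text[_start:_end]
#print(session_id)
payloadID = {"Authorization": "Session " + session_id}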

#Ask which kind of data source to add and which sub group it should live under.
dsType = input("Type either windows or linux for the type of device you want to add: ")
dsID = input("Enter either no or the name of the Sub group you want to input the data source. If no is typed, the data source will default to Receiver02:  ")
# 144117387099111424 is the id of the default parent (Receiver02, per the
# prompt above) in this ESM and is environment specific. Any other answer is
# looked up by name; getDSid returns "" when nothing matches.
idsID = 144117387099111424 if dsID == "no" else getDSid(dsID)

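#Data source templates keyed by the type name the user types. typeId 43 is
#Windows and 65 is Linux on this ESM; more types can be added to this table
#without touching the code below (dsGetDataSourceTypes lists the full set).
_DS_ADD_URL = 'https://ashbnitroesm.bah.com/rs/esm/dsAddDataSource'

_DS_TEMPLATES = {
    "windows": {
        "typeId": 43,
        "parameters": [{"key": "collector", "value": "npp"}, {"key": "elm_logging", "value": "no"}, {"key": "encrypt", "value": "F"}, {"key": "keepme", "value": ""}, {"key": "parsing", "value": "yes"}, {"key": "snmp_trap_id", "value": "0"}],
    },
    "linux": {
        "typeId": 65,
        "parameters": [{"key": "parsing", "value": "yes"}],
    },
}


def _add_data_source(type_id, parameters, parent_id):
    """Prompt for a name and IP address, then create the data source.

    Posts to dsAddDataSource with the module-level ``payloadID`` session
    header and prints the ESM's reply so the operator sees success or error
    text exactly as before.

    Args:
        type_id: ESM data source type id (43 Windows, 65 Linux).
        parameters: list of ``{"key": ..., "value": ...}`` dicts for the type.
        parent_id: id of the receiver or sub group the source is added under.

    Returns:
        The requests.Response from the ESM.
    """
    ds_name = input("Enter the name of the data source you want to create: ")
    ds_ip = input("Enter the ip address of the data source you want to create: ")
    # Key order matches the original payload so the JSON sent is unchanged.
    body = {"datasource": {
        "name": ds_name,
        "childEnabled": False,
        "childCount": 0,
        "childType": 1,
        "ipAddress": ds_ip,
        "url": "",
        "enabled": True,
        "idmId": 0,
        "parameters": parameters,
        "parentId": {"id": parent_id},
        "typeId": {"id": type_id},
        "zoneId": 0
    }}
    # NOTE(review): verify=False disables TLS certificate validation; the
    # session token goes to whatever host answers for this name. Point
    # verify= at the ESM's CA bundle instead.
    response = requests.post(_DS_ADD_URL, headers=payloadID, data=json.dumps(body), verify=False)
    print(response.text)
    return response


if dsType not in _DS_TEMPLATES:
    #Error message if an invalid type of data source is selected.
    print("Invalid type of data source. Please rerun the program and enter a valid data source type.")
elif not idsID:
    # getDSid returns "" when the sub group name was not found; posting that as
    # a parentId would hand the ESM an invalid parent, so stop with a clear message.
    print("Sub group " + repr(dsID) + " was not found. Please rerun the program and enter an existing sub group name.")
else:
    template = _DS_TEMPLATES[dsType]
    _add_data_source(template["typeId"], template["parameters"], idsID)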


NITRO (McAfee ESM) API

API commands available for version 9.5.2:

  <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- <esmCommandList xmlns="http://mcafee.com/siem/api/v3">
- <esmCommand name="alarmAcknowledgeTriggeredAlarm">
  <description>Mark a triggered alarm as acknowledged</description>
  </esmCommand>
- <esmCommand name="alarmDeleteTriggeredAlarm">
  <description>Delete a triggered alarm</description>
  </esmCommand>
- <esmCommand name="alarmGetTriggeredAlarms">
  <description>Retrieves a list of all alarms that have been triggered, if no user specified, the current user will be used.</description>
  </esmCommand>
- <esmCommand name="alarmGetTriggeredAlarmsPaged">
  <description>Retrieves a paged list of alarms that have been triggered, if no user specified, the current user will be used.</description>
  </esmCommand>
- <esmCommand name="alarmGetUnacknowledgedTriggeredAlarms">
  <description>Retrieves a list of alarms that have been triggered and have not been acknowledged</description>
  </esmCommand>
- <esmCommand name="alarmUnacknowledgeTriggeredAlarm">
  <description>Mark a triggered alarm as unacknowledged</description>
  </esmCommand>
- <esmCommand name="caseAddCase">
  <description>Add a case to the system.</description>
  </esmCommand>
- <esmCommand name="caseEditCase">
  <description>Edit an existing case.</description>
  </esmCommand>
- <esmCommand name="caseGetCaseDetail">
  <description>Get detail on an existing case.</description>
  </esmCommand>
- <esmCommand name="caseGetCaseList">
  <description>Get a list of cases from the system</description>
  </esmCommand>
- <esmCommand name="caseGetCaseStatusList">
  <description>Get a list of valid case statuses from the system</description>
  </esmCommand>
- <esmCommand name="devGetDeviceList">
  <description>Get a list of all devices defined in the system.</description>
  </esmCommand>
- <esmCommand name="dsAddDataSource">
  <description>Add a data source.</description>
  </esmCommand>
- <esmCommand name="dsAddDataSourceList">
  <description>Add a list of data sources.</description>
  </esmCommand>
- <esmCommand name="dsDeleteDataSource">
  <description>Delete a data source.</description>
  </esmCommand>
- <esmCommand name="dsEditDataSource">
  <description>Edit a data source's properties.</description>
  </esmCommand>
- <esmCommand name="dsGetDataSourceDetail">
  <description>Get the details for a specific data source.</description>
  </esmCommand>
- <esmCommand name="dsGetDataSourceList">
  <description>Get a list of defined data sources.</description>
  </esmCommand>
- <esmCommand name="dsGetDataSourceTypes">
  <description>Get all data source types.</description>
  </esmCommand>
- <esmCommand name="dsGetUserDefinedDataSources">
  <description>Get user defined data sources.</description>
  </esmCommand>
- <esmCommand name="dsSetUserDefinedDataSources">
  <description>Set user defined data sources.</description>
  </esmCommand>
- <esmCommand name="essmgtESSReboot">
  <description>Reboots the ESM Device</description>
  </esmCommand>
- <esmCommand name="essmgtESSRestart">
  <description>Restarts the services on the ESM Device</description>
  </esmCommand>
- <esmCommand name="essmgtGetESSTime">
  <description>Get the system time of the ESM Device</description>
  </esmCommand>
- <esmCommand name="geoGetGeoLocRegionList">
  <description>Get the top level geo locations</description>
  </esmCommand>
- <esmCommand name="geoGetGeoLocs">
  <description>Get geo locations within the given location</description>
  </esmCommand>
- <esmCommand name="getActiveResponseCollectors">
  <description>Get a list of Active Response Collectors</description>
  </esmCommand>
- <esmCommand name="getVersion">
  <description>Get the version information for this ESM</description>
  </esmCommand>
- <esmCommand name="grpGetDeviceTree">
  <description>Gets the basic device tree structure with only basic properties loaded. Each entry in the returned list is a root node in the tree.</description>
  </esmCommand>
- <esmCommand name="grpGetDeviceTreeEx">
  <description>This version of the call returns more detail per device than getDeviceList, wrapped in an esmDeviceList object.</description>
  </esmCommand>
- <esmCommand name="plcyGetPolicyList">
  <description>Get the list of all policies defined in the ESM.</description>
  </esmCommand>
- <esmCommand name="plcyGetVariableList">
  <description>Get all variables defined in the system</description>
  </esmCommand>
- <esmCommand name="qryClose">
  <description>Closes the query results, must be called after a query's results have been processed. If no exception is thrown, the close operation completed normally.</description>
  </esmCommand>
- <esmCommand name="qryExecuteDetail">
  <description>Execute a standard detail (non-grouped) query.</description>
  </esmCommand>
- <esmCommand name="qryExecuteGrouped">
  <description>Execute a grouped query on a field.</description>
  </esmCommand>
- <esmCommand name="qryGetCorrEventDataForID">
  <description>Get the source events and flows for a given correlated event ID</description>
  </esmCommand>
- <esmCommand name="qryGetFilterFields">
  <description>Get all fields that can be used in query filters, with type information for each field.</description>
  </esmCommand>
- <esmCommand name="qryGetResults">
  <description>Get the results for a query.</description>
  </esmCommand>
- <esmCommand name="qryGetSelectFields">
  <description>Get the fields available for selecting in queries. The groupType can be used to filter the fields to only ones that can be used to group results in a particular way. For example, if you want all fields that can be grouped to count the number of events per group, the groupType should be COUNT. If not provided, it is equivalent to passing NO_GROUP which returns all available select fields regardless of whether they can be used in grouped queries. This is useful for getting available fields for detail queries. (qryExecuteDetail)</description>
  </esmCommand>
- <esmCommand name="qryGetStatus">
  <description>Get the status for a query that has been executed.</description>
  </esmCommand>
- <esmCommand name="runActiveResponseSearch">
  <description>Execute an ActiveResponse search and return the results</description>
  </esmCommand>
- <esmCommand name="sysAddWatchlist">
  <description>Add a watchlist to the system.</description>
  </esmCommand>
- <esmCommand name="sysAddWatchlistValues">
  <description>Add values to a watchlist. This call is not supported for hidden watchlists, for example GTI.</description>
  </esmCommand>
- <esmCommand name="sysEditWatchlist">
  <description>Edit properties of a watchlist. (Watchlist Type will not be modified) This call is not supported for hidden watchlists, for example GTI.</description>
  </esmCommand>
- <esmCommand name="sysGetWatchlistDetails">
  <description>Get detailed information about a watchlist.</description>
  </esmCommand>
- <esmCommand name="sysGetWatchlistFields">
  <description>Get watchlist fields/types.</description>
  </esmCommand>
- <esmCommand name="sysGetWatchlists">
  <description>Return basic information on all watchlists in the system</description>
  </esmCommand>
- <esmCommand name="sysGetWatchlistValues">
  <description>Read the content of a watchlist value file. Note that the EsmFileData object will contain information on how many bytes were read, as well as the total size of the file. The size of the data returned may be less than count, depending on the amount of file data available. Note that the watchlist file property on EsmWatchlistDetails is used as a parameter to this call. The file will contain the values as they existed when the call to sysGetWatchlistDetails was made. If subsequent changes were made to the watchlist after getting the details, another EsmWatchlistDetails object should be obtained by calling sysGetWatchlistDetails before using its EsmWatchlistFile object to retrieve the updated list of watchlist values. This call is not supported for hidden watchlists, for example GTI.</description>
  </esmCommand>
- <esmCommand name="sysRemoveWatchlist">
  <description>Remove a watchlist from the system. This call is not supported for hidden watchlists, for example GTI.</description>
  </esmCommand>
- <esmCommand name="sysRemoveWatchlistValues">
  <description>Remove values from a watchlist. This call is not supported for hidden watchlists, for example GTI.</description>
  </esmCommand>
- <esmCommand name="userAddAccessGroup">
  <description>Add an access group</description>
  </esmCommand>
- <esmCommand name="userAddUser">
  <description>Add a user to the system.</description>
  </esmCommand>
- <esmCommand name="userDeleteAccessGroup">
  <description>Delete an access group.</description>
  </esmCommand>
- <esmCommand name="userDeleteUser">
  <description>Delete a user from the system.</description>
  </esmCommand>
- <esmCommand name="userEditAccessGroup">
  <description>Edit properties of an access group.</description>
  </esmCommand>
- <esmCommand name="userEditUser">
  <description>Used by the master user to update information about another user.</description>
  </esmCommand>
- <esmCommand name="userGetAccessGroupDetail">
  <description>Get extended information about an access group.</description>
  </esmCommand>
- <esmCommand name="userGetAccessGroupList">
  <description>Get all user access groups defined in the system.</description>
  </esmCommand>
- <esmCommand name="userGetRightsList">
  <description>Get all rights defined in the system.</description>
  </esmCommand>
- <esmCommand name="userGetTimeZones">
  <description>Get a list of timezones this system recognizes</description>
  </esmCommand>
- <esmCommand name="userGetUserList">
  <description>Get a list of all users.</description>
  </esmCommand>
- <esmCommand name="userGetUserRights">
  <description>Get all rights defined for the current user.</description>
  </esmCommand>
- <esmCommand name="userLogin">
  <description>Log into the SIEM with the given username and password.</description>
  </esmCommand>
- <esmCommand name="userLogout">
  <description>Log the user out of their SIEM session</description>
  </esmCommand>
- <esmCommand name="zoneAddSubZone">
  <description>Add a new subzone under a zone</description>
  </esmCommand>
- <esmCommand name="zoneAddZone">
  <description>Create a new zone.</description>
  </esmCommand>
- <esmCommand name="zoneDeleteSubZone">
  <description>Delete the sub zone</description>
  </esmCommand>
- <esmCommand name="zoneDeleteZone">
  <description>Delete the zone</description>
  </esmCommand>
- <esmCommand name="zoneEditSubZone">
  <description>Edit the given sub zone. Note that ID must be set to an existing sub zone for this to work properly. The ID value will be set if the zone was gotten from zoneGetSubZone().</description>
  </esmCommand>
- <esmCommand name="zoneEditZone">
  <description>Edit the given zone. Note that ID must be set to an existing zone for this to work properly. The ID value will be set if the zone was gotten from zoneGetZone().</description>
  </esmCommand>
- <esmCommand name="zoneGetSubZone">
  <description>Get detailed information on a sub zone</description>
  </esmCommand>
- <esmCommand name="zoneGetZone">
  <description>Get extended detail on a zone.</description>
  </esmCommand>
- <esmCommand name="zoneGetZoneTree">
  <description>Get the full tree of zones defined in the ESM.</description>
  </esmCommand>

  </esmCommandList>
NITRO (McAfee ESM) Commands

<<9_1_0McAfeeESMIUsersGuide.pdf>>



McAfee SIEM: CLI Reference

Commands

Restart ESM

# service cpservice stop

# service cpservice start

Restart APM

# /etc/init.d/apm stop

# /etc/init.d/apm start

# NitroStop --nod (no daemon)

# NitroStart --nod (no daemon)

View ESM DB Errors

tailf /usr/local/ess/data/NitroError.Log

less /usr/local/ess/data/NitroError.Log (Use ‘q’ to exit the text editor)

View Rebuild Status of DB Partitions (in addition to ESM System Properties page)

# /data_hd/usr/local/ess/data/watch -d 'ls -lia *X*'

Viewing Sort Files created by ESM (too large can create slowdowns)

# /data_hd/usr/local/ess/data/du -ch *SRT*

Retrieve APM Crash Logs Location

# /var/log/ice/crash.log

Retrieve Health Status on SIEM device

# cat /var/lib/HealthStatus.data (tac for newest first, cat for oldest first)

Gather appliance resource information

# grep Resource /var/log/messages

Check Event Receiver for Restart Events

cat /var/log/messages* | grep -i "starting ERC" (tac for newest first, cat for oldest first)

less /var/log/messages (type ‘q’ to exit the editor, “Shift + g” to get to the end of the file)

Check upgrade history

# cat /etc/upgrade.history (tac for newest first, cat for oldest first)

Zip Messages Log

# cd /var/log

# tar -czvf messages.tgz messages*

Checking RAID drives (from /opt/MegaRAID/MegaCli/)

#./MegaCli64 -ldinfo -l0 -a0

#./MegaCli64 -ldinfo -l1 -a0

#./MegaCli64 -pdlist -a0

Most helping CPU processes view

               # ps -ejH (shows processes and threads)

               # ps -C commandname (search like "ps | grep")

               # ps -auxf (most details)

               # ps -ax (all processes)

View the Build Version of the McAfee Software on the appliance

# cat /etc/buildstamp

View the build version of the Linux OS

# cat /proc/version

Check Disk Space – General

# df -h (to show space by drive) or du -h (to show space by folder)

Check if logs are being sent to a receiver

# tcpdump -nni eth1 host 10.x.x.x

Check multiple hosts

# tcpdump -nni eth1 '(host 10.x.x.x or host 10.y.y.y)'

Finding the largest file on a system

Use the du command to find out how much data is in each directory.

# du -hc --max-depth=1

This will return the base level directories with the size.

NOTE: it is best to start in the "/" directory.

The following command will limit the results to only the Gigabyte size directories:

#  du -hc --max-depth=1 | grep G

You can continue to use these commands as you drill down in the directories to find the directory that contains the largest amount of data.

Check the disk utilization

sar -d 1 10

Checks disk utilization every second over 10 seconds

TCP dump commands when you do not see the expected DBM data

#  ifconfig -a (determines which eth port DB traffic is being sent to)

#  tcpdump -s0 -ieth3 -wfile1.pcap host 1.2.3.4 and port 1433 (dump file will be called file1.pcap in the current directory)

Run the dump for 30, and then press CTRL+C to escape out. Check the file size and repeat.  Generally a few hundred MBs worth of files should be good if you see the expected DB traffic in the tcpdump.

To check for vlan tagging

#  tcpdump -s0 -ieth3 -wfile1.pcap vlan # host 10.x.x.x and port 1433 (optional to leave the tag number, for example 130, off if unknown).

#  tcpdump -s0 -nnvXi eth1 vlan # and host 172.x.x.x and port 1433 (with vlan tag and shows packet contents in list form)
#  tcpdump -A -nni eth1 host 10.182.101.20 -vvv (show packets in ASCII)

#  tcpdump -s0 -nnvXi eth1 -wfile3.pcap vlan # and host 172.x.x.x and port 1433   (with vlan tag and saves tcpdump to pcap file)

Find all Receiver database index files

# ls /var/log/data/inline/

Track Receiver database index progress

# tailf /var/log/data/inline/NitroError.Log

Restarting collectors / parsers on a Receiver

#  killall collectorsctl filterctl parsersctl

#  /etc/init.d/nitrodbserver restart

#  collectorsctl -- +laux

#  filterctl -- +laux

#  parsersctl -- +laux

Restarting WMI collector / parser only

# killall -9 wmin

# killall -9 wmip

Run checksum on install file

# sha1sum <filename>

Check DAS Virtual Drive Information from ESM or ELM

watch -d megacli -ldinfo -l0 -a0

“Ctrl + C” to exit

Check DAS Drive Status

megacli -pdlist -a0 | grep Firmware

Check the Controller, RAID, and Drive Status on ESM

Show the Controller:

                # tw_cli show

Show the Status of the RAID/Drives

                # tw_cli show c# (# shown using show command – c2 for ESM’s, c0 on 2250 Receivers and APM)

Show individual drive status

                # tw_cli info c2 p# (# drive number)

Show individual drive serial number

                # tw_cli info c2 p# serial (# drive number)

Check HA or Cluster Status on Receiver or ESM

# ha_status

# crm status

Check agent logs status on Receiver

# tailf /var/log/NPP_c.log

# tailf /var/log/NPP_p.log

Finding and viewing raw logs in stored text file on Receiver (example)

# tail -n 1000 /var/log/NPP_c.log | grep 10.198.12.73

Results: NPP_c[18094]: Got a connection from client IP addr: 10.198.12.73, id = 105

Find the ID of the host and use on the next command to find files to search

# ls /var/log/data/inline/thirdparty.logs/105/in/

# cat /var/log/data/inline/thirdparty.logs/105/in/data.20121115161524000

View ESM DB partitions

# !nsq (shortcut command which will launch the nsql command below – if in the correct directory)

# nsql /usr/local/ess/data/connect_esm.sql (To exit the nsql editor type ‘x’ or ‘exit’ and <enter>)

(Attached = Good, Detached = Call Support, Bad = Awaiting Rebuild)

                To view Event data

show partitions from alert

To view Flow data

show partitions from connection

To view Appliance Packet data

Show partitions from packet

View record counts in DB

# nsql /usr/local/ess/data/connect_esm.sql  (To exit the nsql editor type ‘x’ or ‘exit’ and <enter>)

                To view event data

select count(*) from alert

To view flow data

select count(*) from connection

To view Appliance Packet data

select count(*) from packet

View Event data on a receiver

# nsql /var/log/data/inline/connect.sql (Launch this command when ssh in to a receiver)

To view Event data

show partitions from event

To get the clutter off of the SSH session and your prompt back to the top of the screen (does not remove scroll back data on screen)

clear

Article for rekeying a SIEM Appliance

# cd /root/.ssh

# cat /etc/NitroGuard/factory-id_rsa.pub >authorized_keys2

Wiping Receiver Data Sources and log files

# rm /etc/NitroGuard/thirdparty.*.*

# rm /var/log/data/inline/thirdparty.logs/(1* thru 9*)

# rm /var/log/data/inline/thirdparty.logs/elm.logs/(1* thru 9*)

# rm /var/log/data/inline/thirdparty.logs/elm.logs/tmp/(1* thru 9*)

ESM Related

Quickest running filters – Very Important!!!!

There are combinations of filters that are specifically tuned to run more quickly.  These combinations have been defined by users who frequently use the filters for quickly drilling down to specific events.

    Signature ID + Event Subtype + Protocol

    Signature ID + Source IP

    Signature ID + Destination IP

    Source IP + Destination IP

Additional Enhancements since 8.x:

    Normalization ID + Source IP

    Normalization ID + Destination IP

    Normalization ID + Event Subtype

    Normalization ID + Protocol

    Normalization ID + Signature ID

    Source Zone + Destination Zone

Directory Related


ESM & Receiver Software File Location (for upgrades)

                         /usr/local/ess/SoftwareUpdates/

                         /usr/local/NitroGuard

ESM Software File Locations Archives

                         /usr/local/ess/update/archive/

ESM Default Backup Location

                         /db1/usr/local/ess/dbbackup/

ESM DB Blob & Index Location

                         /data_hd/usr/local/ess/data/

ESM Index HD Location (Most recent data)

                         /index_hd/usr/local/ess/data/

ESM Redundant File Copy Location (For Alert, Connection, and Log files)

                         /usr/local/ess/dbredund

Commands:
McAfee-ETM-6000 ~ # less /usr/local/ess/data/NitroError.Log
McAfee-ETM-6000 ~ # service cpservice stop
tailf /var/log/messages - Watch what's happening
Tcpdump -nni eth0 host <ipaddress of host you want to get a dump from> -vvv -w <path to write dump>
NitroTID - get database troubleshooting information

Indications that database needs to be rebuilt:
2014/04/09 21:43:01.429 Error 132 opening table with field Alert.ALERTTIM(partition 2406)(data count = 77427336, index count = 77427320) Index count does not match record count
Rebuild Database index:
McAfee-ETM-6000 ~ # cd /usr/local/ess/data
McAfee-ETM-6000 /usr/local/ess/data # mkdir copy_ngcp
McAfee-ETM-6000 /usr/local/ess/data # cp ngcp.cfg copy_ngcp
McAfee-ETM-6000 /usr/local/ess/data # cp ngcp.cfd copy_ngcp
McAfee-ETM-6000 /usr/local/ess/data # cd copy_ngcp/
McAfee-ETM-6000 /usr/local/ess/data/copy_ngcp # ls
ngcp.cfd  ngcp.cfg
McAfee-ETM-6000 /usr/local/ess/data/copy_ngcp # cd ../
McAfee-ETM-6000 /usr/local/ess/data # rm ngcp.cfg
McAfee-ETM-6000 /usr/local/ess/data # rm ngcp.cfd
McAfee-ETM-6000 /usr/local/ess/data # ls

Check Database:
McAfee-ETM-6000 ~ # service cpservice stop
Stopping ESS cpservice                                                                                                                                                                                  [  OK  ]
McAfee-ETM-6000 ~ # DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB327|CPDB126' -t '!Alert|!Connection|!Log|!Packet|!stringmap' -r
McAfee-ETM-6000 ~ # DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB327|CPDB126' -t -c                                            
Option at position 5 needs an argument : t
McAfee-ETM-6000 ~ # DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB327|CPDB126' -c
DBCheck -d '/usr/local/ess/data/ngcp.dfl' -p 'LOCDB327|CPDB126' -c   | grep Not

Check database health:
cd /usr/local/ess/data
DBCheck -d ngcp.dfl -c | grep not

Check Syslog for Raid errors:
cd /usr/local/ess/data
dmesg | grep RAID

Display Raid Status
cd /usr/local/ess/data
MegaCli64 -CfgDsply -aAll | grep fail   (or: | grep down)
Use grep for "downgraded" or "fail", which will indicate RAID issues