How to use simsar.jar to export SSIM events.

Article ID: 177195

Products

Security Information Manager

Issue/Introduction

I need information on how to use the CLI Archive Tool

Resolution

You can run simsar.jar from the /opt/Symantec/simserver/lib directory using the following command line options.

# java -jar simsar.jar -h

Symantec Security Events Archive v3.00.0304
Copyright (c) 2010 Symantec Corporation. All rights reserved.

Usage: java [Java options] -jar simsar.jar [options]

Command line options:
  -h                    Print this help message and exit.
  -V                    Be extra verbose; shows more information about actions
                        program is taking.
  -a  <archive>         Input archive folder (required).
  -o  <folder>          Specify where to place generated output archive.
  -i  <file>            Specify alternate indexed event fields file.
  -r  <file>            Redirect stdout to a file.
  -l  <limit>           Limit the maximum number of unique values for Top-N query (1,048,576)
  -m  <size>            Specify maximum output archive file (.sar) size in MB
                        Valid range: 1 to 2000, default = 250MB.
  -s                    Specify archive start time (format: MM/dd/yy HH:mm:ss z)
                        e.g. '09/13/06 19:18:00 PST'.
  -e                    Specify archive end time (format: MM/dd/yy HH:mm:ss z)
                        e.g. '09/14/06 12:24:05 PST'.
  -v <level>            Specify verbose level for events printed on stdout.
                          0 - raw event field only
                          1 - all event fields (default)
  -t                    Create event-time index (.edx) file(s).
  -E                    Enable event-time search.
  -c                    Specify comma separated values (csv) output.
  -S <separator>        Specify field separator for events printed on stdout.
                        For example:
                          "n"   - new line (default)
                          "t"   - tab
                          ","   - comma
                          ";"   - semicolon
                          "|"   - vertical bar
                          "|-|" - string separator
  -C <file>             Specify Columns (fields) for events printed on stdout.
                        If not specified then all fields are exported.
  -N <N>                Specify the number of events to export.
  -g <guids>            Specify a comma separated list of event guids to export.
  -G <filename>         Specify filename containing a list of guids to export.
  -n <field>            Specify Top-N field name.

  -f                    Specify boolean filter expression.

  -q                    Specify boolean search expression (query). Supported
                        operations:
                          logical: & and |
                          relational: <, <=, >, >=, =, !=, ~ (like),
                                      !~ (not-like)
                        Comparisons can be made against string or integer
                        literals only. All string literals must be put inside
                        double quotes ("). The 'null' literal is reserved
                        keyword that can be used to determine whether a value
                        is null.

Examples:
  Find and print events where the <machine> field contains 'test':
    java -jar simsar.jar -a /eventarchive/default/2008/02 -q 'machine ~ "test"'

  Export the first 100 events to a CSV file:
    java -jar simsar.jar -a /eventarchive -N 100 -c -S "," -r events.csv

  Create a new archive with events where destination_ip field is equal to
  192.168.1.1 and destination_port is equal to 80 or 8080:
    java -jar simsar.jar -a /eventarchive/default -o /tmp/archive -q 'destination_ip ="192.168.1.1" & (destination_port = 80 | destination_port = 8080)'

  Print raw event data of the events where destination_ip field is equal to
  192.168.1.1 and destination_port is less or equal to 1024:
    java -jar simsar.jar -a /eventarchive/default -q 'destination_ip ="192.168.1.1" & destination_port <= 1024' -v 0

Notes:
  For best performance use the following Java options:
    -server -Xmx512m -XX:+UseConcMarkSweepGC
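As an added example (not part of the Symantec article or of the simsar tool itself), the following Python evaluator implements the -q expression grammar listed in the help text above, so a filter can be checked against a few sample events before it is run over a large archive. The sample events are constructed, and two points are assumptions about simsar's semantics rather than documented behaviour: ~ (like) is treated as a case-insensitive substring match, and ordering or like comparisons against a null value never match.

```python
import re

# Token classes of the -q grammar: ( ), & and |, the relational operators, "strings", integers, null, field names
_TOKEN = re.compile(r'\s*(\(|\)|&|\||<=|>=|!=|!~|<|>|=|~|"[^"]*"|-?\d+|null\b|\w+)')

def compare(value, op, literal):  # one relational test, as -q applies it to a single field
    if op == "=": return value == literal
    if op == "!=": return value != literal
    if value is None or literal is None: return False  # assumption: order/like against null never matches
    if op in ("~", "!~"):  # assumption: 'like' is a case-insensitive substring test
        return (str(literal).lower() in str(value).lower()) == (op == "~")
    return {"<": value < literal, "<=": value <= literal, ">": value > literal, ">=": value >= literal}[op]  # ints expected

def compile_query(expr):  # parse one -q expression into a predicate over event dicts
    if not re.fullmatch(rf"(?:{_TOKEN.pattern})+\s*", expr): raise ValueError(f"cannot tokenize {expr!r}")
    toks, pos = _TOKEN.findall(expr), 0  # findall yields the captured token text
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def factor():  # '(' expr ')' | field op literal
        tok = take()
        if tok == "(":
            node = disjunction()
            if take() != ")": raise ValueError("missing ')'")
            return node
        field, op, lit = tok, take(), take()
        if op not in ("=", "!=", "~", "!~", "<", "<=", ">", ">="): raise ValueError(f"unknown operator {op!r}")
        if lit == "null": lit = None
        elif lit.startswith('"'): lit = lit[1:-1]
        elif re.fullmatch(r"-?\d+", lit): lit = int(lit)
        else: raise ValueError(f"bad literal {lit!r}: use a quoted string, an integer or null")
        return lambda ev: compare(ev.get(field), op, lit)
    def conjunction():  # factor ('&' factor)*
        parts = [factor()]
        while pos < len(toks) and toks[pos] == "&": take(); parts.append(factor())
        return lambda ev: all(p(ev) for p in parts)
    def disjunction():  # conjunction ('|' conjunction)*
        parts = [conjunction()]
        while pos < len(toks) and toks[pos] == "|": take(); parts.append(conjunction())
        return lambda ev: any(p(ev) for p in parts)
    try: pred = disjunction()
    except IndexError: raise ValueError("expression ends prematurely") from None
    if pos != len(toks): raise ValueError(f"unexpected trailing tokens {toks[pos:]}")
    return pred
def select(expr, events):  # guids of the events that -q would keep (what -o would write to the new archive)
    pred = compile_query(expr); return [ev["guid"] for ev in events if pred(ev)]
SAMPLE_EVENTS = [  # constructed sample events, not real SSIM data; numeric fields are ints
    {"guid": "e1", "machine": "test-web01", "destination_ip": "192.168.1.1", "destination_port": 80},
    {"guid": "e2", "machine": "db02", "destination_ip": "192.168.1.1", "destination_port": 8080},
    {"guid": "e3", "machine": "TESTBOX", "destination_ip": "10.0.0.5", "destination_port": 443},
    {"guid": "e4", "machine": "db03", "destination_ip": "192.168.1.1", "destination_port": None},
]
```

Running select() with the two -q strings from the help examples returns ["e1", "e3"] and ["e1", "e2"] for the sample events; an unquoted string literal or a stray token raises ValueError instead of silently matching nothing.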