Products | Versions |
---|---|
TIBCO LogLogic Security Event Manager | 2.7.0.1 |
- pre-correlation.rules.xml
- aggregation.rules.xml
- post-correlation.rules.xml
The XML files mentioned above are saved in this folder:
/home/exaprotect/conf/INSTANCENAME
When any of these rule types (pre-correlation, aggregation, or post-correlation) is modified and the change is saved, the server performs the following actions:
1. The active file is saved with a .old extension. The pre-existing .old file is deleted so that only one .old file exists.
2. The correlation or aggregation rules (with modifications) are saved in the XML file under the regular name with the .xml extension.
Example:
[root@exabench1 EXABENCH1]# ll *.xml*
-rw-r--r-- 1 exaprotect exaprotect 65106 Jul 27 11:34 aggregation.rules.xml
-rw-r--r-- 1 exaprotect exaprotect 65106 Jul 27 11:34 aggregation.rules.xml.old
If one aggregation rule is modified and the change is saved then the directory listing looks like this:
[root@exabench1 EXABENCH1]# ll *.xml*
-rw-r--r-- 1 exaprotect exaprotect 65240 Aug 2 16:41 aggregation.rules.xml
-rw-r--r-- 1 exaprotect exaprotect 65106 Jul 27 11:34 aggregation.rules.xml.old
If another aggregation rule is modified then the listing looks like this after the change is saved:
[root@exabench1 EXABENCH1]# ll *.xml*
-rw-r--r-- 1 exaprotect exaprotect 65288 Aug 2 16:45 aggregation.rules.xml
-rw-r--r-- 1 exaprotect exaprotect 65240 Aug 2 16:41 aggregation.rules.xml.old
As can be seen, the file with size 65240 is renamed with a .old extension, and the updated XML file keeps the regular name without the .old extension.
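Because only one .old generation survives each save, a rule version from two saves ago can no longer be recovered from the folder. The script below is an added example, not part of the original article or of the product: it copies every distinct version of the three rule files into an archive named by SHA-256 hash. The archive directory, the archive.log file and the function name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: keep every generation of the SEM rule files, because the
# server itself retains only one .old copy per file.
# Usage: archive_rules CONF_DIR ARCHIVE_DIR
#   CONF_DIR    instance folder, e.g. /home/exaprotect/conf/INSTANCENAME
#   ARCHIVE_DIR hypothetical location chosen by the administrator
# Requires sha256sum (GNU coreutils).

RULE_FILES="pre-correlation.rules.xml aggregation.rules.xml post-correlation.rules.xml"

archive_rules() {
    conf_dir=$1
    archive_dir=$2
    new=0
    mkdir -p "$archive_dir" || return 1
    for name in $RULE_FILES; do
        # Handle the .old copy first so archive.log stays in chronological order.
        for src in "$conf_dir/$name.old" "$conf_dir/$name"; do
            [ -f "$src" ] || continue
            sum=$(sha256sum "$src" | cut -d' ' -f1)
            dest="$archive_dir/$name.$sum"
            # Content-addressed name: identical content is never archived twice.
            [ -e "$dest" ] && continue
            cp -p "$src" "$dest" || return 1
            printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$sum" \
                >> "$archive_dir/archive.log"
            new=$((new + 1))
        done
    done
    # Print how many new versions were archived on this run.
    echo "$new"
}

# Run directly (for example from cron) when both directories are given.
if [ "$#" -eq 2 ]; then
    archive_rules "$1" "$2"
fi
```

Run it at an interval shorter than the expected time between two rule edits; a non-zero count in the output means a rule file changed since the previous run.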