Wednesday, June 2, 2010
Friday, April 23, 2010
Symantec SIM - High Availability - Restoring Incidents
The following is not supported by Symantec. Modify at your own risk:
In the event of a catastrophic failure of the primary SSIM correlation device, the incidents need to be restored on a secondary backup SSIM. A DB2 restore from the web console does restore the incidents, but if you then drill down into an incident to pull up additional information on specific events, it still references the event archive on the failed SSIM. The incidents need to reference the new archive on the secondary SSIM instead.
Events stored in /eventarchive are regularly backed up to an external storage device, and they are transferred to the secondary backup SSIM if the primary SSIM fails. The filenames stored in /eventarchive on the secondary are therefore identical to those on the primary.
To re-point the incidents to the new archive, a new unique archive ID needs to be generated, and the incidents need to point to the new archive ID. You cannot have two archives with the same ID even if they are on different correlation managers.
The incidents reference the event archive via a hex encoded value.
Issue the following query as db2admin:
$ db2 connect to sesa
$ db2 -x "SELECT SESA_GUID FROM symcmgmt.symc_imr_associated_event_view"
Example output:
638a:20100318103824:700001
The first item 638a before the colon references the unique archive ID. This needs to be changed to the new archive ID of the secondary backup SSIM.
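A small helper for the re-pointing step, added here as an example; it is not from the original post and not part of any Symantec tooling. It parses the `db2 -x` output, checks each value against the `archive:timestamp:event` layout the sample value shows (the field widths are an assumption based on that one value), and produces the old-to-new mapping for incidents on the failed archive while leaving incidents on other archives untouched. The sample output and the new archive ID `7f1c` are constructed placeholders. The post does not name the table behind the view, so writing the new values back is left to the admin once that table is identified.

```python
import re

# SESA_GUID layout as shown in the post: <archive id (hex)>:<yyyymmddHHMMSS>:<event reference (hex)>.
# Only one sample value appears in the post, so the field widths used here are an assumption.
GUID_RE = re.compile(r"^([0-9a-f]+):(\d{14}):([0-9a-f]+)$", re.IGNORECASE)

# Constructed sample of `db2 -x` output (not real data): two incidents referencing the failed
# archive 638a, one referencing a different archive that must stay untouched, and one garbage line.
SAMPLE_DB2_OUTPUT = """\
638a:20100318103824:700001
638a:20100318110502:700017
9c21:20100319090000:700020
not-a-guid
"""


def parse_guid(guid):
    """Split a SESA_GUID into (archive_id, timestamp, event_ref); None if it does not match the layout."""
    m = GUID_RE.match(guid.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2), m.group(3).lower()


def repoint_guid(guid, old_archive, new_archive):
    """Return the GUID with old_archive replaced by new_archive; GUIDs on other archives come back unchanged."""
    if not re.fullmatch(r"[0-9a-f]+", new_archive, re.IGNORECASE):
        raise ValueError(f"new archive id must be hex: {new_archive!r}")
    parts = parse_guid(guid)
    if parts is None:
        raise ValueError(f"unexpected SESA_GUID format: {guid!r}")
    archive, ts, event = parts
    if archive != old_archive.lower():
        return guid.strip()
    return f"{new_archive.lower()}:{ts}:{event}"


def plan_repoint(db2_output, old_archive, new_archive):
    """Classify every line of `db2 -x` output into changed (old, new) pairs, unchanged, and malformed."""
    plan = {"changed": [], "unchanged": [], "malformed": []}
    for line in db2_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if parse_guid(line) is None:
            plan["malformed"].append(line)
            continue
        new = repoint_guid(line, old_archive, new_archive)
        if new == line:
            plan["unchanged"].append(line)
        else:
            plan["changed"].append((line, new))
    return plan


if __name__ == "__main__":
    # 7f1c stands in for the new archive ID of the secondary SSIM (placeholder value).
    plan = plan_repoint(SAMPLE_DB2_OUTPUT, "638a", "7f1c")
    for old, new in plan["changed"]:
        print(f"{old} -> {new}")
    print(f"{len(plan['unchanged'])} unchanged, {len(plan['malformed'])} malformed")
```

Review the `malformed` list before applying anything: a value that does not match the layout means the assumption about field widths is wrong for that row, not that the row should be skipped.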
Thursday, April 22, 2010
Symantec Security Information Manager (SSIM) LDAP Mods
Symantec does not recommend customizing the LDAP tree, and doing so is not covered by Symantec's Technical Support contract.
However, there are a slew of things you can customize that are nice features I wish Symantec had included, for example automating updates to user lookup tables, auto-import of users, failover settings, etc. These attributes are all stored in the LDAP tree.
Mod at your own risk:
Port 636 (SSL)
Protocol LDAP v3
USERID=Administrator,ou=People,DC=[your_domain],O=SYMC_SES
LDAP Search using objectClass=* as a filter locally on the SSIM:
$ ldapsearch -h localhost -Z -K /etc/symantec/ses/key.kdb -b "o=symc_ses" -D 'USERID=Administrator,ou=People,DC=[your_domain],O=SYMC_SES' -w [admin_password] "objectClass=*"
JXplorer is a nice tool for browsing the SSIM LDAP tree. You may see some fields storing XML (for example symcMetaData for the user lookup tables). These fields need to be base64 encoded prior to setting the attribute.
Modifying look up tables for example:
ldapsearch -h localhost -Z -K /etc/symantec/ses/key.kdb -b "cn=Lookup Tables,cn=Rule Engine,cn=SIM,ou=Administration,dc=[DOMAIN],o=symc_ses" -D 'USERID=Administrator,ou=People,DC=[DOMAIN],O=SYMC_SES' -w [PASSWORD] "dlmCaption=[TABLE_NAME]"
This is the ldif I am importing:
dn: orderedCimKeys=Symc_Setting.SettingID\=[TABLE_NAME],cn=Lookup Tables,cn=Rule Engine,cn=SIM,ou=Administration,dc=[DOMAIN],o=symc_ses
changetype: modify
replace: cisProperty
cisProperty:: JXR5cGVzLHRleHQsdGV4dCx0ZXh0DQolbmFtZXMsIlVzZXJuYW1lIiwiRmlyc3RuYW1lIiwiTGFz
 dG5hbWUiDQoNCiJzcG9uZ2Vib2IiLCJzcG9uZ2Vib2JmaXJzdG5hbWUiLCJzcG9uZ2Vib2JsYXN0
 bmFtZSINCiJwYXRyaWNrIiwicGF0cmlja2ZpcnN0IiwicGF0cmlja2xhc3QiDQoicGF0cmljazIi
 LCJwYXRyaWNrZmlyc3QyIiwicGF0cmlja2xhc3QyIg0KInBhdHJpY2szIiwicGF0cmlja2ZpcnN0
 MyIsInBhdHJpY2tsYXN0MyI=
-
To get the resulting table:
%types,text,text,text
%names,"Username","Firstname","Lastname"

"spongebob","spongebobfirstname","spongeboblastname"
"patrick","patrickfirst","patricklast"
"patrick2","patrickfirst2","patricklast2"
"patrick3","patrickfirst3","patricklast3"
You also need to modify the LDAP attribute symcSequenceRevision with an updated timestamp. This timestamp is in Zulu time format. If you do not update it, the table will not be updated.
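Building the LDIF from plain table text, as an added example that is not from the post and not Symantec's code: it base64-encodes the table exactly as the post's cisProperty value decodes (CRLF line endings, no trailing newline), wraps the value into 76-character LDIF continuation lines the way the post's LDIF is laid out, and adds the symcSequenceRevision update to the same change record. Two assumptions: that "Zulu time" means LDAP generalized time, `YYYYMMDDhhmmssZ` in UTC, and that the symcSequenceRevision replace can sit in the same modify record as the cisProperty replace. The table name and domain are placeholder values.

```python
import base64
from datetime import datetime, timezone

# Constructed lookup-table text: the same content the post's cisProperty value decodes to,
# with CRLF line endings and no trailing newline, exactly as the stored value has them.
TABLE_CSV = (
    '%types,text,text,text\r\n'
    '%names,"Username","Firstname","Lastname"\r\n'
    '\r\n'
    '"spongebob","spongebobfirstname","spongeboblastname"\r\n'
    '"patrick","patrickfirst","patricklast"\r\n'
    '"patrick2","patrickfirst2","patricklast2"\r\n'
    '"patrick3","patrickfirst3","patricklast3"'
)


def encode_table(table_text):
    """Base64 of the table text, which is what the cisProperty attribute must hold."""
    return base64.b64encode(table_text.encode("utf-8")).decode("ascii")


def decode_table(value_b64):
    """Inverse of encode_table, for checking what an existing attribute contains."""
    return base64.b64decode(value_b64).decode("utf-8")


def base64_attribute(name, value_b64, width=76):
    """Emit `name:: value`, wrapping the value at `width` chars; continuation lines start with one space (RFC 2849)."""
    chunks = [value_b64[i:i + width] for i in range(0, len(value_b64), width)]
    return "\n".join([f"{name}:: {chunks[0]}"] + [" " + c for c in chunks[1:]])


def unfold_ldif(text):
    """Join LDIF continuation lines back onto their attribute line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def zulu_timestamp(now=None):
    """Assumption: 'Zulu time' means LDAP generalized time, YYYYMMDDhhmmssZ, in UTC."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d%H%M%SZ")


def build_lookup_table_ldif(table_name, domain, table_text, revision=None):
    """One modify record replacing cisProperty and bumping symcSequenceRevision for a lookup table."""
    dn = (f"orderedCimKeys=Symc_Setting.SettingID\\={table_name},cn=Lookup Tables,"
          f"cn=Rule Engine,cn=SIM,ou=Administration,dc={domain},o=symc_ses")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: cisProperty",
        base64_attribute("cisProperty", encode_table(table_text)),
        "-",
        "replace: symcSequenceRevision",  # assumption: same record as the cisProperty replace
        f"symcSequenceRevision: {revision or zulu_timestamp()}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # [TABLE_NAME] and [DOMAIN] from the post, filled with placeholder values.
    print(build_lookup_table_ldif("users", "example", TABLE_CSV))
```

Run `decode_table` on the value pulled back by the ldapsearch above before and after the modify: the before copy tells you the exact line-ending convention the appliance stored, and the after copy confirms the import landed unchanged.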