Environment
SM 6.0 SP2, SP3, SP4
SM 6.5
Situation
Resolution
To call the forensic.xml template from the database, you can use the following procedure.
- Log in to a server or workstation that has the Security Manager Control Center installed.
- Enable debugging on the Control Center by editing the following file:
%INSTALLPATH%\NetIQ Security Manager\Control Center\NQConsole.exe.config
- On line 24 of this file you will see this line:
<level value="INFO" />
Change: "INFO" To: "DEBUG"
- Save the NQConsole.exe.config.
- Open the Security Manager Control Center.
- In the Navigation pane, click on Forensic Analysis.
- Click on My Queries. Select a query in the center pane and edit it.
- Forensic.xml will be created in the following location on the User Interface Computer:
C:\Documents and Settings\%useraccount%\Local Settings\Application Data\NetIQ\Security Manager\Forensics.xml
- Copy Forensics.xml and rename it to CustomForensics.xml.
- Move CustomForensics.xml to the following location:
%INSTALLPATH%\NetIQ Security Manager\OnePoint\VSOC\config\
- Disable debugging on the Control Center by editing the following file:
%INSTALLPATH%\NetIQ Security Manager\Control Center\NQConsole.exe.config
- On line 24 of this file you will see this line:
<level value="DEBUG" />
Change: "DEBUG" To: "INFO"
- Save the NQConsole.exe.config.
You can now use CustomForensics.xml to set up forensic queries on a custom provider.
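The procedure above can be scripted so that debug logging is always switched back to INFO, even if a step in between fails. This PowerShell sketch is an added example, not NetIQ code. It assumes that `-InstallPath` is the value of %INSTALLPATH%, that %useraccount% is the current user's profile, and that exactly one `<level>` element in NQConsole.exe.config carries the value being changed.

```powershell
# Added example, not NetIQ code. Run from an elevated prompt on the Control Center computer.
param(
    [Parameter(Mandatory = $true)] [string] $InstallPath,   # stands in for %INSTALLPATH%
    # Location the article gives for the generated file (assumes the current user's profile).
    [string] $ForensicsXml = "$env:USERPROFILE\Local Settings\Application Data\NetIQ\Security Manager\Forensics.xml"
)

$config = Join-Path $InstallPath 'NetIQ Security Manager\Control Center\NQConsole.exe.config'
$target = Join-Path $InstallPath 'NetIQ Security Manager\OnePoint\VSOC\config\CustomForensics.xml'

function Set-ConsoleLogLevel {
    param([string] $Path, [string] $From, [string] $To)
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file layout as close to the original as possible
    $xml.Load($Path)
    # Match the element by content instead of relying on it being on line 24.
    $nodes = @($xml.SelectNodes("//level[@value='$From']"))
    if ($nodes.Count -ne 1) {
        throw "Expected exactly one <level value=""$From"" /> in $Path, found $($nodes.Count)."
    }
    $nodes[0].SetAttribute('value', $To)
    $xml.Save($Path)
}

Copy-Item $config "$config.bak" -Force       # backup in case the edit goes wrong
Set-ConsoleLogLevel -Path $config -From 'INFO' -To 'DEBUG'
try {
    # The GUI steps cannot be scripted; pause until the operator has done them.
    $null = Read-Host 'Open the Control Center, go to Forensic Analysis > My Queries, edit a query, then press Enter'
    if (-not (Test-Path $ForensicsXml)) {
        throw "Forensics.xml was not created at $ForensicsXml"
    }
    # Copy and rename in one step.
    Copy-Item $ForensicsXml $target
    Write-Output "Template copied to $target"
}
finally {
    # Always return logging to INFO so the console is not left in debug mode.
    Set-ConsoleLogLevel -Path $config -From 'DEBUG' -To 'INFO'
}
```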
Cause
The Forensics.xml file did not always reflect all updates under some upgrade and naming conditions and is no longer used. Because of this, forensic.xml is no longer created in SM 6.0 SP2. The report template information is now stored in and retrieved only from the OnePoint database to prevent any upgrade issues.