Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT System Database Access Guide
Chapter 2 Setting Up Database Access
Querying the Database
LIMIT 0, 25;
Keep in mind that all times in the database are in UTC. Although the CONVERT_TZ() function is allowed, it only provides results in UTC.
Note that some events have microsecond resolution associated with them. Use the CONCAT() and LPAD() functions to concatenate the UNIX timestamp and the microsecond increment. For example, the following statement queries the intrusion_event table:
SELECT CONCAT(FROM_UNIXTIME(event_time_sec), '.', LPAD(event_time_usec, 6, '0')),
       HEX(host_id),
       rule_message
FROM intrusion_event
LIMIT 0, 25;
To query the database for events with a particular UNIX timestamp, use the UNIX_TIMESTAMP() function.
Limiting Queries for Performance Reasons
Although the system limits the joins you can perform on Cisco database tables, it does still allow some expensive queries, that is, queries that may negatively impact the performance of your Defense Center. Therefore, you should try to limit the result set for large tables. Strategies include:
• constraining queries to a specific time range
• constraining queries by IP address
• using the LIMIT clause
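The following query is an added example, not one from the guide: it combines the CONCAT()/LPAD() microsecond formatting shown above with the time-range and LIMIT constraints recommended here, using UNIX_TIMESTAMP() to turn human-readable UTC boundaries into the epoch seconds stored in event_time_sec. The date range and column aliases are constructed for illustration; the table and column names are those the guide uses.

```sql
-- Added example (not from the guide). Assumes the intrusion_event columns
-- named above: event_time_sec, event_time_usec, host_id, rule_message.
-- All stored times are UTC, so the boundary literals below are UTC as well;
-- any conversion to local time has to happen in the client, because
-- CONVERT_TZ() only returns UTC on this database.
SELECT CONCAT(FROM_UNIXTIME(event_time_sec), '.',
              LPAD(event_time_usec, 6, '0')) AS event_time_utc,
       HEX(host_id)                          AS host_id_hex,
       rule_message
FROM intrusion_event
-- Constrain to one UTC day (constructed range) so the scan stays bounded
-- even on a table holding tens of millions of events.
WHERE event_time_sec >= UNIX_TIMESTAMP('2014-03-01 00:00:00')
  AND event_time_sec <  UNIX_TIMESTAMP('2014-03-02 00:00:00')
-- Ordering makes the LIMIT offset deterministic when paging through results.
ORDER BY event_time_sec, event_time_usec
LIMIT 0, 25;
```

To page further through the same range, keep the WHERE clause and advance only the LIMIT offset (25, 50, ...), so each page is a bounded query rather than a fresh full-table read.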
Depending on your deployment, querying many tables may require a limited result set. In particular, the following tables can contain up to 100 million events on a DC3000:
• fireamp_event
• intrusion_event
• intrusion_event_packet
• connection_log (pre-Version 5.0 name: rna_flow)
• connection_summary (pre-Version 5.0 name: rna_flow_summary)
Queries on network map tables may also be expensive, depending on the number of hosts the system has detected on your monitored network.
Query Tips
The following sections provide tips on ensuring unique results when you build queries that include detection engines or intrusion events.
Device Names
Device names are not necessarily unique across multiple Defense Centers. To ensure uniqueness, include a specific device UUID in your query.