Acknowledging events in Cascade Profiler via the command line

To check how many events have not been acknowledged via the command line, there’s an SQL query that can be run. You’ll need to login as the mazu user to your profiler and run the command.

psql mazu postgres -c “query goes here”

The field we’re looking for is called _ack_ and is in either of the events tables. The current events are _events.currentsummary and completed ones are _events.oldsummary.

To get the number of open, un-acknowledged events, the command is as follows:

psql mazu postgres -c “SELECT COUNT(*) FROM _events.currentsummary WHERE ack = false

This will return a number, if you want to get the items themselves, change COUNT(*) to just *.

You’ll probably get quite a few, here’s an example of a single line:

eid | type | ipaddr_a | ipaddr_b | macaddr_a | macaddr_b | start_time | end_time | severity | trap_sent | email_sent | alert_level | threshold_id | equivalence |

top_ports | top_apps | stealthy | ack | vscan_run | interface

——-+———-+————-+—————-+———-+——————-+————+————+———-+———-+————+————-+————-+————-+——————-

———————————————————————————————————+———-+———-+—-+———-+———-

475064 | 2 | 10.2.236.42 | 255.255.255.255 | | ff:ff:ff:ff:ff:ff | 1367989200 | 1367998421 | 100 | f | f | 3 | 3 | 3 | #cascade #Riverbed Cascade #Riverbed Profiler #scripting #Work