Acknowledging events in Cascade Profiler via the command line

To check how many events have not been acknowledged via the command line, there's an SQL query that can be run. You'll need to log in to your Profiler as the mazu user and run the command.

psql mazu postgres -c "query goes here"

The field we’re looking for is called ack and is in either of the events tables. The current events are events.current_summary and completed ones are events.old_summary.

To get the number of open, un-acknowledged events, the command is as follows:

psql mazu postgres -c "SELECT COUNT(*) FROM events.current_summary WHERE ack = false"

This returns a count; if you want the rows themselves, change COUNT(*) to just *.

You'll probably get quite a few; here's what a single row looks like (psql wraps the header to the terminal width, and the row shown here is cut off after the top_ports column):

 eid    | type | ipaddr_a    | ipaddr_b        | macaddr_a | macaddr_b         | start_time | end_time   | severity | trap_sent | email_sent | alert_level | threshold_id | equivalence | top_ports | top_apps | stealthy | ack | vscan_run | interface
--------+------+-------------+-----------------+-----------+-------------------+------------+------------+----------+-----------+------------+-------------+--------------+-------------+-----------+----------+----------+-----+-----------+-----------
 475064 | 2    | 10.2.236.42 | 255.255.255.255 |           | ff:ff:ff:ff:ff:ff | 1367989200 | 1367998421 | 100      | f         | f          | 3           | 3            | 3           | <portapp port='icmp/2048' app='' /><portapp port='icmp/0' app='' />

To limit the list to 10 rows, add " limit 10" (without the quotes) to the end of the query. For example:

psql mazu postgres -c "SELECT * FROM events.current_summary WHERE ack = false limit 10"

To clear (acknowledge) a single unacknowledged event, use the mazu-handler command with its eid (eid 3 in this case):

mazu-handler -c manager write ack_flag 3

Since you're here because there are a large number of these, it's much easier to do it automatically:

psql mazu postgres -t -c "SELECT eid FROM events.current_summary WHERE ack = false" | xargs -I {} mazu-handler -c manager write ack_flag {}

This queries the current events, returns only the eid (the -t option strips the header, footer and column formatting), and pipes the result into the mazu-handler command via xargs. Be sure to use a capital I as the flag given to xargs; it tells xargs to replace {} with each line read from the pipe. I initially thought it was a lower case L.
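A wrapper around the same psql and mazu-handler pipeline, added here as an example that is not from the original post or from Riverbed. It filters the psql -t output down to bare integer eids before anything is handed to the handler, prints the list it is about to acknowledge, and acknowledges exactly that captured list rather than re-running the query. ACK_CMD is an assumed hook so the loop can be exercised with a stub such as ACK_CMD=true.

```shell
#!/bin/sh
# Constructed example, not Riverbed's own tooling. Run as the mazu user on the
# Profiler, like the commands in the post. ACK_CMD is an assumed override so the
# loop can be tested with a stub; unset, it calls mazu-handler exactly as above.

# psql -t pads each row with spaces and ends with an empty line. Strip the
# padding and keep only lines that are a bare integer, so nothing else
# (blank lines, error text, header debris) ever reaches the handler.
filter_eids() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -E '^[0-9]+$'
}

# Acknowledge every eid read from stdin, one handler call per event.
# Prints how many were acknowledged and stops at the first failure so a
# broken handler does not silently skip the rest of the list.
ack_all() {
    cmd="${ACK_CMD:-mazu-handler -c manager write ack_flag}"
    n=0
    while IFS= read -r eid; do
        # $cmd is intentionally word-split; </dev/null keeps the handler from
        # consuming the remaining eids on our stdin.
        $cmd "$eid" </dev/null || { echo "ack failed for eid $eid" >&2; return 1; }
        n=$((n + 1))
    done
    echo "$n"
}

# Same query the post uses, unformatted (-t) so only the eids come back.
list_unacked_eids() {
    psql mazu postgres -t -c \
        "SELECT eid FROM events.current_summary WHERE ack = false" | filter_eids
}

# Show the list first, then acknowledge that same list.
ack_unacked_events() {
    eids=$(list_unacked_eids)
    [ -n "$eids" ] || { echo "nothing to acknowledge (or the query failed, see stderr)"; return 0; }
    printf '%s\n' "$eids"
    printf 'acknowledging %s event(s)\n' "$(printf '%s\n' "$eids" | wc -l)"
    printf '%s\n' "$eids" | ack_all
}
```

Source the file and call ack_unacked_events on the Profiler; to rehearse without touching anything, pipe a saved eid list through filter_eids | ack_all with ACK_CMD=true.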



#cascade #Riverbed Cascade #Riverbed Profiler #scripting #Work