sonar-set-ip-address

Batch-inserts or updates IP addresses and specified field values from input records in the asset IP database. Existing IP addresses are updated with values from input records; IP addresses that are not yet registered are created.

Command properties

ItemDescription
Command typeTransforming
Required permissionAdministrator
License usageN/A
Parallel executionNot supported
Distributed executionRuns on Control Node (reducer)

Syntax

sonar-set-ip-address fields=STR [batchsize=INT] [company=STR]

Options

fields=FIELDS
List of fields to be synchronized, separated by a comma with a following space. See the Input Fields below for a detailed description.
Input Fields
FieldNameTypeLengthDescription
site_guidSite GUIDString GUID of the site object
priorityPriorityString Priority level (low, medium, high)
category_nameDevice typeString255 char.Uncategorized if names are not matched
hostnameHost nameString255 char.Computer name or host name
workgroupWork groupString255 char.NT domain or work group
emp_keyAdmin(MAIN) employee keyString255 char.Input ignored if keys not matched
emp_key2Admin(SUB) employee keyString255 char.Input ignored if keys not matched
descriptionDescriptionString2000 char.
os_nameOSString50 char.
os_verOS versionString20 char.
macMAC addressString20 char.
locationInstall locationString255 char.
installedInstall dateDate
ext0Extended field #0String255 char.
ext1Extended field #1String255 char.
ext2Extended field #2String255 char.
ext3Extended field #3String255 char.
ext4Extended field #4String255 char.
ext5Extended field #5String255 char.
ext6Extended field #6String255 char.
ext7Extended field #7String255 char.
ext8Extended field #8String255 char.
ext9Extended field #9String255 char.
confidentialityConfidentialityString Confidentiality level (low, medium, high)
integrityIntegrityString Integrity level (low, medium, high)
availabilityAvailabilityString Availability level (low, medium, high)
  • category_name: The device type is labeled as 'Uncategorized' if the device type value from the input record does not match the device type value in the database.
  • emp_key, emp_key2: The input is ignored if the employee key value in the input record does not match the employee key value in the database.
  • priority and confidentiality, integrity, availability (CIA) fields are mutually exclusive:

    • When using priority, CIA fields cannot be used.

    • When using CIA fields, all three must be specified. Specifying only one or two will result in an error.

    • When CIA fields are used, priority is automatically calculated based on the following criteria:

      • Sum > 7 → High (3)
      • Sum > 4 → Medium (2)
      • Sum ≤ 4 → Low (1)
      Tip
      You can customize the IP asset database by applying global setting on sonar as follows:
      logpresso> sonar.setGlobalOption ip_custom_fields "0=Manufacturer,1=Model name"
batchsize=INT
Batch unit size for inserting IP addresses. Specify a value in the range 1–5,000. For large-scale IP synchronization, increasing the batch size reduces the number of transactions and improves performance. However, if an error occurs, the entire batch fails to synchronize. (Default: 1)
company=STR
GUID of the target company to insert asset IPs into. If not specified, the current session's company is used.
Note
The system account does not belong to any company. Queries running with system account privileges must explicitly specify the target company using this option.

Input fields

FieldTypeRequiredDescription
ipstring, ipaddrRequiredIP address. Both string and IP address types are accepted.
priorityintegerOptionalPriority level. 1 (Low), 2 (Medium), 3 (High)
category_namestringOptionalDevice category name. Treated as uncategorized if not found in the internal category list.
hostnamestringOptionalHost name (max 255 characters)
workgroupstringOptionalNT domain or workgroup (max 255 characters)
emp_keystringOptionalPrimary contact employee ID (max 255 characters). Ignored if not found in the employee table.
emp_key2stringOptionalSecondary contact employee ID (max 255 characters). Ignored if not found in the employee table.
descriptionstringOptionalNotes (max 2,000 characters)
os_namestringOptionalOperating system name (max 50 characters)
os_verstringOptionalOperating system version (max 20 characters)
macstringOptionalMAC address (max 20 characters)
locationstringOptionalInstallation location (max 255 characters)
installedtimestampOptionalInstallation date and time
site_guidstringOptionalSite GUID
ext0 ~ ext9stringOptionalExtended fields (max 255 characters each)

Output fields

FieldTypeDescription
_errorstringError detail. ip is null if the ip field is null; invalid ip if the IP format is invalid.

All fields from the input record are output unchanged. The _error field is added only for records where an error occurred.

Error codes

Parse errors
Error codeMessageDescription
300501IP 객체를 편집할 권한이 없습니다.The user does not have administrator permission.
300502sonar-set-ip-address의 company 옵션이 GUID 형식이 아닙니다.The company option value is not a valid GUID.
300503sonar-set-ip-address에 적용할 해당 GUID와 일치하는 회사를 찾을 수 없습니다.No company exists for the specified company GUID.
300504sonar-set-ip-address의 batchsize 옵션은 1~5000 범위의 값으로 지정해야 합니다.The batchsize value is outside the range 1–5,000 or is not an integer.
300505sonar-set-ip-address 명령어에 fields 옵션을 지정하십시오. ...The fields option is not specified.
300506[field]는 지원되지 않는 필드입니다.The fields option contains an unsupported field name.
300507[company] 옵션이 필요합니다.The command was run under a system account without the company option.
Runtime errors

N/A

Description

The sonar-set-ip-address command looks up the asset IP database using the ip field value in each input record. If the IP address is already registered, it updates the field values specified in the fields option. If the IP address is not yet registered, it creates a new entry.

The ip field is always required and is automatically included even if not specified separately in the fields option. If the ip field value is null or not a valid IP address, the synchronization for that record is skipped and the error detail is recorded in the _error field.

If a field specified in the fields option does not exist in the input record, that field's value is updated to null. Conversely, fields that exist in the input record but are not specified in the fields option are not synchronized.

When the batchsize option is used, records are collected in batches of the specified size and processed together. If an error occurs during batch processing, the _error field of all records in the same batch is populated with the error detail.

Tip
You can customize the extended fields (ext0–ext9) for asset IPs using the following Logpresso shell command under global Sonar settings:
logpresso> sonar.setGlobalOption ip_custom_fields "0=Manufacturer,1=Model"

Examples

  1. Synchronize asset IPs

    json "[{'ip': '192.0.2.1', 'hostname': 'web-01', 'os_name': 'Linux', 'priority': 2}, {'ip': '192.0.2.2', 'hostname': 'db-01', 'os_name': 'Linux', 'priority': 3}]"
| sonar-set-ip-address fields="hostname, os_name, priority"

    Synchronizes the values of hostname, os_name, and priority fields to the asset IP database.

    genian-nac-nodes
| rename nt_domain as workgroup, first_seen as installed, platform as os_name, nic_vendor as ext0, type as category_name
| eval priority = if(category_name != "PC", 2, 1)
| sonar-set-ip-address batchsize=10 fields="priority, category_name, hostname, workgroup, emp_key, emp_key2, description, os_name, os_ver, mac, location, installed, ext0"

  2. Sync IP assets using CIA fields

    The following example synchronizes IP asset information by specifying confidentiality, integrity, and availability (CIA) levels. When CIA fields are used, priority is automatically calculated.

    json "[{\"ip\": \"10.0.0.1\", \"confidentiality\": \"high\", \"integrity\": \"medium\", \"availability\": \"high\"}]"
| sonar-set-ip-address fields="confidentiality, integrity, availability"