XYGATE Merged Audit Reference Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

Table Of Contents

Cover
Copyright
Publication History
Contents
Quick Reference for Common Tasks
Introduction
- XMA Components
- Categorizing the PCI Requirements in XMA
- What’s New in this Release
- General Syntax Notation
- Additional XYPRO Reference Manuals
1. Installing XMA
- 1.1 Before You Begin
- 1.2 Installing XMA Using the Automated Install Script
- 1.3 Installing the SIEM Log Adapter
  - 1.3.1 ArcSight Adapter
  - 1.3.2 Installing the Adapters
- 1.4 Upgrading XMA or XTR Using the AutoInstall Script
  - 1.4.1 Running the AutoInstall Upgrade
- 1.5 Upgrade Considerations
  - 1.5.1 Database Conversion Using CNVRTIP
- 1.6 Uninstalling XMA or XTR Using the Auto Uninstall Script
  - 1.6.1 Preparing for the Auto Uninstall Script
  - 1.6.2 Installing the GUI/PC Products
- 1.7 Managing the XYGATE License
  - 1.7.1 Checking the Status of the Current License
- 1.8 Generate Reports Using XYGATE Report Manager (XRM)
2. Sending Data to Your ArcSight SIEM
- 2.1 What is a Log Adapter
- 2.2 Four Steps to Data Transmission
- 2.3 Step 1. Configure XMA to Collect the Desired Data
  - 2.3.1 Creating the Pathway
  - 2.3.2 Creating MOVERs
- 2.4 Step 2. Determine the Transport Method
  - 2.4.1 Testing Your SIEM connection
- 2.5 Step 3. Apply the Log Adapter to Your FILTERS File
- 2.6 Step 4. Start and Monitor Your MOVERs
- 2.7 Additional References
3. Configuring Filters and the FILTERS File
- 3.1 How to Edit the FILTERS File
- 3.2 Filter Syntax
  - 3.2.1 Logical ANDs and ORs
- 3.3 Building a Filter
- 3.4 Variable Substitution Processing in the FILTERS File
- 3.5 Node-Conditional Processing in the FILTERS File
  - 3.5.1 Node-Conditional Operators
- 3.6 Determine the TCP/IP Process for Email, IPALERT, SNMP Alerts
  - 3.6.1 Step 1. Submit a WHO command
  - 3.6.2 Step 2. Submit an INFO PROCESS
- 3.7 Sending XMA Data to an Audit Logging Appliance
4. Generating Reports Using XRM
- 4.1 Generating Audit Reports Using XMA_REPORT
- 4.2 Select the Audit Subvolume
- 4.3 Select by Date and/or Time Range
- 4.4 Select by Subject Userid
- 4.5 Select by Subject Login Name(s)
- 4.6 Select by System
- 4.7 Select by Subject Terminal
- 4.8 Select Subject by Object Type
- 4.9 Select by Object Name
- 4.10 Select by Operation
- 4.11 Select By Outcome
- 4.12 Select the Output File’s Location
- 4.13 Select the Report’s Sort Order
- 4.14 Select by Rule Name
- 4.15 Select by XYGATE Product Code
- 4.16 Select by ALERTED Column
- 4.17 Select by Text in the Result Column
- 4.18 Select by Message Code
- 4.19 Select by Message ID
- 4.20 Run the Report
- 4.21 Running Reports from Archived Tables
5. Using XMA_MANAGER
- 5.1 Introduction
- 5.2 The XYGATEMA Management Main Menu
- 5.3 The Pathway Management Menu
- 5.4 The Movers Management Menu
- 5.5 The Database Management Menu
- 5.6 The Uninstall Menu
- 5.7 XMA_MANAGER Navigation Hints
- 5.8 Running XMA_MANAGER as the XMA Owner
6. Configuring MOVERs
- 6.1 MOVER Types
- 6.2 Decisions to Make Before Adding Your MOVERs
  - 6.2.1 MOVER Serverclass Naming Conventions
  - 6.2.2 XMA_MANAGER Navigation Hints
- 6.3 How to Add MOVERs
  - 6.3.1 Auto Configure your MOVERs Using Discovery
  - 6.3.2 Creating Remote Catalogs
- 6.4 Built-in Serverclasses
- 6.5 BASE24 MOVERs
  - 6.5.1 BASE24 EMS Templates
- 6.6 HLR MOVERs
  - 6.6.1 Important Notices!
- 6.7 iTP Secure WebServer MOVERs
- 6.8 BASE24-eps MOVERs
- 6.9 MOVER Parameters
  - 6.9.1 MEASURE-Related Parameters
  - 6.9.2 TMF Related Parameters
- 6.10 Time Ranges
- 6.11 Troubleshooting MOVER Problems
7. Safeguard Selection Criteria
- 7.1 Safeguard OBJECTTYPEs
- 7.2 Safeguard OPERATIONs
- 7.3 Safeguard Message Codes
- 7.4 Safeguard MessageIDs
- 7.5 Safeguard EMS Error Messages
8. Maintaining the XMA Database
- 8.1 Remove Obsolete Records
- 8.2 Routine Database Maintenance
  - 8.2.1 Perform FUP Reloads
  - 8.2.2 Update Statistics
- 8.3 Resizing the Data Tables
  - 8.3.1 Default Table Sizes
  - 8.3.2 Sizing Methods
- 8.4 Partitioning the XMA Database
9. Troubleshooting
- 9.1 XMAHELP/XMA_HELP
- 9.2 Communication with an Audit Logging Appliance System
- 9.3 Audit Log Warehouse Data Parsing
A: The MACONF File
- A1: The MACONF File Keywords
- A2: Sample MACONF File
- A3: COLLECTOR
- A4: COMPANY_NAME
- A5: HOMETERM
- A6: MACRO_NAME
- A7: PATHMON_NAME
- A8: PERUSE_OBJECT
- A9: PRIORITY
B: Administrative Tables
- B1: XYGATE MOVER Configuration Tables
- B2: XYGATE MOVER State Tables
- B3: EMS MOVER Table =XMA__EMSMVTBL
- B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL
- B5: EMS MOVER State Table =XMA_EMSMVSTATETBL
- B6: MEASURE MOVER Tables
- B7: SAFEGUARD MOVER Table =XMA_SFGMVTBL
- B8: SAFEGUARD Parameter Table =XMA_SFGMVPARAMSTBL
- B9: SAFEGUARD MOVER State Tables
- B10: BASE24 MOVER Table
- B11: BASE24 Parameter Table
- B12: BASE24 State Tables
- B13: TCP/IP Syslog Tables
- B14: HLR MOVER TABLE
- B15: HLR Parameter Table
- B16: HLR State Tables
- B17: iTP Secure WebServer MOVER Table
- B18: iTP Secure WebServer State Table
- B19: ARCHIVE Tables
- B20: PARAMS Table
- B21: SESSIONOIP Table
C: Data Tables
- C1: File Partitioning
- C2: Audit Product Table =XMA_AUDPRODUCTTBL
- C3: Audit Installation Table =XMA_AUDINSTALLTBL
- C4: Audit Session Table =XMA_AUDSESSIONTBL
- C5: Audit Detail Table =XMA_AUDITDETAILTBL
D: Sample Filters
- D1: Filter out $CMON’s “I’m Alive” Messages
- D2: Filter out XPC STATUS Commands
- D3: Filter out Safeguard reading its own user database
- D4: Filter out Safeguard No Record
- D5: Filter out XOS No Record
- D6: Filter out XOS What-if tests
- D7: Alert for SUPER.SUPER’s password change via XPQ
- D8: Alert when someone logs directly on as SUPER.SUPER
- D9: Alert for XAC command containing "–255"
- D10: Selecting security-related BASE24 EMS events
- D11: Selecting CLIM events
E: XMA Host Macros
- E1: ADELMAC
- E2: ARCMAC
- E3: CLEANDB
- E4: EMSBUILD
- E5: PARSAMP
- E6: REMFIN
- E7: UPDSTAT
- E8: XMA_AUDIT_REPORT
- E9: XMA_COMPILE_FILTERS
- E10: XMA_DATETIME_MAKE
- E11: XMA_DBVOLUME
- E12: XMA_EDIT_FILTERS
- E13: XMA_FILTERS_CHECK
- E14: XMA_INSTALL_LICENSE
- E15: XMA_LOAD_DEFINES
- E16: XMA_NETWORK_FILTERS_CHECK
- E17: XMA_NETWORK_LICENSE_INSTALL
- E18: XMA_NETWORK_VERSION
- E19: XMA_PWCOLD
- E20: XMA_PWCOOL
- E21: XMA_PWSTOP
- E22: XMA_PWVOLUME
- E23: XMA_SQLCOMPALL
- E24: XMA_SYNTAX_CHECK
- E25: XMA_UPDATE_FILTERS
- E26: XMA_VERSION
- E27: XMA_VOLUME
F: TCLEXC
G: Data Mapping
- G1: General Notes on Data Mapping Columns
- G2: Column Descriptions
- G3: How to Use the Data Mapping Tables
- G4: BASE24 Data Mapping
- G5: BASE24-eps Data Mapping
- G6: HLR Data Mapping
- G7: EMS Data Mapping
- G8: iTP Secure WebServer Mapping
- G9: Measure Data Mapping
- G11: Safeguard Data Mapping
- G12: XYGATE Access Control (XAC) Data Mapping
- G13: XYGATE Supported CMON (XCM) Data Mapping
- G14: XYGATE Host Encryption (XHE) Data Mapping
- G15: XYGATE Key Management (XKM) Data Mapping
- G16: XYGATE Process Control (XPC) Data Mapping
- G17: XYGATE Password Quality (XPQ) Data Mapping
- G18: XYGATE Object Security (XOS) Data Mapping
- G19: XYGATE Safeguard Manager (XSM) Data Mapping
- G20: XYGATE Combined Spoolcom Peruse Data Mapping (XSP)
- G21: XYGATE Transaction Router (XTR) Data Mapping
- G22: XYGATE User Authentication (XUA) Data Mapping
- G23: XYGATE Compliance PRO (XSW) Data Mapping
- G24: Column Usage Table
Glossary
Index

XYGATE Merged Audit

Reference Manual

HP Part Number: 628976-007

Published: December 2013

Edition: J06.03 and subsequent J-series RVUs. H06.03 and subsequent J-series RVUs. G06.10 and subsequent G-series RVUs.

Summary of content (352 pages)

PAGE 1
® XYGATE Merged Audit Reference Manual HP Part Number: 628976-007 Published: December 2013 Edition: J06.03 and subsequent J-series RVUs. H06.03 and subsequent J-series RVUs. G06.10 and subsequent G-series RVUs.
PAGE 2
PAGE 3
© Copyright 2013 Hewlett-Packard Development Company, L.P Legal Notice Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
PAGE 4
Publication History Software Ver. Description Date 1.71 Reformatted for new template, re-arranged chapters and appendices. Aug. 2010 1.71 Updated formatting and added Acrobat bookmarks. Aug. 2010 1.71 Added XMI Installation procedures and re-arranged chapter 1. Oct. 2010 1.80 HLR MOVERs added, updates per QA; revise XMI for new Using XMI doc. May 2011 1.83 Added “Installing the SIEM Log Adapter”; added App A: “The MACONF File”; added App G2:”Column Descriptions”; Nov. 2011 1.
PAGE 5
CONTENTS Quick Reference for Common Tasks ................................................................. xiii Introduction ........................................................................................... xvii XMA Components....................................................................... xviii Categorizing the PCI Requirements in XMA ......................................... xix What’s New in this Release.............................................................
PAGE 6
XYGATE Merged Audit® Reference Manual Contents Chapter 3. 2.3 Step 1. Configure XMA to Collect the Desired Data ......................... 28 2.3.1 Creating the Pathway ............................................... 28 2.3.2 Creating MOVERs ..................................................... 28 2.4 Step 2. Determine the Transport Method..................................... 28 2.4.1 Testing Your SIEM connection ...................................... 29 2.5 Step 3.
PAGE 7
XYGATE Merged Audit® Reference Manual Contents 3.7 Chapter 4. Sending XMA Data to an Audit Logging Appliance ........................... 76 3.7.1 Configuring Filters to Implement a SIEM.......................... 77 3.7.2 Configuring Filters to Transmit Data via UDP .................... 78 3.7.3 Configuring the SYSLOGQ Filters................................... 79 3.7.4 Troubleshooting Communication with SIEM Appliances ........ 80 3.7.5 Parsing XMA SYSLOG Messages .....................................
PAGE 8
XYGATE Merged Audit® Reference Manual Contents Chapter 6. 5.6 The Uninstall Menu .............................................................106 5.7 XMA_MANAGER Navigation Hints ..............................................106 5.8 Running XMA_MANAGER as the XMA Owner .................................107 Configuring MOVERs .................................................................. 109 6.1 MOVER Types ....................................................................109 6.1.
PAGE 9
XYGATE Merged Audit® Reference Manual Contents 7.5 Chapter 8. Chapter 9. Safeguard EMS Error Messages.................................................143 Maintaining the XMA Database ..................................................... 145 8.1 Remove Obsolete Records .....................................................145 8.1.1 Selective Archive and Cleanup ....................................145 8.1.2 Archiving the XMA Database .......................................148 8.1.
PAGE 10
XYGATE Merged Audit® Reference Manual Contents Appendix B: Administrative Tables ................................................................ 167 B1: XYGATE MOVER Configuration Tables ........................................168 B2: XYGATE MOVER State Tables ..................................................169 B3: EMS MOVER Table =XMA__EMSMVTBL.........................................170 B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL ..................
PAGE 11
XYGATE Merged Audit® Reference Manual Contents D5: Filter out XOS No Record.......................................................195 D6: Filter out XOS What-if tests ...................................................196 D7: Alert for SUPER.SUPER’s password change via XPQ ........................197 D8: Alert when someone logs directly on as SUPER.SUPER ....................198 D9: Alert for XAC command containing "–255" ...................................
PAGE 12
XYGATE Merged Audit® Reference Manual Contents E27: XMA_VOLUME ....................................................................226 Appendix F: TCLEXC .................................................................................. 227 Appendix G: Data Mapping .......................................................................... 239 G1: General Notes on Data Mapping Columns ....................................240 G2: Column Descriptions .........................................................
PAGE 13
Quick Reference for Common Tasks Use the XMA macro to attach the XMA_SEG TACL segment that contains all the XMA macros. Refer to Appendix E: “XMA Host Macros” starting on page 203. Quick Reference for Common Tasks No. Type Task Steps 1. Pathway Is Pathway running Via TACL: status $ 2. Pathway Stop Select Pathway Menu option 3, page 100 or XMA_PWSTOP on page 221. 3. Pathway Cold Start Select Pathway Menu option 1, page 100 or XMA_PWCOLD on page 220. 4.
PAGE 14
XYGATE Merged Audit® Reference Manual Quick Reference for Common Tasks Quick Reference for Common Tasks No. Type Task Steps 11. MOVERs Start an individual MOVER Select Movers Menu option 5, page 101. 12. MOVERs Start all the MOVERs If your Pathway is not running, select Pathway Menu option 2, and then choose Y(es) for Start all MOVERs (page 100). If the Pathway is already running, you can stop and restart it. 13.
PAGE 15
XYGATE Merged Audit® Reference Manual Quick Reference for Common Tasks Quick Reference for Common Tasks No. Type Task Steps 24. SLSENDER Re-send events to the SIEM Select Database Menu option 13, page 104. 25. SLSENDER Remove obsolete events from the SYSLOG Queue Select Database Menu option 14, page 104. 26. SLSENDER Change number of copies running Select Movers Menu option 21, page 101. 27. Database FUP RELOAD the data tables Perform FUP Reloads, page 152. 28.
PAGE 16
XYGATE Merged Audit® Reference Manual Quick Reference for Common Tasks Quick Reference for Common Tasks No. Type Task Steps 38. Uninstall Completely remove an XMA installation Refer to section 1.6, “Uninstalling XMA or XTR Using the Auto Uninstall Script” on page 21. 39. Uninstall Remove XMA objects from a remote node Select Uninstall Menu option 1, page 106. 40. FILTERS Compile the FILTERS FILE and create MACONFB on all nodes Run XMA_COMPILE_FILTERS on page 212.
PAGE 17
Introduction XYGATE Merged Audit® (XMA) merges audit trails for all XYGATE products, EMS, SAFEGUARD, BASE24, HLR and iTP into a centrally located set of NonStop SQL tables. In addition, data is collected via MEASURE to provide information regarding process ancestry. The result is a single point-of-reference for investigating all ACTIONS performed by your user community, precisely who performed each ACTION, and where and when.
PAGE 18
XYGATE Merged Audit® Reference Manual Introduction • A flexible filtering mechanism allows you to watch for events you specify and take ACTION as soon as the specified event is detected. These ACTIONS include sending ALERTS to EMS, SYSLOG, via email, using the SMTP or performing custom processing you provide. • A filtering mechanism that allows you to selectively extract only those activities most pertinent to you. • Custom report writing capabilities.
PAGE 19
XYGATE Merged Audit® Reference Manual Introduction The data for all the nodes in your network will be consolidated into one central SQL database. There are also SQL tables used in the configuration and management of the MOVER. The MOVER Serverclass objects will “push” or “pull” the data to the central collection point.
PAGE 20
XYGATE Merged Audit® Reference Manual Introduction • PCI 8.2 is considered to reference user configuration; therefore, changes to User and Alias Records as well as user-related Safeguard Global parameters fall into this category. Changes to the values that control logons, etc., fall here. Actual logons and proof that IDs are frozen or timed out fall into other Requirements such as PCI 8.5.
PAGE 21
XYGATE Merged Audit® Reference Manual Introduction General Syntax Notation The following list summarizes the notation conventions for syntax presentation in this manual. UPPERCASE LETTERS. Uppercase letters indicate keywords and reserved words; enter these items exactly as shown. Items not enclosed in brackets are required. For example: MAXATTACH < > Angle Brackets. A pair of matching angle brackets indicate variable items that you supply but without the brackets.
PAGE 22
XYGATE Merged Audit® Reference Manual Introduction … Ellipsis. An ellipsis immediately following a pair of brackets or braces indicates that you can repeat the enclosed sequence of syntax items any number of times. For example: M [ , ]... [ - ] {0|1|2|3|4|5|6|7|8|9}... An ellipsis immediately following a single syntax item indicates that you can repeat that syntax item any number of times. For example: "s-char..." Punctuation.
PAGE 23
XYGATE Merged Audit® Reference Manual Introduction Additional XYPRO Reference Manuals A number of XYGATE Microsoft Windows clients can be used to report from the XMA database to monitor alerts from NonStop systems and to modify the configuration of host XYGATE modules. The reference manuals for the client components are part of the XYGATE Online Help (XOH) package. After installing XMA on the host system, find the IXOHEXE file, FTP it in binary mode to your PC workstation, and then rename it to XOHINST.
PAGE 24
XYGATE Merged Audit® Reference Manual Introduction XYPRO Technology Corporation xxiv Proprietary and Confidential
PAGE 25
Chapter 1. Installing XMA This chapter describes the installation procedure for the XYGATE Merged Audit (XMA) files using the AutoInstall script. Running the AutoInstall script is a guided installation with minimal SUPER command line input except where noted. 1.1 Before You Begin Ensure that you have the following information ready before you begin the installation procedures: • Administrator privileges for your PC. • The name of the TACL service. • SUPER.SUPER ID or an alias to SUPER.SUPER.
PAGE 26
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA 1.2.1 Preparing for the AutoInstall Script installation The AutoInstall script will perform the following tasks automatically: • Install the XYGATEMA product software. • Install the XYGATETR product software. • Configure the XYGATE XMA and XYGATE XTR environments using default values. • Create the XYGATEMA SQL catalog and associated SQL tables. • Create the XYGATEMA Pathway environment.
PAGE 27
XYGATE Merged Audit® Reference Manual Chapter 1.
PAGE 28
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA Config File Configuration Settings Default Values Assigned by AutoInstall Script or Locations TRCONF XTR option USER_SWITCH ON TRCONF XTR process priority 152 TRCONF XTR HOME_TERM (selected from available standard hometerms) $VHS $ZHOME $YMIOP.#CLCI TRCONF XTR PERUSE_OBJECT (selected from available PERUSE objects) $SYSTEM.SYSTEM.
PAGE 29
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA Config File Configuration Settings Default Values Assigned by AutoInstall Script or Locations FILTERS XMA rule file for setting Filter information to the Pathway servers $VOL.XYGATEMA PATHCTL Pathway run-time configuration file name $VOL.XMAPW PWLOG Pathway log file name $VOL.XMAPW 1.2.2 Using the AutoInstall Script Tool This section describes the specific formatting used to indicate installation prompts and user actions.
PAGE 30
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA You can end the script by pressing Ctrl+Y at any prompt. Stopping the script will end the install or upgrade prematurely. You can restart the script by re-running the IWIZARD program. It will attempt to restart at the point you ended. Example: Enter XMA volume <$VTOI>?EOF! $VTOI ZIMYXMA 6> 1.2.
PAGE 31
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA The installation begins by unpacking the self-extracting IXYBIN file containing the files and programs distributed in the DSV. Note that the three vertical dots inserted below indicate that output is omitted for brevity in this manual only. #FRAME #PUSH #INFORMAT #SET #INFORMAT TACL Copyright XYPRO TECHNOLOGY CORPORATION UNPAK'ing SELF EXTRACTING OBEY FILE ... UNPAK Complete. RUN IWIZARD to install. 1.2.
PAGE 32
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA SEL --1) 2) LOCATION ----------------$SYSTEM.XYGATEMA $DATA1.XYGATEMA VERSION ------1.70 1.54 5) $ARC.XYGATEMA 1.54 P) Prompt for new location Enter available selection: OWNER ----------------SUPER.SUPER XMA.OWNER XYPRO.
PAGE 33
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA If this is a new install, one of the following will be true:  no environments will be located or  no available environments will be located or  a new environment needs to be installed. If existing environments are located, select the P option to install a new environment. Enter available selection: P Referring to Table 1 values, enter a Volume name or accept the default volume displayed by the prompt.
PAGE 34
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA If this is a new install, you will be asked to identify the location for the SQL database. This SQL database must be located on a TMF Audited volume. Enter XMA database TMF Audited volume <$MYVOL>?  Enter XMA database subvol ?  Unpaking products: Unpaking XTRBIN ... Unpak of XTRBIN complete. Unpaking products complete. Installing products: Verifying the system catalog can be written to ...
PAGE 35
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA SUPER.SUPER, and RUN $MYVOL.IXYPROMA.LICENSE You may continue when this has been done. If you decide not to continue, the next time the wizard is run, it will continue here, where you last stopped. Are you ready to continue ? Do not answer the prompt yet. Start a separate TACL session using a SUPER logon, and perform the necessary licensing tasks as shown in the Example below. Example: TACL> RUN $MYVOL.IXYPROMA.LICENSE Licensing $MYVOL.
PAGE 36
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA If this is a new install, you will be asked to start the LISTNER process for connection from the PC/GUI products. Starting the LISTNER is not a requirement for the server portion of the XMA product. It may be started at anytime. If started now, it will bind itself to the port number you previously entered in the script.
PAGE 37
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA As of version 1.95, XMA accommodates IPV6 addresses. If you already have the ArcSight log adapter installed and upgrade XMA, you will also have to upgrade the log adapter by following the installation instructions below. 1.3.
PAGE 38
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA $SYSTEM.XYGATEMA 1> RUN LAF XYGATEMA Adapter Installer version 1.14. Checking owner, version, and installed filter ... Checks complete. Sel File Description --- -------- -----------------------------------------------------------------1 LAFARC ArcSight Log Adapter Filters - Version 1.02 Selection? 1 Enter SIEM Device IP address ? 10.1.1.x Enter TCP/IP process name <$ZTCP2>?  Pinging 10.1.1.x using $ZTCP2 ... Ping of 10.1.1.
PAGE 39
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA Syntax: TACL> VOLUME [$NEWVOL].IXYPROMA Example: TACL> VOLUME $MYVOL.IXYPROMA 2. Purge the old installation staging subvolume. If you know the location of the initial installation staging subvolume, PURGE all files to remove the old installation staging files. If you have selected a new location, you may skip this step. Syntax: $MYVOL IXYPROMA 3> FUP PURGE [$VOL].[NEWSVOL].* ! Example: $MYVOL IXYPROMA 3> FUP PURGE $MYVOL.IXYPROMA.* ! 3.
PAGE 40
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA 1.4.1 Running the AutoInstall Upgrade Access to SUPER.SUPER (or an alias to SUPER.SUPER) will be required during the upgrade to perform necessary licensing tasks in a separate TACL session. This requirement will be indicated by the AutoInstall script and is also documented in this procedure. Note: The AutoInstall script waits on a prompt while the user starts a separate TACL session when requested to perform specific actions.
PAGE 41
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA Enter available selection: 3 Updating config ... Config updated. The AutoInstall script will attempt to locate any already installed XTR environments and display these located environments as shown below. ------------------------------------------------------------------------------The XYGATE Transaction Router (XTR) is used to provide communication between XYGATE GUI products and their HP NonStop server counterparts.
PAGE 42
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA The AutoInstall script will attempt to verify the selected locations. Any old installation staging locations may have to be purged manually. Files already exist in the location where the XTR product unpacks to: $MYVOL.P46DSDST You must purge the files on this subvol before continuing. Are you ready to continue ? Do not answer the prompt yet. You may or may not receive the above prompt.
PAGE 43
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA Are you ready to continue ? Do not answer the prompt yet. Start a separate TACL session using a SUPER logon, and perform the necessary licensing tasks as shown in the Example below. Example: TACL> FUP LICENSE $MYVOL.P46DSDST.IADOPTN4 TACL> Logoff as the SUPER.SUPER or SUPER alias When you complete the licensing tasks, answer Y to the prompt to continue. Are you ready to continue ? Y Establishing product locations ...
PAGE 44
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA Licensing requirements are to be performed by a SUPER logon for XMA only: Example: TACL> RUN $MYVOL.XYGATEMA XMA INSTALL TACL> XMA_FINISH_INSTALL Licensing $MYVOL.XYGATEMA.SRLIB TACL> Logoff as the SUPER.SUPER or SUPER alias Licensing requirements are to be performed by a SUPER logon for XTR only: Example: TACL> RUN $MYVOL.XYGATETR XTR INSTALL TACL> XTR_FINISH_INSTALL Licensing $MYVOL.XYGATETR.ADOPT Licensing $MYVOL.XYGATETR.
PAGE 45
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA 1.5 Upgrade Considerations If you are upgrading XMA versions prior to 1.95, your Audit Session table will be updated during the XMA_MANAGER portion of the installation. A new column called IPADDRV46 will be added to the AUDSESS table to accommodate the longer IPV6 Format Addresses. Going forward, all IP addresses will be placed in this column.
PAGE 46
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA 1.6.1 Preparing for the Auto Uninstall Script The Auto Uninstall script will attempt to uninstall all modules that are running on the server as follows: • Uninstall the XYGATEMA installed product software. • Uninstall the XYGATETR installed product software. • Delete the XYGATEMA SQL catalog and associated SQL tables. • Stop the XYGATEMA Pathway environment. • Delete the XYGATEMA Pathway environment.
PAGE 47
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA This will remove ALL files from the following locations, even if the product was not recently installed or upgraded: XTR XTR XMA XMA XMA XMA Installed files Unpak'd files Installed files Tables Catalog Pathway files on on on on on on \N1.$MYVOL.XYGATETR \N1.$MYVOL.P46DSDST \N1.$MYVOL.XYGATEMA \N1.$MYVOL.XMADAT \N1.$MYVOL.XMACAT \N1.$MYVOL.
PAGE 48
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA 2. Upload each file listed below using any binary file transfer method (for example, FTP, IXF) from the following staging subvolume to the PC using the BINARY option. Rename the server files with the extension of .EXE. You can place these binary install files in any folder on the PC. $MYVOL.IXYPROMA.IXCFEXE $MYVOL.IXYPROMA.IXEMEXE $MYVOL.IXYPROMA.IXGIEXE $MYVOL.IXYPROMA.IXRGEXE $MYVOL.IXYPROMA.IXOHEXE 3. 1.7 as as as as as IXCF.EXE IXEM.
PAGE 49
XYGATE Merged Audit® Reference Manual Chapter 1. Installing XMA 1.8 Generate Reports Using XYGATE Report Manager (XRM) You can generate XMA audit reports on your PC using the XYGATE Report Manager (XRM). The complete reference for the XRM product is described in the XYGATE Configuration and Audit Reporting manual. (To get this and other XYPRO documents, refer to the section “Additional XYPRO Reference Manuals” in this manual.
PAGE 50
XYGATE Merged Audit® Reference Manual Chapter 1.
PAGE 51
Chapter 2. Sending Data to Your ArcSight SIEM This chapter describes the steps necessary to configure your XYGATE Merged Audit installation on the HP NonStop host to send data to the ArcSight® SIEM. Note: A corresponding set of parsing code must be installed on the ArcSight SIEM. Contact your ArcSight representative to verify that you have the correct parsing code. 2.
PAGE 52
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM 2.3 Step 1. Configure XMA to Collect the Desired Data Before data can be transmitted to your SIEM, XYGATE Merged Audit must be installed and configured to collect the desired data. 2.3.1 Creating the Pathway As part of the installation process, a pathway is created. The pathway runs serverclasses that perform housekeeping tasks, collect data, issue alerts and transmit data.
PAGE 53
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM 2.4.1 Testing Your SIEM connection Use the XMA_MANAGER to test your HP NonStop-to-SIEM connection. (Refer to chapter Chapter 5, “Using XMA_MANAGER.”) 1. Logon as the XMA owner in order to run XMA_MANAGER. 2. Load the XMA TACL segment, start the XMA_MANAGER and select option 2: Movers. 3. To use the IPALERT message, select option 16: Test basic Alerts in the Movers Management Menu. (Refer to section 5.
PAGE 54
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM 2.5 Step 3. Apply the Log Adapter to Your FILTERS File Once the IP address has been verified by performing a successful test transmission, the ArcSight Log Adapter, LAFARC, can be installed into the FILTERS file using the LAF macro. The file LAFARC resides in the XYGATEMA subvolume. Note: In the LAFARC file, the default transfer mechanism is UDP.
PAGE 55
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM 2.5.1 Running the LAF Macro This macro is run from the XYGATEMA subvolume. From the TACL prompt, enter LAF. You do not have to install the XMA segment prior to running the LAF macro. $PROD.XYGATEMA 1> RUN LAF XYGATEMA Adapter Installer version 1.14. Checking owner, version, and installed filter ... Checks complete.
PAGE 56
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM 2. For each Filter Definition below the !Begin until the !End line is encountered, make the following change: a. Locate the three lines of text shown below: ! ! b. ACTIONTYPE IPALERT ACTIONTYPE SYSLOGQ IPALERT_MSGDELIMITER CR Comment out the line: ACTIONTYPE IPALERT c.
PAGE 57
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM this purpose. These macros are the recommended way to manage your Pathway because they provide additional processing such as creating the PWSTATE table on shutdown and prompting for a startup date/time for the MOVERs at startup. 2.6.2 Starting the Pathway If the Pathway is not running, select option 1 at the Main Menu Selection? prompt (page 99) to display the Pathway Management Menu.
PAGE 58
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM Updating database configuration for all movers ... Command completed successfully Press Return to continue ... Your Pathway is now started. 2.6.3 Checking the Status of Your MOVERs To check the status of all the MOVERs, use the Pathway Management Menu, option 4: Quick Server Status (page 100).
PAGE 59
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM SERVER SFG-PROD-01 #RUNNING 1 ERROR INFO PROCESS STATE ERROR $X7S6 RUNNING Command completed successfully INFO #LINKS 0 WEIGHT 0 Getting status of mover from Database .. To modify any of the items below choose an option otherwise select R to continue : 1: X: R: Audit Trail target details Exit Run :N Selection ? r Audit file mask :\PROD.$AUDIT.SAFE.
PAGE 60
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM Checking EMS If the SLSENDER is unable to send data to the SIEM, a message will be sent to EMS as shown below. Sample EMS message 09:16 23OCT13 047,01,1177 XYPRO Product:XYGATEMA Msg#:223 Level:Critical Msg:Syslog Sender SLSENDER (\PROD.$X220) unable to send messages to host 127.1.1.
PAGE 61
XYGATE Merged Audit® Reference Manual Chapter 2. Sending Data to Your ArcSight SIEM skip 1, "Newest Unsent Record: ", newest; list all; Sample Output SYSLOGQ File Count and Oldest and Newest Unsent Records Date: 10/28/2013 Time: 11:42 AM Number of Unsent Records -----------------------17198 Unsent Record Date Range -----------------------Oldest Unsent Record: 2013-10-23:16:13:05.592435 Newest Unsent Record: 2013-10-23:16:17:25.878015 --- 1 row(s) selected. 2.
PAGE 62
XYGATE Merged Audit® Reference Manual Chapter 2.
PAGE 63
Chapter 3. Configuring Filters and the FILTERS File The Filter is XMA’s unit of control. Filters perform two functions: • They determine what goes in the XMA database. • They trigger one or more ACTIONS when an event matching the Filter’s selection criteria occurs. Note: Appendix D: contains a number of Sample Filters. Filters reside in the FILTERS file, which is an EDIT file in the XYGATEMA subvolume. There is one FILTERS file per XMA Pathway.
PAGE 64
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.1 How to Edit the FILTERS File You can edit the FILTERS file using the XYGATE Configuration Manager GUI or on the host using the XMA_EDIT_FILTERS macro. Refer to Appendix E12: on page 215 for the complete instructions on using the XMA_EDIT_FILTERS macro. Editing the FILTERS File Using the XYGATE Configuration Manager Click the XCF icon on your desktop.
PAGE 65
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.2 Filter Syntax Filters have three parts: • MOVER Selection • DATA Selection • ACTION Selection Filters have very strict syntax requirements. Each Filter begins with the FILTERDEFBEGIN keyword, which is also where you place the Filter name. Each Filter ends with the FILTERDEFEND keyword. Between these two keywords there are MOVER, DATA and ACTION selection paragraphs.
PAGE 66
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File The ACTION selection chapter begins with the ACTIONCOLL_BEGIN keyword and ends with the ACTIONCOLL_END keyword. Between these two keywords you can place one or more “paragraphs” to select one or more ACTIONS. Each of these paragraphs begins with the ACTION_BEGIN keyword and ends with the ACTION_END keyword. All of the pertinent ACTION selection keywords must be contained between these two keywords.
PAGE 67
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File !or … MOVER_SELECT_BEGIN PRODUCT = SAFEGUARD MOVER_SELECT_END !or … MOVER_SELECT_BEGIN PRODUCT = XYGATEUA MOVER_SELECT_END MOVER_END Operators are used to include or exclude records that match the designated selection criteria. Operator Followed by CONTAINS / NOTCONTAIN A string within quotation marks that describe just part of the contents of a column in the audit record that you want to rule out or rule in.
PAGE 68
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.3 Building a Filter Note: The easiest way to build a new Filter is to start with a copy of an existing Filter. This will ensure that the syntax is correct and let you concentrate on getting the selection criteria right. There are eight basic steps required to build a Filter: Step 1. Name the Filter. Step 2. Set the Filter Status. Step 3: Set the EVALUATE_MSG Keyword. Step 4.
PAGE 69
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.3.3 Step 3: Set the EVALUATE_MSG Keyword The EVALUATE_MSG keyword determines whether or not the MOVER will search the FILTERS file for another Filter that matches the selection criteria. Options are: STOP Once the record satisfies the conditions in a Filter, the evaluation stops. This is the default value. If the keyword is omitted, then the default is STOP.
PAGE 70
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.3.4 Step 4. Define the Filter’s Mover In most cases, you will only use the PRODUCT keyword to select a MOVER, but you may also select the node on which the target product resides and the subvolume the product is running from. Remember that the MOVER Serverclasses are the programs actually reading the various audit trails and transferring the records to the XMA database and generating any ACTIONs that you define.
PAGE 71
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File SYSTEM The NonStop server node where the target product resides. You only need to specify the SYSTEM if you want alerts from some systems and not others. LOCATION The volume and subvolume location of the target product specified above. You only need to specify the product LOCATION if you have more than one copy of a XYGATE product on the same node and you want to alert on events from one installation but others.
PAGE 72
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Example 3: How to specify a MOVER for a specific product installation FILTERDEFBEGIN $QA-XYGATEAC MOVER_BEGIN MOVER_SELECT_BEGIN PRODUCT = XYGATEAC LOCATION = $SECURE.XACQA MOVER_SELECT_END MOVER_END DATA_BEGIN DATA_SELECT_BEGIN FILTERTYPE STRINGFILTER AUDIT.
PAGE 73
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File It is always easiest to start with an existing Filter that is similar to what you want to look at. The default FILTERS and FILTSAMP files, created when you installed XMA, contain useful examples to use as templates. Example 1 below selects events based on the OPERATION. TELNET and LISTNER events are available if you have an EMS MOVER configured to search for them.
PAGE 74
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File You create Filters to tell the MOVERs to do something besides writing records to the XMA database. For example, if you do not want something added the database, create a Filter with an ACTIONTYPE of IGNORE. Then audit events matching the selection criteria in this IGNORE Filter will not be written to the database, but everything else will be.
PAGE 75
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Example DATA_BEGIN DATA_SELECT_BEGIN FILTERTYPE NOFILTER DATA_SELECT_END DATA_END The MACROFILTER. Instead of specifying the contents of the columns, you can do more elaborate selection of audit records using a macro.
PAGE 76
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File In Example 2 above, if the RULENAME column in the AUDIT DETAIL Table contains the value FUP-255, TACL-255, or SAFECOM-255 and the MESSAGECODE column in the AUDIT DETAIL Table contains “XAC-I,” then a value of MATCH will be returned. TCLEXC The structure TCLEXC is used when the DATAFILTERTYPE = MACROFILTER is specified.
PAGE 77
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File If you have the Safeguard Global AUTHENTICATE-MAXIMUM-ATTEMPTS set to 3, you would select records with the text "Logon Fail count 2 to 3" because this is the event that will cause Safeguard to freeze the userid. Now XMA will generate an email every time a userid is frozen because of a bad password. All logons, whether successful or not, will still be written to the XMA database.
PAGE 78
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File DATA_SELECT_BEGIN FILTERTYPE STRINGFILTER AUDIT.RULENAME = TACL-255 AUDIT.MESSAGEID = XAC-I DATA_SELECT_END If you want an alert for several XAC (but not all) commands, you have several options. You could list them individually: AUDIT.RULENAME LIKE "(TACL-255|SCF-255|EDIT-255)" If you have good naming conventions for the command names, you might be able to wildcard the names: AUDIT.
PAGE 79
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File The RETAIN keyword is used to implement selective Archive or Cleanup. A Filter with a MOVER = FILEMAINT must also include an ACTIONTTYPE of RETAIN. The Archive and Cleanup processes will check the Filter for the RETAIN_DAYS and RETAIN_MONTHS keyword values and process records that match the data selection criteria for the Filter accordingly. Refer to 8.1.
PAGE 80
XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Suppressing Alerts on Historical Events If you do not want to generate alerts on old audit events, use the MAXRECORDAGE keyword to suppress alerts on events older than a selected age. All events will still be written to the XMA database, unless the ACTIONTYPE = IGNORE. The MAXRECORDAGE keyword lets you eliminate alerts for events that are too old to matter anymore.

PAGE 81

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Option 2: |(SUBSTR(

.,, is the position in the column where you want to start. 1 is the first position. is the number of characters you wish to select. Example 2 alertstring |(substr(audit.recordlct,1,10))| alertstring alertstring |(substr(audit.

PAGE 82

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File ALERTTOKENs This is a list of the columns you wish to display from the audit detail, audit session, installation, and product tables. These will be displayed when a user selects a detailed view option in EMS. Note: You must build XYGATE products’ EMS tokens into your system EMS Templates to be able to view the individual tokens. Example 1 below shows an EMS alert. A message will be sent to the EMS collector \PROD.

PAGE 83

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File IPALERT_PORT Defines the port on the remote system where XMA will send the string meant for a SYSLOG. This keyword is required for IPALERT actions. Port 514 is the expected value. IPALERT_PREFIX Defines the prefix that will be prepended to the SYSLOG message. This is optional and can be up to 79 characters in length. For non-SYSLOGQ messages the length can be up to 40 characters.

PAGE 84

PAGE 85

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File MAIL_LOCAL_DOMAIN Some mail servers, such as Lotus, require a local domain name. Consult your mail administrator for additional information. MAIL_FROM The email address that will appear as the sender. It does not have to be a valid email address. MAIL_TO The email address where you want the message sent. At least one valid email address is required.

PAGE 86

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Example 3: Sample ACTION paragraph for an EMAIL alert ACTION_BEGIN ACTIONTYPE MAIL MAIL_SRV mail.bankofcochran.com MAIL_PORT 25 MAIL_FROM jo@bankofcochran.com MAIL_TO security@bankofcochran.com MAIL_IPPROCESS $ZTCP2 MAIL_SUBJECT XMA-|(AUDIT.SUBJECTLOGIN)|altered|(AUDIT.OBJECTNAME)| MAIL_BODY \N1.$SECURE.XYGATEMA.MAILSAFE ACTION_END Example 4 below shows a MAIL alert. An email will be sent to the security mailbox.

PAGE 87

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File RETAIN_DAYS The number of days that audit records matching the Filter’s selection criteria will be retained in the XMA database before being removed by either ARCHIVE or CLEANUP. Enter day(s) as a number between 1 and 5500 (15 years ) or –1, which means “never remove.

PAGE 88

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File The maximum size of any one line is 238 bytes, which is also the maximum line length that the FILTERS program can read-in. Note: You must redirect any output from TACL to a file or the spooler. The TACL that the MOVER starts to service commands has no terminal. Syntax: ACTION_BEGIN ACTIONTYPE RUNCMD MAXCOMPLETIONTIME RUNCMDDEFBEGIN $..

PAGE 89

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File MAXCOMPLETIONTIME Once the MOVER “fires off” the RUNCMD statements, the concatenated commands are sent to TACL for execution. The MOVER then waits for TACL to respond back that the command(s) have executed. The MOVER will wait for a response for the number of seconds defined by the MAXMPLETIONTIME.

PAGE 90

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Example 8: Sample SETDATA paragraph ACTION_BEGIN ACTIONTYPE SETDATA AUDIT.USER_DATA Priv user ACTION_END Some people insert an abbreviated form of the Filter name so that they can create reports based on the Filter that generated the alerts.

PAGE 91

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Specifying Multiple ACTIONS You may specify multiple ACTIONS to be taken when a match occurs. Each ACTION will have its own paragraph. If one of the ACTIONS is IGNORE, it must be last within the Filter. Example 10 below shows a Filter with three ACTIONTYPEs. When a matching audit event occurs, an EMS message will be generated, an email will be sent, and the AUDIT.USER_DATA column will be set to "Sfg Config".

PAGE 92

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Tracking Your Alerts For reporting purposes, there is a column called ALERTED in the Audit Detail Table This column contains a one-character flag to indicate the alert status. The ALERTED Column will contain one of the following values: Value Description A Alert – The alert was issued. B Blocked - The record was eligible for an ALERT but the parameter BLOCKALERTS was set to TRUE (refer to section 6.

PAGE 93

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Note: All Filter Definitions, including those with a STATUS of INACTIVE, will be checked for syntax errors. Use the XMA_FILTERS_CHECK macro to check the syntax in your FILTERS file. Syntax: XMA_FILTERS_CHECK [] The option to specify a filename allows you to create a temporary version of your FILTERS file that you can review and validate prior to moving it into production.

PAGE 94

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.3.8 Step 8. Test Your Alerts You can test to be sure that you have your EMS parameters, EMAIL parameters, SYSLOG parameters, and SNMP_TRAP parameters configured correctly. If the parameters are correct, XMA will send an “XMA Test Message” to the appropriate outlet.

PAGE 95

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.4.2 Including a File Syntax: #INCLUDE \... If you have large sets of keywords that are repeated in a number of Filter Definitions placing the information in a file enables you to quickly make changes. The file can be referenced in multiple places within a FILTERS file and be shared by XYGATE installations on multiple nodes. Example: #include \PROD.$SEC.XYGATEMA.

PAGE 96

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.4.3 Defining a Block of Text As an alternative to using the #INCLUDE option you may define a block of text within the FILTERS file. Syntax: #DEFINE_BEGIN ^ ... #DEFINE_END Example: #DEFINE_BEGIN ^EMAIL_COMMON_CONFIG ACTIONTYPE MAIL MAIL_SRV mail.server.com Mail_IPPROCESS $ZTC0 MAIL_FROM xma@prod.com MAIL_TO ops@company.

PAGE 97

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.4.

PAGE 98

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.5.1 Node-Conditional Operators A node-conditional operator defines how the specified node name will be evaluated. = An exact match between the individual node specified and the name of the node on which the xxACL file is being loaded. You can only specify an individual, nonwildcarded node name. If the names match, the conditional text will be evaluated for that product and node.

PAGE 99

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File In Example 2 below, if the node name on which MOVER using this Filter is running begins with the characters "\PROD", then write a message to EMS when event matching the selection criteria are encountered. MOVERs running on other nodes that use this Filter will not write a message to EMS. All the MOVERs, regardless of node, will add “Priv action” to the USER_DATA column of the XMA database.

PAGE 100

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.6.2 Step 2. Submit an INFO PROCESS Then go into SCF and do an INFO PROCESS on the process name: \NSKIT06 $DATA08.XYPRO 1>scf SCF - T9082H01 - (04DEC06) (15NOV06) - 05/21/2008 09:48:22 System \NSKIT06 (C) 1986 Tandem (C) 2006 Hewlett Packard Development Company, L.P. (Invoking \NSKIT06.$DATA08.XYPRO.SCFCSTM) 1-> info process $ztn5,detail TELSERV Detailed Info PROCESS \NSKIT06.$ZTN5 PCPU................... PPIN.....

PAGE 101

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File Why choose IPALERT? IPALERT actions send the audit data to the SIEM via UDP. IPALERT is required by some appliances such as the HP CLW appliance, which currently accepts only UDP syslog input. With the IPALERT action, each individual MOVER opens the outgoing PORT and sends the individual audit record that it is processing and then closes the PORT. Audit events cannot be easily resent. 3.7.

PAGE 102

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File The ALERTSTRING keyword determines what information within an audit record will be sent to the SIEM. The default Filters are designed to send every column of every XYGATEMA data table to the SIEM in a preset order. Important! Do not change the order or the tokens defined in these Filters. SIEMS are programmed to parse these columns into their databases in the order defined in the default FILTERS file. 3.7.

PAGE 103

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.7.

PAGE 104

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 3.7.4 Troubleshooting Communication with SIEM Appliances This section will help you troubleshoot the NonStop (XYGATEMA) side of the communication with a SIEM appliance. 1. Verify that the IPALERT/SYSLOGQ Filter(s) Status is Active. Review the FILTERS file either on the NonStop server using XMA_EDIT_FILTERS (page 215) or with the XYGATE Configuration Manager GUI. 2.

PAGE 105

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File 5. PING the SIEM. a. At TACL do info define * to look for the define for the current TCP/IP process. If the TCP/IP process is not the same as the one configured in the IPALERT/SYSLOGQ Filters, then set the define for your current session to the IPALERT/SYSLOGQ’s TCP/IP process. b. To change the DEFINE to point to the IPALERT/SYSLOGQ’s TCPIP process: $$DATA04.

PAGE 106

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File The TFILTERS file contains a test version of the IPALERT Filter that, instead of sending the contents of the columns to the log warehouse, sends the Element (Token) Sequence numbers and Column titles so that the programmers can verify that the data is being parsed into the correct columns in their database.

PAGE 107

XYGATE Merged Audit® Reference Manual Chapter 3. Configuring Filters and the FILTERS File The Order and Contents of the Tokens Being Sent via IPALERT Filters ALERTSTRING @ E33 AUDIT.PRODUCTCODE Product code ALERTSTRING @ E34 AUDIT.SUBJECT_USERNUMBER_MAJOR Subject Group Number ALERTSTRING @ E35 AUDIT.SUBJECT_USERNUMBER_MINOR Subject User Number ALERTSTRING @ E36 AUDIT.TARGET_USERNUMBER_MAJOR Target Group Number ALERTSTRING @ E37 AUDIT.

PAGE 108

XYGATE Merged Audit® Reference Manual Chapter 3.

PAGE 109

Chapter 4. Generating Reports Using XRM The XYGATE Audit Report Manager (XRM) is a graphical user interface (GUI) tool for running host-based XYGATE report macros, including the Safeguard Reports product. This chapter describes only the procedures for generating reports from the XMA database. The complete reference for the XRM product is described in the XYGATE Configuration and Audit Reporting manual.

PAGE 110

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM Choose an option: A: B: C: D: E: F: G: H: I: J: K: L: M: N: O: P: Q: R: X: Z: ZP: Audit Subvolume :$SYSTEM.XMADAT Report date range :2010-07-09 00:00 to 2010-07-09 23:59 Subject Userid :*.* Subject Login Name :* Subject System :* Subject Terminal :* Object Type :* Object Name :* Operation :* Outcome (All,S,F,N) :ALL Output file :$S.#XYGATE.

PAGE 111

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM 4.3 Select by Date and/or Time Range You can limit the XMA report to a selected time period. Enter the start (“from”) date and end (“to”) dates in YYYY-MM-DD format. If the leading portion of a date is omitted, it will default to today’s date; that is, if today is 2010-12-13 and a date of 12 is entered, a date of 2010-12-12 will be used. Enter the start (“from”) and end (“to”) times in HH:MM format (24-hour format).

PAGE 112

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM 4.5 Select by Subject Login Name(s) The LOGIN NAME is either the HP NonStop group name.user name, or the Safeguard alias of the person performing the activity and accesses contained in the report. The default is the asterisk ( * ) to include all Login Names. Note: Login Names are case sensitive; you must use uppercase letters unless the object name you are searching for is an alias containing lowercase characters.

PAGE 113

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM Example 5: Selection? d Enter case sensitive login names separated by commas. A leading * on a login name will match any login names that contain the specified string. A trailing * will match any login names that start with the specified string. The NOT keyword can be used: NOT Login name < >? XYPRO.

PAGE 114

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM contain the specified string. A trailing * will match any terminals that start with the specified string. The NOT keyword can be used: NOT Terminal < >?#PTYJAC1 When the Report Selection Screen reappears, the selection you entered will be shown: F: 4.8 Subject Terminal :#PTYJAC1 Select Subject by Object Type You can limit a report to a single type of object.

PAGE 115

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM You can limit a report to one or more specific objects by entering the object name(s) in a comma-separated list. Note: There must not be any spaces before or after the comma. Example 1 finds all audit entries with the process $XSR as the object name. Example 1: $XSR Example 2 finds all audit entries with the process $XSR and $XYOP as the object names.

PAGE 116

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM 4.11 Select By Outcome All of the various outcome or result code fields that are used in the XYGATE products and SAFEGUARD have been mapped to one of three values: SUCCESS, NORECORD, and FAILURE. You can limit your report to a single outcome. To select the Outcome to include in the report, select J.

PAGE 117

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM 4.13 Select the Report’s Sort Order You may choose the report format that best suits your needs. XMA comes with the following sort options: USER,LOGINNAME,TIME,OBJECT,PORT. USER Audit entries are grouped by USERID AND BY TIME. LOGINNAME Audit entries are grouped by Login Name and by time. TIME Audit entries appear in strict chronological order. OBJECT Audit entries are grouped by OBJECT and by time.

PAGE 118

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM 4.15 Select by XYGATE Product Code You can limit your search to data from one or more XYGATE products. To specify one more products or SAFEGUARD select N. You may specify a group of products to include or exclude. Selection?n Enter Product Codes separated by commas. Enter a ? to display a list of product codes. You can specify XYGATE products as either XYGATExx or just xx. You can specify SAFEGUARD as S.

PAGE 119

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM 4.17 Select by Text in the Result Column You can limit your data by reporting based on the value in the RESULT column of the Audit Detail Table. Selection?p Enter case-sensitive results separated by commas. A leading * on a result will match any results that contain the specified string. A trailing * will match any results that start with the specified string.

PAGE 120

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM Run the Report and Go Directly into Peruse When you select ZP to create the report, XMA will generate the report and put you directly into PERUSE for the spool collector selected. Once you have examined, printed, or written the report to a file and typed EXIT, you will be returned to the XMA Report Selection Screen where your previous selection criteria are still in place. You can change the criteria and create another report.

PAGE 121

XYGATE Merged Audit® Reference Manual Chapter 4. Generating Reports Using XRM 4.21 Running Reports from Archived Tables It is possible to report from archived tables via the host macros. To do so the following defines must be added to the environment before running XMA_REPORT: Add define =xma_report_auddet_table, class map, file $vol.subvol.D##### Add define =xma_report_audses_table,class map, file $vol.subvol.S##### add define =xma_report_audlcind_table , class map,file $vol.subvol.

PAGE 122

XYGATE Merged Audit® Reference Manual Chapter 4.

PAGE 123

Chapter 5. Using XMA_MANAGER XMA_MANAGER is the NonStop host-based user interface to manage the XMA subsystem. Using this menu driven interface, a user can perform the following tasks: 5.1 • Configure the pathway and its components. • Monitor and manage the pathway and its components, including MOVERs (Serverclasses). • Manage Database Archiving and Cleanup. Introduction Before you can run XMA_MANAGER, you must attach the XMA TACL segment to your current TACL session.

PAGE 124

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER 5.3 The Pathway Management Menu Enter 1 at the Main Menu Selection? prompt (page 99) to display the Pathway Management Menu.

PAGE 125

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER 5.4 The Movers Management Menu Use the XMA_MANAGER Movers Management Menu to create and manage all the MOVER Serverclasses for a Pathway on local and remote nodes. Enter 2 at the Main Menu Selection? prompt (page 99) to display the Movers Management Menu shown below. Chapter 6, “Configuring MOVERs” starting on page 109 provides more information about the various MOVER management options.

PAGE 126

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER Option Selection Description 3: Info Use this option to display information for one MOVER Serverclass including the MOVER and Parameter table entries and the Pathway configuration. You can use this option to determine the last audit record that the MOVER processed. 4: Status Use this option to display the status of a single MOVER Serverclass, including its Pathway status and Database entries.

PAGE 127

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER Option Selection 12: Alter Database params Description Use this option to add, change or delete parameters within the appropriate parameter table for a single MOVER Serverclass. When you change database-related parameters for a MOVER Serverclass, you will be prompted to stop and restart the Serverclass so that the changes can take effect.

PAGE 128

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER Option Selection 5.5 Description 17: Configure mail queue server Use this option to configure the parameters required for the NonStop server to communicate with your email server. For more information regarding configuring and testing email alerts, refer to section 3.3.6 starting on page 54. 18: Configure SysLog Send server Use this option to read records inserted into the queue. The primary use is for off-box appliance storage.

PAGE 129

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER Menu Item Description 1: Update Statistics Use this option to initiate the SQL update statistics function for selected SQL tables within the XMA database. Periodically performing this function improves the performance of SQL queries. The pathway must be stopped before you can Update Statistics. For more information, refer to section 8.2 on page 151 of this chapter.

PAGE 130

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER Menu Item Description 14: Cleanup Syslog Queue Use to delete all records from SYSLOGQ table. 15: Auto Cleanup Syslog Queue Use to schedule a daily cleanup job for SYSLOGQ table by providing retention days for sent and notsent messages. 16: Auto Archive Setup Use this option to schedule the archive process to run monthly or weekly. In addition, archive parameters can be designated.

PAGE 131

XYGATE Merged Audit® Reference Manual Chapter 5. Using XMA_MANAGER 5.8 Running XMA_MANAGER as the XMA Owner XMA_MANAGER must be run as the XMA module’s owner ID. If you have XAC running on the system, add the following command to the ACACL file to make this easier: Sample XAC Command to run XMA_MANAGER as the appropriate ID COMMAND XMA_MANAGER !This command is designed for User who administer XMA. DESCRIPTION "Runs XMA_MANAGER as the XMA owner ID" USER ! OBJECT $SYSTEM.

PAGE 132

XYGATE Merged Audit® Reference Manual Chapter 5.

PAGE 133

Chapter 6. Configuring MOVERs MOVERs are the programs that read the product audit trails and move the records to the XMA database. Each MOVER reads a single audit trail, so that eventually you will have a minimum of one MOVER per product, per node. Chapter 5, “Using XMA_MANAGER” starting on page 99 provides instructions for using the XMA_MANAGER to manage the MOVERs. For example, if you have XAC on three nodes, you will have at least three XAC MOVERs.

PAGE 134

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Though Collect-Only MOVERs do not generate alerts, audit events will still be checked against the FILTERS file and any record that would have generated an alert will be marked with a “C” in the alerted column. A value of “C” means “identified as an alert by a Collect-Only Serverclass.” The HKEEPER Serverclass is responsible for waking up the Collect-Only MOVERs. It considers the time window to be LCT on the master node.

PAGE 135

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 6.1.4 Changing the MOVER Type If you wish to change a MOVER’s type, use Movers Management Menu, option 12: Alter Database params (page 101). Note: For the new configuration to take effect, you must stop (option 6) and restart (option 5) the Serverclass in the Movers Management Menu. If you change parameters, you will also be prompted to stop and restart the Serverclass. 6.1.

PAGE 136

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Example 1: Sample default MOVER Serverclass names SFG-DEV1-01 XAC-DEV1-01 XPQ-DEV1-01 XUA-DEV1-01 EMS-PROD1-01 MM-PROD1-01 If a second Safeguard MOVER was added to \PROD1, XMA would assign the name SFG-DEV1-02, and so on. Choose the names for each MOVER Serverclass when you create it. You might want to use the name to indicate whether or not the MOVER is only alerting, only updating the database (“collecting”), or doing both.

PAGE 137

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 6.2.2 XMA_MANAGER Navigation Hints Generally, you will select the menu option for the task you which to perform. This will, in most cases, display another numbered set of options. To alter the value for one of the options, select the letter and make the change. Once the options are correct, type R(un) to execute the task. Press X to return to the previous menu (or exit XMA_MANAGER). Press Ctrl+Y to a previous submenu.

PAGE 138

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 4. Run the command file to create the MOVERs. Note: The XYGATESR object file, which is used to normalize Safeguard audit data for insertion into the XMA database, has an accompanying file called SRLIB which must be licensed on all nodes. A macro named REMFIN has been provided to help you with this process. You will be prompted to perform this task when you create remote Safeguard MOVERs.

PAGE 139

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Note: Unless you do not wish to use the XMA database on the host at all, do not create Alert-Only MOVERs. Accept N. Please select an option : 1: Create a new command file 2: Load and run an existing command file X: Exit Note: If you select option 1, you will be prompted for a filename. Do not name the file “DISCOVER” because XMA will create a file of that name later in the process.

PAGE 140

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Checking \PROD2.$SYSTEM.XYGATETR.P46F001 Selecting \PROD2.$SYSTEM.XYGATETR (XTR) ... Note: When the search is complete, you will see the following: Enter 'D' to discover new installations 'X' to exit and build command file ->x If you previously chose to “discover” on a single node, you may enter a new node name now and repeat the process. Otherwise, select X to exit search mode and build the command file.

PAGE 141

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs To start data collection from a specific date onwards, enter a date in the format yyyy-mm-dd. Enter value <-1>->10 Data collection start date will be set to 2008-05-20:00:00:00.000000. You must now decide if you want the MOVERs for products residing on the remote (non-master) nodes to run on the remote node or the local (master) node. If the MOVERs run on the remote node, they push the data to the XMA data tables via EXPAND.

PAGE 142

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Enter N to save your input file so that it can be used at a later date. Enter Y to create the MOVERs created. This step may take awhile especially if this is the first time you are adding MOVER Serverclasses on a node, because the SQL catalog and the appropriate objects will be added and the program objects will be SQL compiled.

PAGE 143

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Information regarding all the MOVER Serverclasses that are added will be stored in a file named DISCOVER in the XYGATEMA subvolume. This DISCOVER file cannot be used as a Command File. It is used by XMA and should not be altered. Note: The input file is deleted after use. If you wish to add additional MOVER Serverclasses using the Discovery option, you will have to create a new command input file.

PAGE 144

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 6.4.1 House Keeping Server (HKEEPER) The House Keeping Server, HKEEPER and SYSLOG Send Server are automatically started when the pathway is started. The Serverclass named HKEEPER is responsible for waking up the Collect-Only MOVERs and shutting them down at the end of the Collection Window. This Serverclass is created automatically and is automatically started by the Pathway. The HKEEPER also starts the database cleanup. 6.4.

PAGE 145

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 6.4.3 Syslog Send Server (SLSENDER) The SYSLOG MOVER will read records from an input queue and transmit the records to an off-box IP address and port via TCP/IP. The records can be added to the queue from the Safeguard, XYGATE, EMS, BASE24, HLR, ITP or Measure MOVERs. New Components: SLSENDER This is a MOVER Serverclass. It will be added automatically when the pathway is initially installed or upgraded.

PAGE 146

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Option Selection Description 4: Max Wait for Socket to Close This parameter tells the program how long to wait on a close request before marking the connection closed. The default is 120 seconds. 5: Max Wait for Socket to Connect This parameter tells the program how long to wait to connect. The default is 180 seconds. 6: Max Number of Messages in a Connection Queue The default is 10 messages.

PAGE 147

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs Based on the terminal name, certain records will be excluded from the IP address resolution process. The terminals to be excluded are by program filename: TMIOP, VHS, ZHOME, NETBATCH, (deviceinfo check), XYGATETR and any invalid terminal name. Note: The IPRESLVR server will not be available until it is configured. Configuration is done via the with the Movers Management Menu, option 19 (page 101).

PAGE 148

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 6.5 BASE24 MOVERs BASE24 writes its audits to two locations: • OMF File • EMS Log A BASE24 MOVER reads the OMF file, and an EMS MOVER reads the EMS log. BASE24 must be configured to audit changes to its user database and security configuration. The activities that can be logged are: logons, logoffs, and password changes. Auditing is stopped and started via Process Control window on the ACI Desktop user interface.

PAGE 149

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs The security-related BASE24 EMS messages have "ACI.XPSNCP" as the first part of the SSID. The SSID is placed in the AUDIT.OBJECTNAME column. You can use this to select security-related BASE24 events in Filters and reports. To capture the initialization of BASE24 audit logs, you should also look for EMS events with an SSID of "ACI.LOGDATER" to capture the audit log initialization messages. This is a PCI requirement. 6.

PAGE 150

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs /users/hlr/PS4JQ/: ls dpa_audit_20101106_000018.log dpa_audit_20101106_000028.log dpa_audit_20101106_000101.log dpa_audit_20101106_000111.log dpa_audit_20101106_000721.log dpa_audit_20101106_074444.log dpa_audit_20101106_091009.log dpa_audit_20101106_092558.log dpa_audit_20101106_094241.log dpa_audit_20101106_100023.log dpa_audit_20101106_104004.log dpa_audit_20101106_104208.log dpa_audit_20101108_083715.log dpa_audit_20101108_100434.

PAGE 151

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 6.7 iTP Secure WebServer MOVERs The iTP Secure WebServer (ITP) runs in the OSS Space. The default audit file is in the Common Log Format (CLS). The default name and location is /usr/tandem/webserver/logs/access.log. If you are running on H-series or later, the previous audits are rolled over into the location /usr/tandem/webserver/logs/ArchiveLogs and are named access.log..

PAGE 152

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs XYGATEMA will validate that files matching the mask contain data in the expected format; the program cannot validate the path so be careful to enter the path correctly. If you create a Mover pointing at the wrong directory, you will have to delete and re-add the Mover using the correct path and file mask.

PAGE 153

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs 6.9 MOVER Parameters Prior to release 1.90 of XYGATE Merged Audit, MOVER Serverclass parameters were stored in the following tables: XYGATE Products = XMA_XYMVPARAMSTBL EMS = XMA_EMSMVPARAMSTBL HLR = XMA_PARAMSTBL Safeguard = XMA_SFMVPARAMSTBL Measure = XMA_MEASMVPARAMSTBL BASE24 = XMA_B24MVPARAMSTBL Starting with XMA release 1.90, all data will be stored in the PARAMS table (XMA_PARAMSTBL).

PAGE 154

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs BACKLOGAGE The BACKLOGAGE keyword is used in conjunction with the MAXCPUBUSYPCT value. These two keywords help ensure that XMA does not interfere with production processing during times of peak activity each MOVER Serverclass will examine CPU activity and ‘throttle down’ for short periods of time if necessary.

PAGE 155

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs EMSSENDERPROCESSLOOKUP {NONE| LOCALONLY |ALL} This parameter is used by EMS MOVER Serverclasses. It tells the MOVER whether or not it should get additional information about the process that sent the message to the EMS collector. NONE Never do a query for additional process information. ALL Always do a query for additional process information.

PAGE 156

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs MAXCPUBUSYPCT <%> So that XMA does not interfere with normal processing during times of peak activity, each MOVER Serverclass will examine CPU activity and ‘throttle down’ for short periods of time if necessary. This parameter is used in conjunction with BACKLOGAGE.

PAGE 157

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs SWAPVOL A MEASURE MOVER Serverclass utilizes this parameter. This must be a valid subvolume name. The default is the subvolume location of the MEASURE MOVER Serverclass object. 6.9.2 TMF Related Parameters There are two parameters used in controlling TMF processing. TRANSACTIONSIZE This parameter specifies the number of rows that will be processed within each TMF transaction. The default is 1000 rows.

PAGE 158

XYGATE Merged Audit® Reference Manual Chapter 6. Configuring MOVERs The MOVER Serverclass XAC-NODE1-HIST will process all audit records dated from January 1, 2007 through March 31, 2007. The MOVER Serverclass XAC NODE1-01 will process all audit records starting with data from April 1, 2007. Note: When gathering historical data, it is suggested that you set the parameter BLOCKALERTS to ON. Otherwise, the MOVERs would be generating ALERTS for ACTIONS that may have taken place months ago.

PAGE 159

Chapter 7. Safeguard Selection Criteria This chapter provides information about Safeguard audit records that will help you build useful Filters and reports for Safeguard events. 7.1 Safeguard OBJECTTYPEs You can use OBJECTTYPEs when you want to monitor access to a certain type of Safeguard object. For example, if you want to generate an ACTION when a Safeguard Global parameter is altered, choose AUDIT.OBJECTTYPE = SAFEGUARD-CONFIG.

PAGE 160

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria Safeguard OBJECTTYPE Categorized by Type Category OBJECTTYPE OSS-related OSS-DISKFILE DIRECTORY OSS-FILESET PATH GROUP TTY COMMAND FIFO PROCESSGROUP SOCKET SYMLINK CONTROLLER GENERIC-CONFIG SHARED-SEGMENT SUBSYSTEM SYSTEM-DEVICE UNKNOWN Other — (Not all of these OBJECTTYPEs are actually in use in the Safeguard audit trails. Refer to the HP Safeguard manuals for more information.) 7.

PAGE 161

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria What you Type: Add Alter Delete Logon What Safeguard puts in its Audit Trail: CREATE CHANGE PURGE VERIFYUSER Safeguard OPERATIONS Notes: VERIFYUSER This is the OPERATION that Safeguard writes in the audit record when it authenticates a user. AUTHENTICATE This is the OPERATION that Safeguard writes to the audit record when a product other than Safeguard authenticates a user.

PAGE 162

XYGATE Merged Audit® Reference Manual Chapter 7.

PAGE 163

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria Safeguard OUTCOMEs and their Related Message Codes Category Safeguard OUTCOME Authentication-Related UserExpired UserFailed UserFrozen UserInvalid UserPwExpired UserPwInvalid UserValid 402 403 404 406 401 405 400 Warning is only present when Safeguard is in WARNING MODE. No Records represent an access attempt for an object that is not protected by Safeguard.

PAGE 164

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria 2 3 4 5 DATA_SELECT_END !Ignore the redundant,uninformative OSS records: DATA_SELECT_BEGIN FILTERTYPE STRINGFILTER AUDIT.OPERATION = EXECUTE AUDIT.OBJECTTYPE LIKE "OSS-DISKFILE|DIRECTORY)" AUDIT.MESSAGEID LIKE "(52|55)" DATA_SELECT_END !Ignore the redundant,uninformative DISKFILE-PATTERN records: DATA_SELECT_BEGIN FILTERTYPE STRINGFILTER AUDIT.OBJECTTYPE = DISKFILE-PATTERN AUDIT.

PAGE 165

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria 7.4 Safeguard MessageIDs Each Safeguard event generates a primary record and zero-to-many secondary records. These records are identified by the MESSAGEID. Safeguard MessageIDs Msg ID Record Type Description 51 Primary This record has useful info for just about everything except changes to user and object Protection Records.

PAGE 166

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria If you want to send an email whenever a User, Alias, a Global, or any type of Protection Record is ADDED or DELETED, the AUDIT.RESULT column of the Primary Record will show you everything you need to know; that is, who CREATED/PURGED what record. So if you select just the AUDIT.MESSAGEID = 51 audit record to generate the email, the recipient will have useful information to work with.

PAGE 167

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria Notice that you can avoid having to define each type of Protection Records individually by taking advantage of the fact that the OBJECTTYPE names of all Protection Records start with the letters ACL and using the LIKE operator so that you can wildcard the entry. 7.5 Safeguard EMS Error Messages These are from the Safeguard Operator Message manual. Item No.

PAGE 168

XYGATE Merged Audit® Reference Manual Chapter 7. Safeguard Selection Criteria Item No.

PAGE 169

Chapter 8. Maintaining the XMA Database The XMA SQL database should be managed by a knowledgeable Database Administrator. There are several tasks that should be performed at regularly scheduled intervals to prevent the data tables from filling up and to maintain the efficiencies of queries. These tasks are the following: 1. Remove obsolete Records by either Archive or Cleanup process (page 150). 2. Perform FUP Reloads (page 152). 3. Update Statistics (page 152). 4.

PAGE 170

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database The Archive and Cleanup processes will check Filters with MOVER paragraphs with the PRODUCT set to FILEMAINT. They will find the MOVER paragraph with an ACTIONTYPE of RETAIN and check the value of the RETAIN_DAYS or RETAIN_MONTHS keyword, and then process audit records in the XMA database that match the data selection criteria for the Filter accordingly. MOVERs ignore the FILEMAINT Filters.

PAGE 171

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database Example 1 below will cause XHE audit records for FTP accesses to a database containing cardholder data where the OPERATION is either GET or PUT to be retained for 5 years. If you want to perform another ACTION such as sending an email alert, you would need to add another Filter with the same selection criteria and MOVER = XYGATEHE.

PAGE 172

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database ACTIONTYPE RETAIN RETAIN_DAYS 3650 ! (365 x 10yrs) ACTION_END ACTIONCOLL_END FILTERDEFEND RETAIN_DAYS –1 - or - RETAIN_MONTHS -1 If you want to perform another ACTION, such as sending an email alert, you would have to add another Filter with the same selection criteria and MOVER = SAFEGUARD. 8.1.

PAGE 173

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database Option Selection Description 1: Archive Interval (M[ONTHLY]/W[EEKLY]/D[ISABLED]) Designate the frequency of the archive processing. 2: Auto Archive Start Date The first date the archive will run. 3: Auto Archive Start Time The time of day the archive will run. 4: Data retention Days before archiving The number of days to keep in the XMA database.

PAGE 174

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database [$..batarch == Process type -/*/###### [t_begin_dt] == Begin Date 00:00:00 == Begin Time [t_end_dt] == End Date 23:59:59 == End Time == Archive Location == Archive Description ] #unframed Deleting Obsolete Archives You can delete obsolete archive tables manually, using Database Management Menu, option 10 or 11. Refer to section 5.5, “The Database Management Menu” page 104.

PAGE 175

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database How to Change the Cleanup Options If you wish to change the cleanup options, use Database Management Menu, option 4: Auto cleanup setup. Refer to section 5.5, “The Database Management Menu” page 104. EXAMPLE: Changing the auto cleanup time Selection ? 4 Current cleanup settings : Data older than 9 days will be automatically cleaned up. Cleanup program will be launched at 14:00 daily.

PAGE 176

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database 8.2.1 Perform FUP Reloads FUP reloads regain space within the tables left by deleting old records. This procedure can be run while the Pathway is running. It should be performed at set time intervals such as once a week or once a month. Syntax: reload /out /

,deallocate Example 1: Sample obey file to reload the data tables reload /out $s.#xma.rld/ $SECURE.xmadat.auddet,deallocate reload /out $s.

PAGE 177

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database 8.3 Resizing the Data Tables The two tables in question are the Audit Session (AUDSESS) and Audit Detail (AUDDET) tables. Both of these tables also have indexes. These are the two tables that contain the consolidated audit information. 8.3.1 Default Table Sizes The default sizing for these tables as of v1.60 is as follows: AUDDET EXTENT (1024,1024) MAXEXTENTS 900 AUDSESS EXTENT (512,512) MAXEXTENTS 900 8.3.

PAGE 178

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database In chapter AUDSESS: EXTENT (1024,1024) MAXEXTENTS 900 In chapter AUDDET: EXTENT (2048,2048) MAXEXTENTS 900 Note: If the version of your SQL catalog is 3.50 or greater on all nodes, then these files can be type 2 files. 1. Copy the data from the existing tables to the new tables using the SQLCI LOAD command. Note: TMF auditing must be temporarily turned off for the new tables using the SQLCI ALTER TABLE command. 8.4 2.

PAGE 179

XYGATE Merged Audit® Reference Manual Chapter 8. Maintaining the XMA Database ALTER TABLE =XMA_AUDSESSIONTBL ADD PARTITION .XMADAT.AUDSESS FIRST KEY 2 WITH DATA MOVEMENT CATALOG $.XMACAT -- EXTENT (look at PARTITION Clause under SQL/MP Reference manual) -- MAXEXTENTS ; ALTER TABLE =XMA_AUDSESSIONTBL ADD PARTITION .XMADAT.AUDSESS FIRST KEY 101 WITH DATA MOVEMENT CATALOG $.

PAGE 180

XYGATE Merged Audit® Reference Manual Chapter 8.

PAGE 181

Chapter 9. Troubleshooting This chapter describes the XMAHELP functions and guides you through the steps to troubleshoot the following: 9.1 • NonStop (XMA) side of the communication with an audit logging appliance system. • Audit Log Warehouse Data Parsing. XMAHELP/XMA_HELP Displays information regarding the available XMA Macros. SYNTAX XMAHELP 9.1.1 XYMOVE Functions The program XYMOVE extracts information from the XYGATE product audit trails.

PAGE 182

XYGATE Merged Audit® Reference Manual Chapter 9. Troubleshooting 9.1.3 XYGATEVER XYMOVE Option Running XYMOVE with the XYGATEVER option provides a list of all supported XYGATE products and their associated minimum version required for XMA. It only lists a version again if the audit file layout has changed Syntax: RUN $..XYMOVE XYGATEVER Where: <$vol>. is the location of your XMA installation. Sample output from XYGATEVER 23> run $system.xygatema.xymove xygatever 23.. XMA 1.

PAGE 183

XYGATE Merged Audit® Reference Manual Chapter 9. Troubleshooting FILES DUPLICATED: 1 TEXT EDITOR - T9601H01 - (01MAY05) CURRENT FILE IS $DATA04.XYGATEMA.

PAGE 184

XYGATE Merged Audit® Reference Manual Chapter 9. Troubleshooting 9.2.3 Send a Test SYSLOG Message to the Log Warehouse Use the XMA_MANAGER to send a test message to the log warehouse system. (Refer to chapter Chapter 5, “Using XMA_MANAGER.”) 1. Logon as the XMA owner in order to run XMA_MANAGER. 2. Load the XMA TACL segment, start the XMA_MANAGER and select option 2: Movers. 3. To use the IPALERT message, select option 16: Test basic Alerts in the Movers Management Menu. (Refer to section 5.

PAGE 185

XYGATE Merged Audit® Reference Manual Chapter 9. Troubleshooting 9.2.4 1. PING the Log Warehouse System At TACL enter info define * to look for the define for the current TCPIP process. If the TCPIP process is not the same as the one configured in the IPALERT Filters, then set the define for your current session to the IPALERT’s TCPIP process. 2. Once you have done that, ping the log warehouse box to test the connection.

PAGE 186

XYGATE Merged Audit® Reference Manual Chapter 9.

PAGE 187

Appendix A: The MACONF File MACONF is an EDIT file that resides in the same volume and subvolume as the XYGATEMA object file. This file contains many of the configuration options that determine how XMA will run. The values are initially created by the install process. You may alter any of these values without re-installation except the MACRO_NAME. If you want to change this, you must re-install XMA.

PAGE 188

XYGATE Merged Audit® Reference Manual Appendix A: The MACONF File A3: COLLECTOR This keyword sets the name of the default spooler collector to use for report generation using the XMA_REPORT macro. The default value is $S. Syntax: COLLECTOR Example: COLLECTOR $S2 If this keyword is omitted from the MACONF file, the $S collector will be used as the default. A4: COMPANY_NAME This keyword sets the name of the installation.

PAGE 189

XYGATE Merged Audit® Reference Manual Appendix A: The MACONF File A6: MACRO_NAME The argument to the MACRO_NAME keyword is the name of the macro as specified at installation. This value is used for subsequent updates of the XMA product. This entry is required and will be created during installation. Syntax: MACRO_NAME Example: MACRO_NAME XMA Note: Because this macro name is built into the compiled TACLSEG for XMA, it will remain in effect until you re-install the software.

PAGE 190

XYGATE Merged Audit® Reference Manual Appendix A: The MACONF File A8: PERUSE_OBJECT This object filename will be used when the XMA_REPORT macro is instructed to start PERUSE. The object file defaults to the XYPRO XYGATESP product if present; otherwise, it will default to $SYSTEM.SYSTEM.PERUSE. Syntax: PERUSE_OBJECT <$processname> Example: PERUSE_OBJECT $SYSTEM.XYGATESP.PERUSE A9: PRIORITY This keyword is obsolete starting with XMA version 1.95. It is syntactically valid but ignored by the program.

PAGE 191

Appendix B: Administrative Tables The various processes within XMA use the Administrative tables and Data tables (described next in Appendix C:) to keep track of the MOVERs and what XYGATE product logs have been processed. The Administrative tables provide the means to configure MOVER Serverclasses and manage the data collection process. The most up-to-date information regarding the SQL tables can be found in the file NEWTBLS in your XMA installation subvolume.

PAGE 192

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B1: XYGATE MOVER Configuration Tables XYGATE MOVER Table =XMA_XYMVTBL The information in this table describes the Serverclass-to-XYGATE product relationship and the audit filename and location for that product.

PAGE 193

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B2: XYGATE MOVER State Tables The XYGATE MOVERs utilize the two tables below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.

PAGE 194

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables XYGATE MOVER State Auxiliary Table =XMA_XYMVSTATEAUXTBL CREATE TABLE =XMA_XYMVSTATEAUXTBL (RECORDSTATEKEY TIMESTAMP DEFAULT CURRENT NOT NULL , XYGATENODE CHAR (8) NO DEFAULT NOT NULL , XYGATEVOLUME CHAR (8) NO DEFAULT NOT NULL , XYGATESUBVOLUME CHAR (8) NO DEFAULT NOT NULL , XYGATEPRODUCT CHAR (3) NO DEFAULT NOT NULL , ServerclassNAME CHAR (15) NO DEFAULT NOT NULL -- Refers to =XMA_XYMVSTATETBL , FILEBEGIN_LCT CHAR (26) NO DEFAULT NOT

PAGE 195

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL As of release 1.90 of XYGATE Merged Audit this table will not be used. The data will be stored in the PARAMS table. When upgrading from a prior release, the data in the individual product tables will be converted and placed in the PARAMS table.

PAGE 196

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B6: MEASURE MOVER Tables There are three MEASURE MOVER Tables as described below. MEASURE MOVER Table =XMA_MEASMVTBL This table contains an entry for each MEASURE MOVER Serverclass.

PAGE 197

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables MEASURE MOVER Processed Table =XMA_MEASMVPROCTBL The MEASURE MOVERs use this table to record information regarding previously collected MEASURE data. This prevents the creation of duplicates.

PAGE 198

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B9: SAFEGUARD MOVER State Tables The Safeguard MOVERs utilize the two tables below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.

PAGE 199

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables SAFEGUARD State Auxiliary Table =XMA_SFGMVSTATEAUXTBL CREATE TABLE =XMA_SFGMVSTATEAUXTBL ( RECORDSTATEKEY TIMESTAMP DEFAULT CURRENT NOT NULL ,SFGNODE CHAR (8) NO DEFAULT ,ServerclassNAME CHAR (15) NO DEFAULT =XMA_SFGMVSTATETBL ,FILEBEGIN_GMT CHAR (26) NO DEFAULT record in the file ,FILEBEGIN_LCT CHAR (26) NO DEFAULT record in the file ,RECORDBEGINGMTTSTMP LARGEINT SIGNED NO DEFAULT record in this range in timestamp format ,RECORDENDGMT

PAGE 200

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B11: BASE24 Parameter Table As of release 1.90 of XYGATE Merged Audit this table will not be used. The data will be stored in the PARAMS table. When upgrading from a prior release, the data in the individual product tables will be converted and placed in the PARAMS table.

PAGE 201

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables -- number of records processed from this file ,SESSIONTBLINSCOUNT LARGEINT SIGNED NO DEFAULT NOT NULL -- number of session table inserts done while processing records from ,AUDITTBLINSCOUNT LARGEINT SIGNED NO DEFAULT NOT NULL -- number of audit table inserts done while processing records from the ,AUDITFILENAME VARCHAR(40) NO DEFAULT NOT NULL -- Name of the audit trail enscribe file ,CURRENTFILESTATUS VARCHAR(256) NO DEFAULT NOT NULL -

PAGE 202

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B13: TCP/IP Syslog Tables This table is read by the SLSENDER program.

PAGE 203

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B16: HLR State Tables The HLR MOVERs utilize the two tables below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.

PAGE 204

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables ,FILEBEGIN_LCT CHAR(26) NO DEFAULT -- yyyy-mm-dd hh:nn:ss.

PAGE 205

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B17: iTP Secure WebServer MOVER Table This table contains an entry for each iTP MOVER Serverclass.

PAGE 206

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B18: iTP Secure WebServer State Table The iTP MOVERs utilizes the table below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.

PAGE 207

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B19: ARCHIVE Tables There are two tables that are used to support the Archive process. The ARCHIVES Table tracks the status of all existing Archive sets. The ARCHIVE LOG Table contains audit data related to archive processing such as record counts. When an Archive set is deleted, the record for that ARCHIVEID will be deleted from the ARCHIVES Table. The deletion of the Archive set will be logged to the ARCHIVE LOG Table.

PAGE 208

XYGATE Merged Audit® Reference Manual Appendix B: Administrative Tables B20: PARAMS Table As of release 1.90 of XMA, all the Serverclasses share the PARAMS Table.

PAGE 209

Appendix C: Data Tables The data tables contain the audit data extracted from the XYGATE products, SAFEGUARD, and MEASURE. These tables also contain audit information from XMA processing. C1: File Partitioning Starting with XMA version 1.23, the AUDIT SESSION table and AUDIT DETAIL table now have a key that better lends itself to partitioning. The PARTITION key is the first column in the AUDIT SESSION table and AUDIT DETAIL table.

PAGE 210

XYGATE Merged Audit® Reference Manual Appendix C: Data Tables C3: Audit Installation Table =XMA_AUDINSTALLTBL This table is a cross-reference of PRODUCTCODE to PRODUCT INSTALLATION information. It is used to help identify the source installation for the data in the Audit Session Table.

PAGE 211

XYGATE Merged Audit® Reference Manual Appendix C: Data Tables C4: Audit Session Table =XMA_AUDSESSIONTBL The AUDIT SESSION TABLE ties together groups of records from a specific product and session. You will have one record in this table for each group of one or more records in the Audit Detail Table.

PAGE 212

XYGATE Merged Audit® Reference Manual Appendix C: Data Tables C5: Audit Detail Table =XMA_AUDITDETAILTBL These are the detail records with a particular session. There will be one or more related records tied together by an entry in the AUDIT SESSION TABLE.

PAGE 213

XYGATE Merged Audit® Reference Manual Appendix C: Data Tables -- Error codes, event codes, product specific codes -- Used to determine value in outcome , RULENAME VARCHAR (50) DEFAULT NULL -- Name of the rule used , RESULT VARCHAR (256) DEFAULT NULL -- Details about what happened ,USER_DATA VARCHAR(16) DEFAULT NULL -- reserved for future use , PRIMARY KEY (PARTITIONKEY,RECORDGMT,GMTSEQNO) XYPRO Technology Corporation 189 Proprietary and Confidential

PAGE 214

XYGATE Merged Audit® Reference Manual Appendix C: Data Tables XYPRO Technology Corporation 190 Proprietary and Confidential

PAGE 215

Appendix D: Sample Filters This Appendix provides some typical Filters. D1: Filter out $CMON’s “I’m Alive” Messages Because $CMON runs in the background, it periodically writes a message to its audit. Users frequently filter this message out of the XMA database. What makes these audit events unique is the OPERATION, so that is the only DATA selection criteria required. Example 1: FILTERDEFBEGIN $IGNORE.XCM.

PAGE 216

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D2: Filter out XPC STATUS Commands Example 2 filters out XPC status commands because generally anyone can status any process and it is not a security risk and generates a lot of audit. What makes these audit events unique is the audit record type, which is recorded in the MESSAGEID column. Refer to the XYGATE Process Control (XPC) Reference Manual for more information.

PAGE 217

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D3: Filter out Safeguard reading its own user database Example 3 filters out the audits of Safeguard itself reading the "USER and LUSER" files. Safeguard reads these file while ruling on every file access and every logon, which generates a lot of audit that is not useful. What makes these events unique is the combination of the MOVER, the OPERATION, and the subject userid.

PAGE 218

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D4: Filter out Safeguard No Record Example 4 filters out the Safeguard access events with a result of No Record, which are indicated by the OUTCOME = 2. That is all the DATA selection criteria required. What makes these events unique is the combination of the MOVER and the OUTCOME.

PAGE 219

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D5: Filter out XOS No Record Example 5 filters out the XOS access events with a result of No Record, which are indicated by the OUTCOME = 2. That is all the DATA selection criteria required. If you are using both Safeguard and XOS to protect files on your system, you could combine these two Filters by adding a second MOVER paragraph: one for Safeguard and one for XOS.

PAGE 220

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D6: Filter out XOS What-if tests Example 6 $ out the XOS audit records generated by “What-if” testing. What makes these events unique is the TESTMODE column, which contains a Y(es) for What-if queries and a N(o) for actual rulings. That is all the DATA selection criteria required.

PAGE 221

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D7: Alert for SUPER.SUPER’s password change via XPQ Example 7 generates an email alert whenever SUPER.SUPER’s password is changed using XPQ. What makes these events unique is the combination of the MOVER and the target user name. You could also use the AUDIT.OBJECTNAME column, in which case you would use: AUDIT.OBJECTNAME CONTAINS "SUPER.SUPER". Remember, the OBJECTNAME column contains both the userid and the user name.

PAGE 222

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D8: Alert when someone logs directly on as SUPER.SUPER Example 8 generates an EMS message whenever anyone logs on directly as SUPER.SUPER. What makes these events unique is the target userid and the operation. As is, this Filter will capture all logons to SUPER.SUPER. If you only wanted to be alerted if someone logged on to SUPER.SUPER from a "not logged on TACL", you could comment out the SUBJECT_USERNUMBER lines.

PAGE 223

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D9: Alert for XAC command containing "–255" Example 9 generates an EMS message whenever someone invokes an XAC COMMAND that contains the characters "-255". The EMS message will display the user’s logon name and the XAC command they invoked.

PAGE 224

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D10: Selecting security-related BASE24 EMS events The security-related BASE24 EMS messages have "ACI.XPSNCP" as the first part of the SSID. These are the EMS messages generated by NCPCOM. The SSID is placed in the AUDIT.OBJECTNAME column. Use this to select security-related BASE24 events in Filters and reports. To capture the initialization of BASE24 audit logs, you should also look for EMS events with an SSID of "ACI.LOGDATER".

PAGE 225

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters D11: Selecting CLIM events CLIM Audits are forwarded to an EMS Collector on the NonStop named $ZCLA. The SSID for these records is TANDEM.CIP.H03. FILTERDEFBEGIN $CLIM-EVENTS != CLIM Events are sent to a collector != name $ZCLA on the NonStop STATUS ACTIVE ! $CLIM-EVENTS MOVER_BEGIN MOVER_SELECT_BEGIN PRODUCT = EMS MOVER_SELECT_END MOVER_END DATA_BEGIN DATA_SELECT_BEGIN FILTERTYPE STRINGFILTER Audit.objecttype LIKE ".*TANDEM.CIP.*" audit.

PAGE 226

XYGATE Merged Audit® Reference Manual Appendix D: Sample Filters XYPRO Technology Corporation 202 Proprietary and Confidential

PAGE 227

Appendix E: XMA Host Macros A set of macros is supplied with the XMA host software. The XMA macro is used to attach the XMA_SEG TACL segment that contains all the XMA macros. Syntax: RUN <\NODE>.<$vol>..XMA INSTALL Example: RUN \NODE1.$SYSTEM.XYGATEMA.XMA INSTALL XMA INSTALL attaches the XMA_SEG TACL segment to the user’s TACL. If the user already has the XMA_SEG TACL segment installed, it has no other effect.

PAGE 228

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E2: ARCMAC The macro ARCMAC has been provided so that the Archive process can be run automatically at an interval you determine. A sample macro file named ARCMAC has been placed in your XMA subvolume to help you use this macro. PROCESS TYPE has 3 options: -, *, and ##### - (dash) Creates a new set of Archive Tables. * (asterisk) Indicates that all stopped (incomplete) archive processes should be restarted.

PAGE 229

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E3: CLEANDB The CLEANDB macro runs the database cleanup program at a regularly scheduled interval. Unlike the ARCHIVE process, CLEANDB deletes records from the AUDIT SESSION and AUDIT DETAIL tables but it does not create ARCHIVE Tables. A sample macro file named CLEANMAC has been placed in your XMA subvolume to help you use the CLEANDB macro.

PAGE 230

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros In this Example the start date is set to a date well in the past to pick up any “stray” records that might remain in the XMA database from long-running sessions. For the end date a value of 60 is specified, which from October 5, 2004 is calculated to be August 6, 2004. This removes all data older than 60 days from the database.

PAGE 231

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros CATALOG .XMACAT -- EXTENT -- MAXEXTENTS ?Section auddetail ALTER TABLE =XMA_AUDITDETAILTBL ADD PARTITION .XMADAT.AUDDET FIRST KEY 1 WITH DATA MOVEMENT CATALOG .XMACAT -- EXTENT -- MAXEXTENTS ; ALTER TABLE =XMA_AUDITDETAILTBL ADD PARTITION .XMADAT.AUDDET FIRST KEY 2 WITH DATA MOVEMENT CATALOG .

PAGE 232

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E7: UPDSTAT This macro performs the update statistics function for your XMA SQL tables. Use this macro to run a regularly scheduled update via Netbatch. You do not have to make any changes to this file. Sample UPDSTAT File == routine to update statistics from a batch file ?tacl routine #frame [#if [#variableinfo /existence/ :XMA_seg] |then| == do not attach, already present |else|[#if [#fileinfo /existence/ $SECURE.XYGATEMA.

PAGE 233

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E8: XMA_AUDIT_REPORT XMA_AUDIT_REPORT is invoked by the XMA_REPORT macro described in Chapter 4. It generates an SQLCI report using the criteria selected with the Report Selection Pane. The XYGATE Configuration and Audit Reporting manual provides more information for these selection criteria. Refer to the chapter “XYGATE Audit Report Manager (XRM)” and look in the section “Design a Report.

PAGE 234

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros object-type All or part of a valid Safeguard object type or * for all. object-name All or part of a valid object name or * for all. outcome ALL, SUCCESS, FAILURE, NORECORD. audit-file-name Location of your XMA tables ($volume.subvol). output-filename Spooler location and report name; for example: $S.#XYGATE.XMAREP sort-type USER, LOGIN NAME, OBJECT, TIME. operation A valid operation or * for all.

PAGE 235

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros • The report is sorted by TIME • All (*) operations • Debug is set to off (0) • all (*) rulenames • all (*) product codes will be included • All alert types (ALL) • All (*) results will be included • All (*) message codes will be included • All (*) message ids will be included If desired, you can use the TACL ampersand ( & ) to separate command lines for legibility.

PAGE 236

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E9: XMA_COMPILE_FILTERS The XMA_COMPILE_FILTERS macro runs the FILTCOMP program which reads in the FILTERS file and outputs MACONFB, the compiled FILTERS file. SYNTAX XMA_COMPILE_FILTERS EXAMPLE 105>XMA_compile_filters Compiling \PROD.$SEC.XYGATEMA.FILTERS file in \PROD ... XYGATE Merged Audit 2.10 (c) 1999-2012 XYPRO XYPRO Technology \PROD Segment base address: 236650496 Segment size: 102400000 FILTERS CHECKSUM 1279280475 (\PROD.$SEC.

PAGE 237

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E10: XMA_DATETIME_MAKE The XMA_DATETIME_MAKE macro will calculate a date in the past equal to the entered. This macro can be used to calculate dates and create date ranges to include in a customized XMA report. For example, if you enter 7, the macro will calculate the date seven days prior to the current date. An entry of 30 or 31 would be one month into the past. You can enter up to 3000 days in the past.

PAGE 238

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros The Letter T denotes TODAY. The following example will generate a report for the current day. Example: ?tacl macro #frame [#push t_t1 ] xma_datetime_make t #set t_t1 [xma_dt_year4]-[xma_dt_month]-[xma_dt_day] 00:00 xma_datetime_make t #set t_t1 [t_t1] [xma_dt_year4]-[xma_dt_month]-[xma_dt_day] 23:59 [xma_audit_report [t_t1] == date range *.* == user == login name == terminal == system == objecttype == object name ALL == outcome $DATA.

PAGE 239

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E12: XMA_EDIT_FILTERS The XMA_EDIT_FILTERS macro allows the user to edit a duplicate copy of the FILTERS file and then load it into production. Syntax XMA_EDIT_FILTERS Example XMA_EDIT_FILTERS $SECURE XYGATEMA 16> xma_edit_FILTERs This file edits the current XYGATE-ACCESS-CONTROL access control list. It will create a file named $SYSTEM.XYGATEMA.NEWFILT from the current $SYSTEM.XYGATEMA.FILTERS file. These are your old $SYSTEM.XYGATEMA.

PAGE 240

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros Note: A MOVER Serverclass reads in the FILTERS file at start-up time. If a syntax error is encountered when the MOVER Serverclass object is in the process of starting, an error message is displayed and the MOVER Serverclass will ABEND. After updating your FILTERS file, there is no need to stop and restart the server processes.

PAGE 241

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros In Example 3 below the filename oldflt0 was specified. In this case an error was found on line 16. OVER_BEGIN should have been MOVER_BEGIN. Once this is corrected, line 16 and the associated lines 17 through 20 will no longer be displayed as an error. This is because the keywords MOVER_END and MOVER_BEGIN define a set of MOVER selection criteria.

PAGE 242

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E14: XMA_INSTALL_LICENSE The XMA_INSTALL_LICENSE macro allows the XMA security administrator to check on a newly received license file and optionally load it to P28F001 on the volume and subvolume where XMA is installed. If you choose to load the new license, XMA renames the current license file (at the red arrow below) out of the way and moves the new license into place.

PAGE 243

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E15: XMA_LOAD_DEFINES The XMA_LOAD_DEFINES macro loads the DEFINES for your SQL Database. Example Load Defines: 17> xma_load_defines Adding MA DATABASE defines ... Deleting MA DATABASE defines ...

PAGE 244

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E18: XMA_NETWORK_VERSION The XMA_NETWORK_VERSION macro is a network version of the XMA_VERSION macro. When executed, XMA_NETWORK_VERSION will compare the programs in the main XMA subvolume against the programs on the remote nodes. The license files will also be checked. If expired licenses or out-of-sync modules are discovered, a message will be displayed.

PAGE 245

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E20: XMA_PWCOOL Restart your XMA Pathway with the configuration it had when you last shut it down. Refer to XMA_PWCOLD above. E21: XMA_PWSTOP Freezes and stops your Serverclasses and stops the PATHMON process using the PATHCOM shutdown command. It also saves your Pathway configuration information in the PWSTATE file. The information in the PWSTATE file is used when restarting your Pathway.

PAGE 246

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros Running $system.system.sqlcomp /in $SECURE.XYGATEMA.SFGMOVE, out $SECURE.XMADAT.DBOUT / catalog $SECURE.XMACAT SQLComping EMSMOVE .. Running $system.system.sqlcomp /in $SECURE.XYGATEMA.EMSMOVE, out $SECURE.XMADAT.DBOUT / catalog $SECURE.XMACAT SQLComping XYGATEMA .. Running $system.system.sqlcomp /in $SECURE.XYGATEMA.XYGATEMA, out $SECURE.XMADAT.DBOU T/ catalog $SECURE.XMACAT SQLComping ARCHIVE .. Running $system.system.sqlcomp /in $SECURE.

PAGE 247

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E24: XMA_SYNTAX_CHECK The syntax check macro will perform a syntax check on the FILTERS file if all three filenames are specified. If you do not specify any filenames, only the files called MACONF and MAACL will be examined. If you only want to check the FILTERS file, use the XMA_FILTERS_CHECK macro instead.

PAGE 248

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E25: XMA_UPDATE_FILTERS The XMA_UPDATE_FILTERS macro installs the NEWFILT file into production by renaming the current FILTERS file to OLDFLT and renaming NEWFILT as FILTERS. Syntax xma_update_FILTERs In Example 1 below the XMA_UPDATE_FILTERS macro looks for the file NEWFILT. If it is present, the production FILTERS file is renamed to OLDFLT2, and the file NEWFILT is renamed to FILTERS.

PAGE 249

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E26: XMA_VERSION The XMA_VERSION macro displays the version and license information for your XMA installation on the Master node. The macro XMA_NETWORK_VERSION described in Appendix E18: performs the same function for the remote (Child) nodes. $SECURE XYGATEMA 3> xma_version This is version 2.

PAGE 250

XYGATE Merged Audit® Reference Manual Appendix E: XMA Host Macros E27: XMA_VOLUME The XMA_VOLUME macro takes you to your XMA installation subvolume.

PAGE 251

Appendix F: TCLEXC The structures below are used when the DATAFILTERTYPE = MACROFILTER is specified. The data in this structure is also available for use when the ALERT option RUNCMD is specified. This information is contained in the file TCLEXC in your Parent XMA installation subvolume.

PAGE 252

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC End; == Definition MASESSION created on 05/09/2012 at 14:10 ?Section MASESSION Struct Begin STRUCT RECORDSESSIONKEY; BEGIN CHAR BYTE(0:25); END; STRUCT RECORDINSTALLKEY; BEGIN CHAR BYTE(0:25); END; STRUCT SESSIONID; BEGIN CHAR BYTE(0:35); END; CHAR FOUNDSESSIONSTART; CHAR FOUNDSESSIONEND; STRUCT IPADDRV46; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:45); END; End; STRUCT SESSIONNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL

PAGE 253

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:49); END; End; End; STRUCT DNSNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:99); END; End; End; STRUCT CLIENTCURRDIR; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End; End; == Definition MAAUDIT created on 05/09/2012 at 14:10 ?Section MAAUDIT Struct Begin STRUCT RECORDGMT; BEGIN CHAR BYTE(0:25); END; STRUC

PAGE 254

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT TARGET^USERNUMBER^MAJOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT TARGET^USERNUMBER^MINOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT SUBJECTLOGIN; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:39); END; End; End; STRUCT SUBJECTSYSTEM; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; S

PAGE 255

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End; STRUCT OPERATION; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:127); END; End; End; STRUCT TERMINAL; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:63); END; End; End; STRUCT MESSAGEID; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:19); END; End; End; STRUCT MESSAGECODE; Begin INT INDICAT

PAGE 256

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:255); END; End; End; STRUCT USER^DATA; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:15); END; End; End; End; == Definition TACLCMD created on 05/09/2012 at 14:10 ?Section TACLCMD Struct Begin STRUCT RUNMODE; BEGIN CHAR BYTE(0:9); END; STRUCT COMMAND; BEGIN CHAR BYTE(0:511); END; STRUCT PRODUCT; Begin STRUCT PRODUCTCODE; BEGIN CHAR BYTE(0:9); END; STRUCT PRODUCTNAME; Begin INT LE

PAGE 257

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:99); END; End; End; End; STRUCT SESSION; Begin STRUCT RECORDSESSIONKEY; BEGIN CHAR BYTE(0:25); END; STRUCT RECORDINSTALLKEY; BEGIN CHAR BYTE(0:25); END; STRUCT SESSIONID; BEGIN CHAR BYTE(0:35); END; CHAR FOUNDSESSIONSTART; CHAR FOUNDSESSIONEND; STRUCT IPADDRV46; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:45); END; End; STRUCT SESSIONNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LE

PAGE 258

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC BEGIN CHAR BYTE(0:49); END; End; End; STRUCT ANCESTORPROCESSTHREADID; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:49); END; End; End; STRUCT DNSNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:99); END; End; End; STRUCT CLIENTCURRDIR; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End; End; STRUCT AUDIT; Begin STRUCT RECORDGMT; BEGIN

PAGE 259

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT SUBJECT^USERNUMBER^MINOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT TARGET^USERNUMBER^MAJOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT TARGET^USERNUMBER^MINOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT SUBJECTLOGIN; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0

PAGE 260

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC End; STRUCT OBJECTNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End; STRUCT OPERATION; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:127); END; End; End; STRUCT TERMINAL; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:63); END; End; End; STRUCT MESSAGEID; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0

PAGE 261

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC STRUCT RESULT; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:255); END; End; End; STRUCT USER^DATA; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:15); END; End; End; End; End; == Definition TACLRSP created on 05/09/2012 at 14:10 ?Section TACLRSP Struct Begin STRUCT EYECATCHER; BEGIN CHAR BYTE(0:9); END; STRUCT RESULT; BEGIN CHAR BYTE(0:9); END; STRUCT DIAGNOSTICS; BEGIN CHAR BYTE(0:511

PAGE 262

XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC XYPRO Technology Corporation 238 Proprietary and Confidential

PAGE 263

Appendix G: Data Mapping Data Selection Criteria is used to select audit events based on the contents of the normalized audit data record. Every column that is utilized for a given target product is available for generating an ACTION in a Filter. Data selection criteria is based entirely on the product whose audit trail the MOVER is reading.

PAGE 264

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G1: General Notes on Data Mapping Columns These notes apply to all of the products. Notes unique to a particular product’s audit trail are included with the product’s data mapping tables. General Note 1 The value in the PARTITIONKEY column of both the Audit Detail (AUDDET) and Audit Session (AUDSESS) tables is assigned during processing. If the AUDDET and AUDSESS are not partitioned, the partition key will be set to a value of 2.

PAGE 265

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping General Note 4: The ALERTED Column will contain one of the following values: A ALERT Issued B Blocked the record was eligible for and ALERT but the parameter BLOCKALERTS is set to TRUE (refer to section 6.9, “MOVER Parameters” on page 129 for more information).

PAGE 266

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G2: Column Descriptions This table shows the contents of the columns. Refer to the individual product tables for the product-specific details. Column Type Description SESSION.RECORDSESSIONKEY timestamp Unique timestamp created when the first session row is inserted into the XMA database. SESSION.RECORDINSTALLKEY timestamp Links to the INSTALL.RECORDINSTALLKEY. SESSION.

PAGE 267

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Column Type Description INSTALL.IPADDRV46 Char 46 IP address of the NonStop server node where the product (XAC, SFG, etc.) that generated the event is running (therefore, the node where the event occurred). INSTALL.SYSTEMNAME Varchar 64 The NonStop server node where the product that generated the event is running. INSTALL.LOCATION Varchar 200 The installation subvolume of the product (XAC, B24, etc.

PAGE 268

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Column Type Description AUDIT.ALERTED Char 1 One character indicating whether or not XMA generated an alert when it processed the event. See General Note 4 on page 241 above. AUDIT.PRODUCTCODE varchar 10 The product (XAC, SFG, etc) that generated the audit record (links to INSTALL.PRODUCTCODE). AUDIT.

PAGE 269

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G3: How to Use the Data Mapping Tables The following illustration is a “key” to interpreting the data mapping for all the different sources of data that go into the XMA database. For example, if you are looking at the SAFEGUARD data mapping, this illustration will help you understand how to interpret the information provided.

PAGE 270

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G4: BASE24 Data Mapping BASE24 Audit Detail Table Column Type Record Contents PARTITIONKEY See General Note 1, pg 240. numeric 4 MOVER Generated RECORDGMT See General Note 2.

PAGE 271

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping BASE24 Note 1 The OBJECTNAME for files is determined by matching the numeric value in audit log to the description in the OMFOBJT file found in the XYGATEMA subvolume. If you have customized your OMFOBJT file, you should replace the file in the XYGATEMA subvolume with a copy of your file.

PAGE 272

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping BASE24 Note 4 When the OBJECTTYPE = USER and the OPERATION = CHANGE, it represents a change to the SEC file.

PAGE 273

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G5: BASE24-eps Data Mapping BASE24-eps Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp AudtEntryTm RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 OUTCOME See General Note 3.

PAGE 274

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Mapping Notes File Structure: The UALOGD file contains records that consist of two parts. The first part is a fixedlength area containing fixed-length fields. The second part is a large buffer containing data in XML format. Information is being extracted from this data and used to populate columns in the XMA database. The data mapping notes below will include the appropriate XML Tags.

PAGE 275

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Operation = Update: value value name AUDDET.RESULT Column name changed from before value to after value Example: Column: pin_chg_dat changed from 6C to 00 Operation = Delete: name value AUDDET.RESULT Column name value Example: Column encrypt_chk_values E50668 AUDDET.

PAGE 276

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping BASE24-eps Audit Session Table Column Type Record Contents PARTITIONKEY. numeric 4 MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated RECORDINSTALLKEY timestamp MOVER Generated SESSIONID char 36 See BASE24-eps Note 7.

PAGE 277

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Reference: BASE24-eps Audit Log Record audit. FILE is ualogd KEY-SEQUENCED. 02 seq1 type 02 seq2 type 02 PRIKEY. 03 UserID 03 AudtEntryTm Type 03 AudtEntryId 03 AudtEntrySeqNum 03 AudtSeqNum 03 AudtEntryTm1 02 02 02 02 02 02 02 02 02 02 UserID1 AudtEntryId1 seq3 seq4 Datasrc AudtEntryType SrvcID Flag AppIdFnd AudtEntryDetl type type Type type type BINARY 16. BINARY 16. PIC X(50). BINARY 16 OCCURS 4 TIMES. PIC X(20). BINARY 16. BINARY 16.

PAGE 278

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G6: HLR Data Mapping HLR Audit Detail Table Column Type Record Contents PARTITIONKEY See General Note 1, pg 240. numeric 4 MOVER Generated RECORDGMT See General Note 2. timestamp MOVER Generated (the GMT time equivalent of AUDIT.RECORDLCT). GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time (the Local time that the audit event occurred (as recorded in the HLR audit trail).

PAGE 279

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping HLR Audit Detail Table Column Type Record Contents OPERATION-Activity varchar 128 The DPA Command: ADD, READ, DELETE, UPDATE, CHANGEKEY, LOGON, LOGOFF, GETSESSIONINFO. TERMINAL varchar 64 MESSAGEID varchar 20 The DPA Target:Name, which indicates the subtype of object being changed: USERID, MKEY, KEY. See HLR Note 1. MESSAGECODE varchar 20 The DPA ResultCode, or the message ; See HLR Notes 2 and 6.

PAGE 280

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping HLR Note 1 – DPA Entity-Type The entity being manipulated. The most common values are: USER, GSUB, SIM, or CGSUB Processing Based on Entity Type: Entity-Type = User (Indicates a logon, logoff, or a change to DPA userid) DPA Identifier Value Notes XMA Column EntityType= USER Entity Type being manipulated AUDIT.OBJECTTYPE Name= USERID Type of obj being manipulated AUDIT.

PAGE 281

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Entity-Type = GSUB, CGSUB, or SIM (Indicates that a cell phone account is being manipulated) DPA Identifier Value Notes XMA Column EntityType= GSUB, SIM, CGSUB Entity Type being manipulated AUDIT.OBJECTTYPE Name= KEY Type of object being manipulated AUDIT.MESSAGEID User= Indicates the DPA userid that is making the change. AUDIT.SUBJECTLOGIN Command= DPA Command= Operation performed AUDIT.

PAGE 282

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping HLR Note 2 - DPA Message The DPA "Messages" are error messages and are only present when DPA ResultCode equals –1. The HLR MOVER processes messages as shown in the following table: DPA Identifier DPA Message= DPA ResultCode= Value Notes XMA Column Domain= The “part” of the record that got the error Id= The error number = Error description AUDIT.RESULT The word "TEXT" AUDIT.RULENAME –1 = fail 0 = success AUDIT.

PAGE 283

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping HLR Note 5 – "Select-Params" The Select Params are: • ALT-IMSI-DIGITS • GSM-O-CSI-ACTIVE • ECMN-SMS-CSI-ACTIVE • CLIR-AUTH • CLIP-ACT When any of the select-params are present in an audit record: • A new row is created that includes only the select param(s) and their values (0 or 1) as a comma-separated list. • This "special" row will have the word "FLAG" placed in the AUDIT.RULENAME column.

PAGE 284

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping HLR Note 7 The entry in the AUDIT.RULENAME column indicates the type of data in the AUDIT.RESULT column for the record. AUDIT.RULENAME AUDIT.RESULT TEXT Error description PARAM Property String FLAG Sensitive Param(s) only HLR Audit Session Table Column Type Record Contents PARTITIONKEY See General Note 1, pg 240.

PAGE 285

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G7: EMS Data Mapping EMS Audit Detail Table Column Type Record Contents PARTITIONKEY See General Note 1, pg 240. numeric(4) MOVER Generated RECORDGMT See General Note 2.

PAGE 286

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping EMS Note 1 A) For SUBJECT_USERNUMBER_MAJOR and SUBJECT_USERNUMBER_MINOR: 1. If ZEMS_TKN_PROC_DESC is equal to ZEMS_TKN_XSENDERID_PD in the event, then the generator of the event is the same as the reporter of the event, and ZEMS_TKN_USERID will be used. 2.

PAGE 287

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping EMS Note 4 The CLIENTPROGRAM column will be updated based on the value of the parameter EMSSENDERPROCESSLOOKUP: • EMSSENDERPROCESSLOOKUP = None The MOVER will not look up the client program so CLIENTPROGRAM will be "NULL". • EMSSENDERPROCESSLOOKUP = ALL The MOVER will look up the client program and update the column.

PAGE 288

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Special Processing for BASE24 EMS Audits The EMS MOVER parses messages from BASE24 differently: Table and Column EMS MOVER AUDIT.PRODUCTCODE Fill in the text "BASE24 EMS" AUDIT.SUBJECTLOGIN Base24 username or user number AUDIT.TARGETLOGIN Contents of the Base24 ID’s SEC record ALIAS field AUDIT.OBJECTTYPE OBJECTTYPE (e.g., PROCESS, DEVICE, STATION, LINK, etc.) AUDIT.OBJECTNAME For XPSNCPI = the object named in the RESULT.

PAGE 289

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Special Processing for ODBC/MX Audits The SEQNO and OPERATION field contain special values for SQL/MX records. SEQNO 000000000 denotes the beginning of the SQL/MX Session 999999999 denotes the end of the SQL/MX Session Operation The values in the OPERATION column vary depending on the ODBC/MX configuration.

PAGE 290

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Special Processing for CLIM The EMS MOVER parses messages from CLIMs differently as outlined in the following table: TABLE.COLUMN AUDIT.OBJECTTYPE SSID AUDIT.OPERATION CLIM-ACCEPT-PUBKEY, CLIM-OPEN-SESSION, CLIM-CLOSE-SESSION, CLIM-DISCONNECT AUDIT.MESSAGECODE PORT Process + Terminal AUDIT.TERMINAL AUDIT.RULENAME CLIM name SESSION.SESSIONID Processed + timestamp SESSION.

PAGE 291

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping Special Processing for XYGATE SSH Encryption (SSH) The EMS MOVER parses AUTHENTICATION messages from XSH as outlined in the following table.

PAGE 292

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G8: iTP Secure WebServer Mapping iTP Secure WebServer Audit Detail Table Column Type Record Contents PARTITIONKEY. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 OUTCOME See General Note 3.

PAGE 293

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping iTP Secure WebServer Audit Detail Table Column Type FOUNDSESSIONSTART char 1 FOUNDSESSIONEND char 1 SESSIONNAME varchar 40 PROCESSTHREADID varchar 50 PROCESSTHREADID2 varchar 50 CLIENTPROGRAM varchar 50 ANCESTORPROCESSTHREADID varchar 50 IPADDRV46 char 46 Web client if ipaddress DNSNAME varchar 100 Web Client if FQDN CLIENTCURRDIR varchar 200 XYPRO Technology Corporation 269 Record Contents Proprietary and Confidentia

PAGE 294

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G9: Measure Data Mapping MEASURE Audit Detail Table Column Type Record Contents PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Creation time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 System Generated OUTCOME See General Note 3.

PAGE 295

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping MEASURE Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 296

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G11: Safeguard Data Mapping Refer to Chapter 7, “Safeguard Selection Criteria” starting on page 135 for more information. SAFEGUARD Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2.

PAGE 297

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping SFG Note 1 The data extracted from the SAFEGUARD audit logs is the same data extracted by XSR SFG Note 2 The SEQNO is set as follows: • The primary record will be assigned a sequence number of 1. • Subsequent records will be assigned a sequence number of 2. • The actual value from the field rec-type will be in the MESSAGEID column. • Refer to section 7.4, “Safeguard MessageIDs” on page 141 for more information on Safeguard MESSAGEIDs.

PAGE 298

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G12: XYGATE Access Control (XAC) Data Mapping XAC Audit Detail Table Column Type XAC-I XAC-O XAC-E XAC-C PARTITIONKEY See General Note 1, pg 240. numeric(4) MOVER Generated RECORDGMT See General Note 2.

PAGE 299

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XAC Note 1 For XAC, the MESSAGECODE column shows whether or not the XAC command was executed successfully. If the field is blank, the OUTCOME is converted to a 1 (Success). If there is any text in the field (that is, any error/denial messages), the OUTCOME is converted to a 3 (Fail). The text of the message is placed in the RESULT column. XAC Note 2 The RESULT column contains the text description associated with the value in the OUTCOME column.

PAGE 300

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G13: XYGATE Supported CMON (XCM) Data Mapping XCM Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3. char 1 See XCM Note 1.

PAGE 301

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XCM Note 1 For XCM, the possible MESSAGECODES are: • R" ", which translates to an OUTCOME of 1 (Success) • D(eny), which translates to an OUTCOME of 3 (Fail) XCM Note 2 The OBJECTTYPE and OBJECTNAME columns will be updated based on the data in the OPERATION column (activity-type) in the XCM audit record as shown in the table below. XCM Note 3 For XCM, the OPERATION column shows the "Activity-type".

PAGE 302

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XCM Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 303

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G14: XYGATE Host Encryption (XHE) Data Mapping XHE Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3. char 1 See XHE Note 1.

PAGE 304

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XHE Note 1 For XHE, a MESSAGECODE of D(eny) or F(ail), which translates as an OUTCOME of 3. Otherwise, the OUTCOME will be 1 (Success). XHE Note 2 For XHE, the OBEJCTTYPE will be "FILE", "USER", or "MISC". If the OBJECTTYPE is set to FILE, then the byte-transferred:transfer-time will also be included: Example: FILE:000000003456:000000233 XHE Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 305

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G15: XYGATE Key Management (XKM) Data Mapping XKM Audit Detail Table Column Type Record Contents PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3. char 1 See XKM Note 1.

PAGE 306

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XKM Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 307

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G16: XYGATE Process Control (XPC) Data Mapping XPC Audit Detail Table Column Type XPC-I XPC-E XPC-S XPC-R† XPC-D PARTITIONKEY See General Note 1, pg 240. numeric 4 MOVER Generated RECORDGMT See General Note 2.

PAGE 308

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XPC Note 1 For XPC, an MESSAGECODE of "deny", causes an OUTCOME of 3. Otherwise, the OUTCOME will be 1 (success). XPC Note 2 (applicable to XPC 3.55 and up) For MESSAGEID = “XPC-R” the value will be “XPC-REASON” for MESSAGEID = “XPC-I”, “XPC-S”, and “XPC-E” the value will be the contents of the field XPC-COMMAND. XPC Note 3 (applicable to XPC 3.55 and up) For MESSAGEID = “XPC-R” the value will be the contents of the field XPC-COMMAND.

PAGE 309

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G17: XYGATE Password Quality (XPQ) Data Mapping XPQ Audit Detail Table Column Type Record Contents PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3. char 1 See XPQ Note 1.

PAGE 310

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XPQ Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 311

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G18: XYGATE Object Security (XOS) Data Mapping XOS Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3. char 1 See XOS Note 1.

PAGE 312

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XOS Note 1 For XOS, the possible MESSAGECODES are: • 01 (Grant) , which is translated to an OUTCOME of 1 (Success) • 02 (No Record), which translates to an OUTCOME of 2 (No Record) • 03 (Denied), which translates to an OUTCOME of 3 (Fail) XOS Note 2 For XOS the OBJECTNAME can come from one of two fields: • For Guardian objects the Object-Name • For OSS Objects Oss-Pathname If the Oss-Pathname is longer than 200 characters, the first 1

PAGE 313

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G19: XYGATE Safeguard Manager (XSM) Data Mapping XSM Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3.

PAGE 314

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XSM Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 315

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G20: XYGATE Combined Spoolcom Peruse Data Mapping (XSP) XSP Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time-data RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 OUTCOME See General Note 3.

PAGE 316

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XSP Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 317

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G21: XYGATE Transaction Router (XTR) Data Mapping XTR Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3. char 1 See XTR Note 1.

PAGE 318

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XTR Note 1 XTR has four possible OUTCOME codes: G(rant) XTR granted the access based on rules defined in the TRACL file. D(eny) XTR denied the access based on rules defined in the TRACL file. S(uccess) A successful XTR operation carried out on behalf of one of the GUIs such as running a macro or creating a file. F(ail) A successful XTR operation carried out on behalf of one of the GUIs such as running a macro or creating a file.

PAGE 319

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G22: XYGATE User Authentication (XUA) Data Mapping XUA Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT char 26 Date-time-data RECORDAUDITKEY Record Contents MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number Outcome See General Note 3.

PAGE 320

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XUA Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 321

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping G23: XYGATE Compliance PRO (XSW) Data Mapping XSW Audit Detail Table Column Type PARTITIONKEY See General Note 1, pg 240. numeric 4 RECORDGMT See General Note 2. timestamp GMTSEQNO char 2 MOVER Generated RECORDLCT timestamp Date-time-data RECORDAUDITKEY timestamp MOVER Generated RECORDSESSIONKEY timestamp MOVER Generated SEQNO char 9 Sequence-number OUTCOME See General Note 3.

PAGE 322

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XSW Audit Session Table Column Type PARTITIONKEY See General Note 1, pg 240.

PAGE 323

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XPC-P07 XCM-P08 XSP-P09 XPQ-P15 XOS-P19 XUA-P25 XSM-P26 XKM-P32 XHE-P39 XTR-P46 XSW-P44 BASE24 EMS MEASURE SFG Column Usage Table XAC-P06 G24: X X X X X X X X X X X X X X X X SEQNO X X X O X X X O X X X X OUTCOME X X X X X X X X X X X X X COLUMN PARTITIONKEY RECORDGMT GMTSEQNO RECORDLCT RECORDAUDITKEY RECORDSESSIONKEY WARNINGMODE X TESTMODE X X X X X X X SEVERITY ALERTED PROD

PAGE 324

X X X X DNSNAME X SFG MEASURE EMS BASE24 XSW-P44 XTR-P46 XHE-P39 XKM-P32 X XSM-P26 X XUA-P25 X XOS-P19 X X ANCESTORPROCESSTHREADID XPQ-P15 XCM-P08 X CLIENTPROGRAM XSP-P09 XPC-P07 COLUMN XAC-P06 XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping X X X CLIENTCURRDIR X Key System or Mover generated Not Applicable XYPRO Technology Corporation O 300 Proprietary and Confidential

PAGE 325

XYGATE Merged Audit® Reference Manual Appendix G: Data Mapping XYPRO Technology Corporation 301 Proprietary and Confidential

PAGE 326

PAGE 327

Glossary This glossary provides explanations of the XMA components, including files and macro, as well as the keywords used in the MACONF and the FILTERS file. ACTIONTYPE Filter Keyword The ACTIONTYPE keyword determines the type of ALERT that will be generated when an event matching the selection criteria of the Filter is detected.

PAGE 328

XYGATE Merged Audit® Reference Manual Glossary ALERTTARGET Filter Keyword Filters with an ALERT ACTIONTYPE require the ALERTTARGET keyword to define where the EMS message should be sent. Most often it will be your EMS collector. If you choose to do so, you could send all the ALERTS for all the nodes on your network to a single, dedicated EMS collector located on the Parent node. In this case, enter the master node’s name. The default is \.$0, where system is the node where the MOVER is running.

PAGE 329

XYGATE Merged Audit® Reference Manual Glossary ALERTTOKENS Filter Keyword This is a list of columns you wish to display from the AUDIT DETAIL TBL, and AUDIT SESSION TBL. The default is all of the data from the AUDIT DETAIL TBL and AUDIT SESSION TBL. Syntax: ALERTTOKENS ...< column > ALERTTOKENSEND APPMOVE Program APPMOVE is the program that reads the iTP Secure WebServer audits.

PAGE 330

XYGATE Merged Audit® Reference Manual Glossary Data Selection Criteria Data Selection Criteria is used to select audit events based on the contents of the normalized data record. Every field that is utilized for a given target product is available for generating an ALERT or ACTION in a Filter. For example, if you wish to act on failed attempts to access files: • Use the AUDIT.OUTCOME column to select audit records where this field indicates a denial. • Use the AUDIT.

PAGE 331

XYGATE Merged Audit® Reference Manual Glossary EMS Templates and Macros The EMS Message Format Templates allow the output from ALERTS and program messages written to EMS to be tokenized and organized as desired by the customer. The following three files are supplied at installation to allow this customization: EMSBUILD A macro to build the template file based on the system templates and the EMSTEMP file. EMSDDL The DDL layout for the EMS messages.

PAGE 332

XYGATE Merged Audit® Reference Manual Glossary FILTERS File A file containing a set of rules used by the various MOVER Serverclasses while collecting audit and process ancestry data. These rules fall into two categories: (1) the first is audit data that should not be inserted into the consolidated SQL Database, and (2) the second category is ALERTS. These are issued when events you specify are detected.

PAGE 333

XYGATE Merged Audit® Reference Manual Glossary IPALERT Filter Keyword The IPALERT ACTIONTYPE sends an ALERT message to a TCP/IP address or 'SYSLOG' console when an event matching the selection criteria of the Filter is detected. See also, ALERTSTRING, IPALERT_ADDRESS, IPALERT_PORT, IPALERT_PREFIX and IPALERT_PROCESS. IPALERT_ADDRESS Filter Keyword Filters with an IPALERT ACTIONTYPE require the IPALERT_ADDRESS keyword to define the TCP/IP address where XMA will send the string meant for a SYSLOG.

PAGE 334

XYGATE Merged Audit® Reference Manual Glossary MACONFB MACONFB is the compiled version of the FILTERS file. It is created using the FILTCOMP program. MAIL Filter Keyword The MAIL ACTIONTYPE sends an email message when an event matching the selection criteria of the Filter is detected. See also, MAIL_SRV, MAIL_PORT, MAIL_LOCAL_DOMAIN, MAIL_FROM, MAIL_TO, MAIL_SUBJECT and MAIL_BODY.

PAGE 335

XYGATE Merged Audit® Reference Manual Glossary MAIL_LOCAL_DOMAIN Filters with a MAIL ACTIONTYPE require the MAIL_LOCAL_DOMAIN keyword to define the mail domain. This keyword is optional for MAIL alerts. Some mail servers, such as LOTUS, require a local domain name. Microsoft Outlook does not require a domain name. Consult your mail administrator for additional information. MAIL_SRV Filter Keyword Filters with a MAIL ACTIONTYPE require the MAIL_SRV keyword to define the name of target mail server.

PAGE 336

XYGATE Merged Audit® Reference Manual Glossary MAXACTIONRATE Filter Keyword This keyword acts like an EMS throttle. It allows you to specify how often you want to receive notification if the same situation occurs. All the activity will still be written to the XMA database. This field only controls the number of alerts generated. Omitting this parameter would cause ALERTS and/or ACTIONS to occur for any eligible record no matter how often the activity is occurring.

PAGE 337

XYGATE Merged Audit® Reference Manual Glossary MAXCOMPLETIONTIME Filter Keyword The MAXCOMPLETIONTIME keyword sets the time-out parameter for a RUNCMD ACTIONTYPE. If the processing specified within a RUNCMD block cannot be completed within the specified time period, an error message will be generated and processing will continue. The default value for this parameter is 300 seconds (5 minutes).

PAGE 338

XYGATE Merged Audit® Reference Manual Glossary MOVERs MOVERs are Serverclasses. They are processes that read the various product audit files and generate alerts and/or update the XMA database. There are three types of MOVERs: 1. Alert-Only, which only generate alerts. They do not update the XMA database. 2. Collect-Only, which only update the XMA database. They do not generate alerts. 3. Regular (combined Alert and Collect), which both generate alerts and update the XMA database.

PAGE 339

XYGATE Merged Audit® Reference Manual Glossary PARSAMP Macro This file contains sample SQLCI commands that can be used to partition your AUDIT SESSION and AUDIT DETAIL tables. Refer to Appendix E: “XMA Host Macros” starting on page 203 for more information. PRODUCT MOVER Criteria Keyword This keyword is used to specify the desired MOVER’s target product.

PAGE 340

XYGATE Merged Audit® Reference Manual Glossary RUNCMD Filter Keyword This ACTIONTYPE allows you to run custom processes. This would include any process which can be executed from TACL (non-block-mode). You should always set the MAXCOMPLETIONTIME for RUNCMD ACTIONTYPEs; otherwise, the MOVER may not move on to process subsequent audit records. All of the processing to take place must appear between the keywords RUNCMDDEFBEGIN and RUNCMDDEFEND.

PAGE 341

XYGATE Merged Audit® Reference Manual Glossary SNMP TRAP Filter Keyword Filters with an SNMP TRAP ACTIONTYPE send a message to the defined SNMP TRAP when an event matching the selection criteria of the Filter is detected. See also SNMP_TRAPDEST, SNMP_IPPROCESS, SNMP_TRAPNUMBER, SNMP_COMMUNITY, and SNMP_MESSAGE. SNMP_TRAPDEST Filters with an SNMP TRAP ACTIONTYPE require the SNMP_TRAPDEST keyword to define the IP address and PORT of the target SNMP process. The port number is optional.

PAGE 342

XYGATE Merged Audit® Reference Manual Glossary SRCONF The SRCONF file is used by the XYGATESR object. The SRCONF file contains the following keywords: USE_SUBJECTCREATOR !Monitor !MonITOR_REPLY !DEBUG !CALL [OFF|ON] $S.#XSR.MONITOR The argument to the USE_SUBJECTCREATOR keyword is a value of ON or OFF. The default value for this keyword is OFF.

PAGE 343

XYGATE Merged Audit® Reference Manual Glossary XMA (SQL) Database A complete discussion of the SQL Database can be found in Appendix B: and Appendix C: for Database Tables and in Appendix G: for Data Mapping. On a high level, the XMA database consists of the following: • Administrative Tables (Appendix B:) This set of tables contains configuration and process management information for the Serverclasses within the XMA Pathway.

PAGE 344

XYGATE Merged Audit® Reference Manual Glossary XMA_COMPILE_FILTERS Macro XMA_COMPILE_FILTERS uses the FILTCOMP program to create a pre-compiled version of the FILTERS file called MACONFB that is loaded by the movers at startup time. The MACONFB file will be updated on all nodes. XMA_DBVOLUME Macro Once the XMA segment is attached, typing XMA_DBVOLUME will take you to the subvolume containing the XMA database tables. The default subvolume name is XMADAT.

PAGE 345

XYGATE Merged Audit® Reference Manual Glossary XMA_LOAD_DEFINES Macro Once the XMA segment is attached, typing XMA_LOAD_DEFINES will load the DEFINES for your SQL Database. Refer to Appendix E: “XMA Host Macros” starting on page 203 for more information. XMA_MANAGER Macro The XMA_MANAGER macro is the primary tool for configuring and maintaining the XMA Pathway. You will use it to create and manage MOVER Serverclasses, and do database management.

PAGE 346

XYGATE Merged Audit® Reference Manual Glossary XMA_REPORT Macro Once the XMA segment is attached, typing XMA_REPORT will display a menu of selection criteria to help you generate SQL queries against the XMA database. The reports will be sent to the spooler. Note: The XMA_REPORT Macro produces reports using the SQLCI Query and Report Writer functions. If you are not licensed for SQLCI in your installation, these macros are not available to you.

PAGE 347

XYGATE Merged Audit® Reference Manual Glossary XYGATEMA Object file for the process that does the syntax checking on the MACONF file. XYGATESR XYGATESR is the object file for the program that normalizes the Safeguard audit records in preparation for adding it to the XMA database. It has an associated program called SRLIB which must be licensed. The XYGATESR and SRLIB programs work in conjunction with the SFGMOVE program.

PAGE 348

XYGATE Merged Audit® Reference Manual Glossary XYPRO Technology Corporation 324 Proprietary and Confidential

PAGE 349

Index XPC........................................................283 XPQ .......................................................285 XSM .......................................................289 XSP ........................................................291 XTR ........................................................293 XUA........................................................295 A Administrative Tables ................................ 167 ALERTSTRING ............

PAGE 350

XYGATE Merged Audit® Reference Manual Index AutoInstall, Running ................................... 6 Generate Reports .................................... 25 GUI/PC Products ..................................... 23 MOVER Selection Keywords ................... 46 Running Automated Uninstall................... 21 Using AutoInstall ........................................ 1 Serverclass Naming Conventions ...........111 Starting ...................................................220 Time Ranges ............

PAGE 351

XYGATE Merged Audit® Reference Manual Index TCP/IP ..................................................... 60 UDP ......................................................... 58 SYSLOG Messages .................................... 81 SYSLOGQ .................................................. 76 Filters Configuration ................................. 79 T TCLEXC.........................................52, 65, 227 TMF-Related Parameters.......................... 133 Troubleshooting ..............................

PAGE 352

XYPRO Technology Corporation 328 Proprietary and Confidential