,deallocate
Example 1: Sample obey file to reload the data tables
reload /out $s.#xma.rld/ $SECURE.xmadat.auddet,deallocate
reload /out $s.
XYGATE Merged Audit® Reference Manual
Chapter 8. Maintaining the XMA Database
8.3 Resizing the Data Tables
The two tables in question are the Audit Session (AUDSESS) and Audit Detail (AUDDET) tables. Both of these tables also have indexes. These are the two tables that contain the consolidated audit information.
8.3.1 Default Table Sizes
The default sizing for these tables as of v1.60 is as follows:
AUDDET EXTENT (1024,1024) MAXEXTENTS 900
AUDSESS EXTENT (512,512) MAXEXTENTS 900
8.3.
In chapter AUDSESS: EXTENT (1024,1024) MAXEXTENTS 900
In chapter AUDDET: EXTENT (2048,2048) MAXEXTENTS 900
Note: If the version of your SQL catalog is 3.50 or greater on all nodes, then these files can be type 2 files.
1. Copy the data from the existing tables to the new tables using the SQLCI LOAD command.
Note: TMF auditing must be temporarily turned off for the new tables using the SQLCI ALTER TABLE command.
8.4
2.
ALTER TABLE =XMA_AUDSESSIONTBL
  ADD PARTITION .XMADAT.AUDSESS FIRST KEY 2
  WITH DATA MOVEMENT CATALOG $.XMACAT
  -- EXTENT (look at PARTITION Clause under SQL/MP Reference manual)
  -- MAXEXTENTS
;
ALTER TABLE =XMA_AUDSESSIONTBL
  ADD PARTITION .XMADAT.AUDSESS FIRST KEY 101
  WITH DATA MOVEMENT CATALOG $.
Chapter 9. Troubleshooting
This chapter describes the XMAHELP functions and guides you through the steps to troubleshoot the following:
• NonStop (XMA) side of the communication with an audit logging appliance system.
• Audit Log Warehouse Data Parsing.
9.1 XMAHELP/XMA_HELP
Displays information regarding the available XMA Macros.
SYNTAX XMAHELP
9.1.1 XYMOVE Functions
The program XYMOVE extracts information from the XYGATE product audit trails.
9.1.3 XYGATEVER XYMOVE Option
Running XYMOVE with the XYGATEVER option provides a list of all supported XYGATE products and their associated minimum version required for XMA. It only lists a version again if the audit file layout has changed.
Syntax: RUN $..XYMOVE XYGATEVER
Where: <$vol>. is the location of your XMA installation.
Sample output from XYGATEVER
23> run $system.xygatema.xymove xygatever
23.. XMA 1.
FILES DUPLICATED: 1
TEXT EDITOR - T9601H01 - (01MAY05)
CURRENT FILE IS $DATA04.XYGATEMA.
9.2.3 Send a Test SYSLOG Message to the Log Warehouse
Use the XMA_MANAGER to send a test message to the log warehouse system. (Refer to Chapter 5, “Using XMA_MANAGER.”)
1. Logon as the XMA owner in order to run XMA_MANAGER.
2. Load the XMA TACL segment, start the XMA_MANAGER and select option 2: Movers.
3. To use the IPALERT message, select option 16: Test basic Alerts in the Movers Management Menu. (Refer to section 5.
9.2.4 PING the Log Warehouse System
1. At TACL enter info define * to look for the define for the current TCPIP process. If the TCPIP process is not the same as the one configured in the IPALERT Filters, then set the define for your current session to the IPALERT’s TCPIP process.
2. Once you have done that, ping the log warehouse box to test the connection.
Appendix A: The MACONF File
MACONF is an EDIT file that resides in the same volume and subvolume as the XYGATEMA object file. This file contains many of the configuration options that determine how XMA will run. The values are initially created by the install process. You may alter any of these values without re-installation except the MACRO_NAME. If you want to change this, you must re-install XMA.
A3: COLLECTOR
This keyword sets the name of the default spooler collector to use for report generation using the XMA_REPORT macro. The default value is $S.
Syntax: COLLECTOR
Example: COLLECTOR $S2
If this keyword is omitted from the MACONF file, the $S collector will be used as the default.
A4: COMPANY_NAME
This keyword sets the name of the installation.
A6: MACRO_NAME
The argument to the MACRO_NAME keyword is the name of the macro as specified at installation. This value is used for subsequent updates of the XMA product. This entry is required and will be created during installation.
Syntax: MACRO_NAME
Example: MACRO_NAME XMA
Note: Because this macro name is built into the compiled TACLSEG for XMA, it will remain in effect until you re-install the software.
A8: PERUSE_OBJECT
This object filename will be used when the XMA_REPORT macro is instructed to start PERUSE. The object file defaults to the XYPRO XYGATESP product if present; otherwise, it will default to $SYSTEM.SYSTEM.PERUSE.
Syntax: PERUSE_OBJECT <$processname>
Example: PERUSE_OBJECT $SYSTEM.XYGATESP.PERUSE
A9: PRIORITY
This keyword is obsolete starting with XMA version 1.95. It is syntactically valid but ignored by the program.
Appendix B: Administrative Tables
The various processes within XMA use the Administrative tables and Data tables (described next in Appendix C:) to keep track of the MOVERs and what XYGATE product logs have been processed. The Administrative tables provide the means to configure MOVER Serverclasses and manage the data collection process. The most up-to-date information regarding the SQL tables can be found in the file NEWTBLS in your XMA installation subvolume.
B1: XYGATE MOVER Configuration Tables
XYGATE MOVER Table =XMA_XYMVTBL
The information in this table describes the Serverclass-to-XYGATE product relationship and the audit filename and location for that product.
B2: XYGATE MOVER State Tables
The XYGATE MOVERs utilize the two tables below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.
XYGATE MOVER State Auxiliary Table =XMA_XYMVSTATEAUXTBL
CREATE TABLE =XMA_XYMVSTATEAUXTBL
(RECORDSTATEKEY TIMESTAMP DEFAULT CURRENT NOT NULL
, XYGATENODE CHAR (8) NO DEFAULT NOT NULL
, XYGATEVOLUME CHAR (8) NO DEFAULT NOT NULL
, XYGATESUBVOLUME CHAR (8) NO DEFAULT NOT NULL
, XYGATEPRODUCT CHAR (3) NO DEFAULT NOT NULL
, ServerclassNAME CHAR (15) NO DEFAULT NOT NULL -- Refers to =XMA_XYMVSTATETBL
, FILEBEGIN_LCT CHAR (26) NO DEFAULT NOT
B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL
As of release 1.90 of XYGATE Merged Audit this table will not be used. The data will be stored in the PARAMS table. When upgrading from a prior release, the data in the individual product tables will be converted and placed in the PARAMS table.
B6: MEASURE MOVER Tables
There are three MEASURE MOVER Tables as described below.
MEASURE MOVER Table =XMA_MEASMVTBL
This table contains an entry for each MEASURE MOVER Serverclass.
MEASURE MOVER Processed Table =XMA_MEASMVPROCTBL
The MEASURE MOVERs use this table to record information regarding previously collected MEASURE data. This prevents the creation of duplicates.
B9: SAFEGUARD MOVER State Tables
The Safeguard MOVERs utilize the two tables below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.
SAFEGUARD State Auxiliary Table =XMA_SFGMVSTATEAUXTBL
CREATE TABLE =XMA_SFGMVSTATEAUXTBL
( RECORDSTATEKEY TIMESTAMP DEFAULT CURRENT NOT NULL
,SFGNODE CHAR (8) NO DEFAULT
,ServerclassNAME CHAR (15) NO DEFAULT =XMA_SFGMVSTATETBL
,FILEBEGIN_GMT CHAR (26) NO DEFAULT record in the file
,FILEBEGIN_LCT CHAR (26) NO DEFAULT record in the file
,RECORDBEGINGMTTSTMP LARGEINT SIGNED NO DEFAULT record in this range in timestamp format
,RECORDENDGMT
B11: BASE24 Parameter Table
As of release 1.90 of XYGATE Merged Audit this table will not be used. The data will be stored in the PARAMS table. When upgrading from a prior release, the data in the individual product tables will be converted and placed in the PARAMS table.
-- number of records processed from this file
,SESSIONTBLINSCOUNT LARGEINT SIGNED NO DEFAULT NOT NULL -- number of session table inserts done while processing records from
,AUDITTBLINSCOUNT LARGEINT SIGNED NO DEFAULT NOT NULL -- number of audit table inserts done while processing records from the
,AUDITFILENAME VARCHAR(40) NO DEFAULT NOT NULL -- Name of the audit trail enscribe file
,CURRENTFILESTATUS VARCHAR(256) NO DEFAULT NOT NULL -
B13: TCP/IP Syslog Tables
This table is read by the SLSENDER program.
B16: HLR State Tables
The HLR MOVERs utilize the two tables below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.
,FILEBEGIN_LCT CHAR(26) NO DEFAULT -- yyyy-mm-dd hh:nn:ss.
B17: iTP Secure WebServer MOVER Table
This table contains an entry for each iTP MOVER Serverclass.
B18: iTP Secure WebServer State Table
The iTP MOVERs utilize the table below to track the current audit file and the date of the last record within the file that has been processed. This prevents the creation of duplicates. It also allows the MOVERs to “catch-up” if they have to be stopped and restarted.
B19: ARCHIVE Tables
There are two tables that are used to support the Archive process. The ARCHIVES Table tracks the status of all existing Archive sets. The ARCHIVE LOG Table contains audit data related to archive processing such as record counts. When an Archive set is deleted, the record for that ARCHIVEID will be deleted from the ARCHIVES Table. The deletion of the Archive set will be logged to the ARCHIVE LOG Table.
B20: PARAMS Table
As of release 1.90 of XMA, all the Serverclasses share the PARAMS Table.
Appendix C: Data Tables
The data tables contain the audit data extracted from the XYGATE products, SAFEGUARD, and MEASURE. These tables also contain audit information from XMA processing.
C1: File Partitioning
Starting with XMA version 1.23, the AUDIT SESSION table and AUDIT DETAIL table now have a key that better lends itself to partitioning. The PARTITION key is the first column in the AUDIT SESSION table and AUDIT DETAIL table.
C3: Audit Installation Table =XMA_AUDINSTALLTBL
This table is a cross-reference of PRODUCTCODE to PRODUCT INSTALLATION information. It is used to help identify the source installation for the data in the Audit Session Table.
C4: Audit Session Table =XMA_AUDSESSIONTBL
The AUDIT SESSION TABLE ties together groups of records from a specific product and session. You will have one record in this table for each group of one or more records in the Audit Detail Table.
C5: Audit Detail Table =XMA_AUDITDETAILTBL
These are the detail records within a particular session. There will be one or more related records tied together by an entry in the AUDIT SESSION TABLE.
-- Error codes, event codes, product specific codes
-- Used to determine value in outcome
, RULENAME VARCHAR (50) DEFAULT NULL -- Name of the rule used
, RESULT VARCHAR (256) DEFAULT NULL -- Details about what happened
,USER_DATA VARCHAR(16) DEFAULT NULL -- reserved for future use
, PRIMARY KEY (PARTITIONKEY,RECORDGMT,GMTSEQNO)
Appendix D: Sample Filters
This Appendix provides some typical Filters.
D1: Filter out $CMON’s “I’m Alive” Messages
Because $CMON runs in the background, it periodically writes a message to its audit. Users frequently filter this message out of the XMA database. What makes these audit events unique is the OPERATION, so that is the only DATA selection criteria required.
Example 1:
FILTERDEFBEGIN $IGNORE.XCM.
D2: Filter out XPC STATUS Commands
Example 2 filters out XPC status commands because generally anyone can status any process and it is not a security risk and generates a lot of audit. What makes these audit events unique is the audit record type, which is recorded in the MESSAGEID column. Refer to the XYGATE Process Control (XPC) Reference Manual for more information.
D3: Filter out Safeguard reading its own user database
Example 3 filters out the audits of Safeguard itself reading the "USER and LUSER" files. Safeguard reads these files while ruling on every file access and every logon, which generates a lot of audit that is not useful. What makes these events unique is the combination of the MOVER, the OPERATION, and the subject userid.
D4: Filter out Safeguard No Record
Example 4 filters out the Safeguard access events with a result of No Record, which are indicated by the OUTCOME = 2. That is all the DATA selection criteria required. What makes these events unique is the combination of the MOVER and the OUTCOME.
D5: Filter out XOS No Record
Example 5 filters out the XOS access events with a result of No Record, which are indicated by the OUTCOME = 2. That is all the DATA selection criteria required. If you are using both Safeguard and XOS to protect files on your system, you could combine these two Filters by adding a second MOVER paragraph: one for Safeguard and one for XOS.
D6: Filter out XOS What-if tests
Example 6 filters out the XOS audit records generated by “What-if” testing. What makes these events unique is the TESTMODE column, which contains a Y(es) for What-if queries and a N(o) for actual rulings. That is all the DATA selection criteria required.
D7: Alert for SUPER.SUPER’s password change via XPQ
Example 7 generates an email alert whenever SUPER.SUPER’s password is changed using XPQ. What makes these events unique is the combination of the MOVER and the target user name. You could also use the AUDIT.OBJECTNAME column, in which case you would use: AUDIT.OBJECTNAME CONTAINS "SUPER.SUPER". Remember, the OBJECTNAME column contains both the userid and the user name.
D8: Alert when someone logs directly on as SUPER.SUPER
Example 8 generates an EMS message whenever anyone logs on directly as SUPER.SUPER. What makes these events unique is the target userid and the operation. As is, this Filter will capture all logons to SUPER.SUPER. If you only wanted to be alerted if someone logged on to SUPER.SUPER from a "not logged on TACL", you could comment out the SUBJECT_USERNUMBER lines.
D9: Alert for XAC command containing "-255"
Example 9 generates an EMS message whenever someone invokes an XAC COMMAND that contains the characters "-255". The EMS message will display the user’s logon name and the XAC command they invoked.
D10: Selecting security-related BASE24 EMS events
The security-related BASE24 EMS messages have "ACI.XPSNCP" as the first part of the SSID. These are the EMS messages generated by NCPCOM. The SSID is placed in the AUDIT.OBJECTNAME column. Use this to select security-related BASE24 events in Filters and reports. To capture the initialization of BASE24 audit logs, you should also look for EMS events with an SSID of "ACI.LOGDATER".
D11: Selecting CLIM events
CLIM Audits are forwarded to an EMS Collector on the NonStop named $ZCLA. The SSID for these records is TANDEM.CIP.H03.
FILTERDEFBEGIN $CLIM-EVENTS
!= CLIM Events are sent to a collector
!= name $ZCLA on the NonStop
STATUS ACTIVE ! $CLIM-EVENTS
MOVER_BEGIN
MOVER_SELECT_BEGIN
PRODUCT = EMS
MOVER_SELECT_END
MOVER_END
DATA_BEGIN
DATA_SELECT_BEGIN
FILTERTYPE STRINGFILTER
Audit.objecttype LIKE ".*TANDEM.CIP.*"
audit.
Appendix E: XMA Host Macros
A set of macros is supplied with the XMA host software. The XMA macro is used to attach the XMA_SEG TACL segment that contains all the XMA macros.
Syntax: RUN <\NODE>.<$vol>..XMA INSTALL
Example: RUN \NODE1.$SYSTEM.XYGATEMA.XMA INSTALL
XMA INSTALL attaches the XMA_SEG TACL segment to the user’s TACL. If the user already has the XMA_SEG TACL segment installed, it has no other effect.
E2: ARCMAC
The macro ARCMAC has been provided so that the Archive process can be run automatically at an interval you determine. A sample macro file named ARCMAC has been placed in your XMA subvolume to help you use this macro.
PROCESS TYPE has 3 options: -, *, and #####
- (dash) Creates a new set of Archive Tables.
* (asterisk) Indicates that all stopped (incomplete) archive processes should be restarted.
E3: CLEANDB
The CLEANDB macro runs the database cleanup program at a regularly scheduled interval. Unlike the ARCHIVE process, CLEANDB deletes records from the AUDIT SESSION and AUDIT DETAIL tables but it does not create ARCHIVE Tables. A sample macro file named CLEANMAC has been placed in your XMA subvolume to help you use the CLEANDB macro.
In this Example the start date is set to a date well in the past to pick up any “stray” records that might remain in the XMA database from long-running sessions. For the end date a value of 60 is specified, which from October 5, 2004 is calculated to be August 6, 2004. This removes all data older than 60 days from the database.
CATALOG .XMACAT
-- EXTENT
-- MAXEXTENTS
?Section auddetail
ALTER TABLE =XMA_AUDITDETAILTBL
  ADD PARTITION .XMADAT.AUDDET FIRST KEY 1
  WITH DATA MOVEMENT CATALOG .XMACAT
  -- EXTENT
  -- MAXEXTENTS
;
ALTER TABLE =XMA_AUDITDETAILTBL
  ADD PARTITION .XMADAT.AUDDET FIRST KEY 2
  WITH DATA MOVEMENT CATALOG .
E7: UPDSTAT
This macro performs the update statistics function for your XMA SQL tables. Use this macro to run a regularly scheduled update via Netbatch. You do not have to make any changes to this file.
Sample UPDSTAT File
== routine to update statistics from a batch file
?tacl routine
#frame
[#if [#variableinfo /existence/ :XMA_seg]
|then| == do not attach, already present
|else|[#if [#fileinfo /existence/ $SECURE.XYGATEMA.
E8: XMA_AUDIT_REPORT
XMA_AUDIT_REPORT is invoked by the XMA_REPORT macro described in Chapter 4. It generates an SQLCI report using the criteria selected with the Report Selection Pane. The XYGATE Configuration and Audit Reporting manual provides more information for these selection criteria. Refer to the chapter “XYGATE Audit Report Manager (XRM)” and look in the section “Design a Report.
object-type: All or part of a valid Safeguard object type or * for all.
object-name: All or part of a valid object name or * for all.
outcome: ALL, SUCCESS, FAILURE, NORECORD.
audit-file-name: Location of your XMA tables ($volume.subvol).
output-filename: Spooler location and report name; for example: $S.#XYGATE.XMAREP
sort-type: USER, LOGIN NAME, OBJECT, TIME.
operation: A valid operation or * for all.
• The report is sorted by TIME
• All (*) operations
• Debug is set to off (0)
• All (*) rulenames
• All (*) product codes will be included
• All alert types (ALL)
• All (*) results will be included
• All (*) message codes will be included
• All (*) message ids will be included
If desired, you can use the TACL ampersand ( & ) to separate command lines for legibility.
E9: XMA_COMPILE_FILTERS
The XMA_COMPILE_FILTERS macro runs the FILTCOMP program which reads in the FILTERS file and outputs MACONFB, the compiled FILTERS file.
SYNTAX XMA_COMPILE_FILTERS
EXAMPLE
105>XMA_compile_filters
Compiling \PROD.$SEC.XYGATEMA.FILTERS file in \PROD ...
XYGATE Merged Audit 2.10 (c) 1999-2012 XYPRO XYPRO Technology \PROD
Segment base address: 236650496
Segment size: 102400000
FILTERS CHECKSUM 1279280475 (\PROD.$SEC.
E10: XMA_DATETIME_MAKE
The XMA_DATETIME_MAKE macro will calculate a date in the past equal to the number of days entered. This macro can be used to calculate dates and create date ranges to include in a customized XMA report. For example, if you enter 7, the macro will calculate the date seven days prior to the current date. An entry of 30 or 31 would be one month into the past. You can enter up to 3000 days in the past.
The Letter T denotes TODAY. The following example will generate a report for the current day.
Example:
?tacl macro
#frame
[#push t_t1 ]
xma_datetime_make t
#set t_t1 [xma_dt_year4]-[xma_dt_month]-[xma_dt_day] 00:00
xma_datetime_make t
#set t_t1 [t_t1] [xma_dt_year4]-[xma_dt_month]-[xma_dt_day] 23:59
[xma_audit_report [t_t1] == date range
*.* == user
== login name
== terminal
== system
== objecttype
== object name
ALL == outcome
$DATA.
E12: XMA_EDIT_FILTERS
The XMA_EDIT_FILTERS macro allows the user to edit a duplicate copy of the FILTERS file and then load it into production.
Syntax XMA_EDIT_FILTERS
Example XMA_EDIT_FILTERS
$SECURE XYGATEMA 16> xma_edit_FILTERs
This file edits the current XYGATE-ACCESS-CONTROL access control list. It will create a file named $SYSTEM.XYGATEMA.NEWFILT from the current $SYSTEM.XYGATEMA.FILTERS file. These are your old $SYSTEM.XYGATEMA.
Note: A MOVER Serverclass reads in the FILTERS file at start-up time. If a syntax error is encountered when the MOVER Serverclass object is in the process of starting, an error message is displayed and the MOVER Serverclass will ABEND. After updating your FILTERS file, there is no need to stop and restart the server processes.
In Example 3 below the filename oldflt0 was specified. In this case an error was found on line 16. OVER_BEGIN should have been MOVER_BEGIN. Once this is corrected, line 16 and the associated lines 17 through 20 will no longer be displayed as an error. This is because the keywords MOVER_END and MOVER_BEGIN define a set of MOVER selection criteria.
E14: XMA_INSTALL_LICENSE
The XMA_INSTALL_LICENSE macro allows the XMA security administrator to check on a newly received license file and optionally load it to P28F001 on the volume and subvolume where XMA is installed. If you choose to load the new license, XMA renames the current license file (at the red arrow below) out of the way and moves the new license into place.
E15: XMA_LOAD_DEFINES
The XMA_LOAD_DEFINES macro loads the DEFINES for your SQL Database.
Example Load Defines:
17> xma_load_defines
Adding MA DATABASE defines ...
Deleting MA DATABASE defines ...
E18: XMA_NETWORK_VERSION
The XMA_NETWORK_VERSION macro is a network version of the XMA_VERSION macro. When executed, XMA_NETWORK_VERSION will compare the programs in the main XMA subvolume against the programs on the remote nodes. The license files will also be checked. If expired licenses or out-of-sync modules are discovered, a message will be displayed.
E20: XMA_PWCOOL
Restart your XMA Pathway with the configuration it had when you last shut it down. Refer to XMA_PWCOLD above.
E21: XMA_PWSTOP
Freezes and stops your Serverclasses and stops the PATHMON process using the PATHCOM shutdown command. It also saves your Pathway configuration information in the PWSTATE file. The information in the PWSTATE file is used when restarting your Pathway.
Running $system.system.sqlcomp /in $SECURE.XYGATEMA.SFGMOVE, out $SECURE.XMADAT.DBOUT / catalog $SECURE.XMACAT
SQLComping EMSMOVE ..
Running $system.system.sqlcomp /in $SECURE.XYGATEMA.EMSMOVE, out $SECURE.XMADAT.DBOUT / catalog $SECURE.XMACAT
SQLComping XYGATEMA ..
Running $system.system.sqlcomp /in $SECURE.XYGATEMA.XYGATEMA, out $SECURE.XMADAT.DBOUT / catalog $SECURE.XMACAT
SQLComping ARCHIVE ..
Running $system.system.sqlcomp /in $SECURE.
E24: XMA_SYNTAX_CHECK
The syntax check macro will perform a syntax check on the FILTERS file if all three filenames are specified. If you do not specify any filenames, only the files called MACONF and MAACL will be examined. If you only want to check the FILTERS file, use the XMA_FILTERS_CHECK macro instead.
E25: XMA_UPDATE_FILTERS
The XMA_UPDATE_FILTERS macro installs the NEWFILT file into production by renaming the current FILTERS file to OLDFLT and renaming NEWFILT as FILTERS.
Syntax xma_update_FILTERs
In Example 1 below the XMA_UPDATE_FILTERS macro looks for the file NEWFILT. If it is present, the production FILTERS file is renamed to OLDFLT2, and the file NEWFILT is renamed to FILTERS.
E26: XMA_VERSION
The XMA_VERSION macro displays the version and license information for your XMA installation on the Master node. The macro XMA_NETWORK_VERSION described in Appendix E18: performs the same function for the remote (Child) nodes.
$SECURE XYGATEMA 3> xma_version
This is version 2.
E27: XMA_VOLUME
The XMA_VOLUME macro takes you to your XMA installation subvolume.
Appendix F: TCLEXC
The structures below are used when the DATAFILTERTYPE = MACROFILTER is specified. The data in this structure is also available for use when the ALERT option RUNCMD is specified. This information is contained in the file TCLEXC in your Parent XMA installation subvolume.
End;
== Definition MASESSION created on 05/09/2012 at 14:10
?Section MASESSION Struct
Begin
  STRUCT RECORDSESSIONKEY; BEGIN CHAR BYTE(0:25); END;
  STRUCT RECORDINSTALLKEY; BEGIN CHAR BYTE(0:25); END;
  STRUCT SESSIONID; BEGIN CHAR BYTE(0:35); END;
  CHAR FOUNDSESSIONSTART;
  CHAR FOUNDSESSIONEND;
  STRUCT IPADDRV46; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:45); END; End;
  STRUCT SESSIONNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL
  STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:49); END; End; End;
  STRUCT DNSNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:99); END; End; End;
  STRUCT CLIENTCURRDIR; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End;
End;
== Definition MAAUDIT created on 05/09/2012 at 14:10
?Section MAAUDIT Struct
Begin
  STRUCT RECORDGMT; BEGIN CHAR BYTE(0:25); END;
  STRUC
  Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End;
  STRUCT TARGET^USERNUMBER^MAJOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End;
  STRUCT TARGET^USERNUMBER^MINOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End;
  STRUCT SUBJECTLOGIN; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:39); END; End; End;
  STRUCT SUBJECTSYSTEM; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; S
  Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End;
  STRUCT OPERATION; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:127); END; End; End;
  STRUCT TERMINAL; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:63); END; End; End;
  STRUCT MESSAGEID; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:19); END; End; End;
  STRUCT MESSAGECODE; Begin INT INDICAT
  INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:255); END; End; End;
  STRUCT USER^DATA; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:15); END; End; End;
End;
== Definition TACLCMD created on 05/09/2012 at 14:10
?Section TACLCMD Struct
Begin
  STRUCT RUNMODE; BEGIN CHAR BYTE(0:9); END;
  STRUCT COMMAND; BEGIN CHAR BYTE(0:511); END;
  STRUCT PRODUCT; Begin
    STRUCT PRODUCTCODE; BEGIN CHAR BYTE(0:9); END;
    STRUCT PRODUCTNAME; Begin INT LE
    STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:99); END; End; End;
  End;
  STRUCT SESSION; Begin
    STRUCT RECORDSESSIONKEY; BEGIN CHAR BYTE(0:25); END;
    STRUCT RECORDINSTALLKEY; BEGIN CHAR BYTE(0:25); END;
    STRUCT SESSIONID; BEGIN CHAR BYTE(0:35); END;
    CHAR FOUNDSESSIONSTART;
    CHAR FOUNDSESSIONEND;
    STRUCT IPADDRV46; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:45); END; End;
    STRUCT SESSIONNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LE
    BEGIN CHAR BYTE(0:49); END; End; End;
    STRUCT ANCESTORPROCESSTHREADID; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:49); END; End; End;
    STRUCT DNSNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:99); END; End; End;
    STRUCT CLIENTCURRDIR; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End;
  End;
  STRUCT AUDIT; Begin
    STRUCT RECORDGMT; BEGIN
XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT SUBJECT^USERNUMBER^MINOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT TARGET^USERNUMBER^MAJOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT TARGET^USERNUMBER^MINOR; Begin INT INDICATOR; STRUCT VALU; BEGIN CHAR BYTE(0:7); END; End; STRUCT SUBJECTLOGIN; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0
XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC End; STRUCT OBJECTNAME; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:199); END; End; End; STRUCT OPERATION; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:127); END; End; End; STRUCT TERMINAL; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:63); END; End; End; STRUCT MESSAGEID; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0
XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC STRUCT RESULT; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:255); END; End; End; STRUCT USER^DATA; Begin INT INDICATOR; STRUCT VALU; Begin INT LEN; STRUCT VAL; BEGIN CHAR BYTE(0:15); END; End; End; End; End; == Definition TACLRSP created on 05/09/2012 at 14:10 ?Section TACLRSP Struct Begin STRUCT EYECATCHER; BEGIN CHAR BYTE(0:9); END; STRUCT RESULT; BEGIN CHAR BYTE(0:9); END; STRUCT DIAGNOSTICS; BEGIN CHAR BYTE(0:511
XYGATE Merged Audit® Reference Manual Appendix F: TCLEXC XYPRO Technology Corporation 238 Proprietary and Confidential
Appendix G: Data Mapping

Data Selection Criteria is used to select audit events based on the contents of the normalized audit data record. Every column that is utilized for a given target product is available for generating an ACTION in a Filter. Data selection criteria is based entirely on the product whose audit trail the MOVER is reading.
G1: General Notes on Data Mapping Columns

These notes apply to all of the products. Notes unique to a particular product’s audit trail are included with the product’s data mapping tables.

General Note 1
The value in the PARTITIONKEY column of both the Audit Detail (AUDDET) and Audit Session (AUDSESS) tables is assigned during processing. If AUDDET and AUDSESS are not partitioned, the partition key is set to a value of 2.
General Note 4
The ALERTED column contains one of the following values:
A  ALERT issued.
B  Blocked: the record was eligible for an ALERT, but the parameter BLOCKALERTS is set to TRUE (refer to section 6.9, “MOVER Parameters” on page 129 for more information).
G2: Column Descriptions

This table shows the contents of the columns. Refer to the individual product tables for the product-specific details.

Column                    Type         Description
SESSION.RECORDSESSIONKEY  timestamp    Unique timestamp created when the first session row is inserted into the XMA database.
SESSION.RECORDINSTALLKEY  timestamp    Links to INSTALL.RECORDINSTALLKEY.
SESSION.
INSTALL.IPADDRV46         Char 46      IP address of the NonStop server node where the product (XAC, SFG, etc.) that generated the event is running (therefore, the node where the event occurred).
INSTALL.SYSTEMNAME        Varchar 64   The NonStop server node where the product that generated the event is running.
INSTALL.LOCATION          Varchar 200  The installation subvolume of the product (XAC, B24, etc.
AUDIT.ALERTED             Char 1       One character indicating whether or not XMA generated an alert when it processed the event. See General Note 4 on page 241.
AUDIT.PRODUCTCODE         varchar 10   The product (XAC, SFG, etc.) that generated the audit record (links to INSTALL.PRODUCTCODE).
AUDIT.
G3: How to Use the Data Mapping Tables

The following illustration is a “key” to interpreting the data mapping for all the different sources of data that go into the XMA database. For example, if you are looking at the SAFEGUARD data mapping, this illustration will help you understand how to interpret the information provided.
G4: BASE24 Data Mapping

BASE24 Audit Detail Table
Column        Type       Record Contents
PARTITIONKEY  numeric 4  MOVER Generated. See General Note 1, pg 240.
RECORDGMT                See General Note 2.

BASE24 Note 1
The OBJECTNAME for files is determined by matching the numeric value in the audit log to the description in the OMFOBJT file found in the XYGATEMA subvolume. If you have customized your OMFOBJT file, you should replace the file in the XYGATEMA subvolume with a copy of your file.

BASE24 Note 4
When OBJECTTYPE = USER and OPERATION = CHANGE, the record represents a change to the SEC file.

G5: BASE24-eps Data Mapping

BASE24-eps Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  AudtEntryTm
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9
OUTCOME                      See General Note 3.
Mapping Notes

File Structure: The UALOGD file contains records that consist of two parts. The first part is a fixed-length area containing fixed-length fields. The second part is a large buffer containing data in XML format. Information is extracted from this data and used to populate columns in the XMA database. The data mapping notes below include the appropriate XML tags.
Operation = Update:
  AUDDET.RESULT  Column name changed from before value to after value
  Example: Column: pin_chg_dat changed from 6C to 00

Operation = Delete:
  AUDDET.RESULT  Column name value
  Example: Column encrypt_chk_values E50668

AUDDET.

BASE24-eps Audit Session Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
RECORDINSTALLKEY  timestamp  MOVER Generated
SESSIONID         char 36    See BASE24-eps Note 7.

Reference: BASE24-eps Audit Log Record
(field names in record order; the field types appear separately below)
audit. FILE is ualogd KEY-SEQUENCED.
  02 seq1
  02 seq2
  02 PRIKEY.
    03 UserID
    03 AudtEntryTm
    03 AudtEntryId
    03 AudtEntrySeqNum
    03 AudtSeqNum
    03 AudtEntryTm1
  02 UserID1
  02 AudtEntryId1
  02 seq3
  02 seq4
  02 Datasrc
  02 AudtEntryType
  02 SrvcID
  02 Flag
  02 AppIdFnd
  02 AudtEntryDetl
Types in the layout: BINARY 16. BINARY 16. PIC X(50). BINARY 16 OCCURS 4 TIMES. PIC X(20). BINARY 16. BINARY 16.
G6: HLR Data Mapping

HLR Audit Detail Table
Column        Type         Record Contents
PARTITIONKEY  numeric 4    MOVER Generated. See General Note 1, pg 240.
RECORDGMT     timestamp    MOVER Generated (the GMT time equivalent of AUDIT.RECORDLCT). See General Note 2.
GMTSEQNO      char 2       MOVER Generated
RECORDLCT     timestamp    Date-time (the local time that the audit event occurred, as recorded in the HLR audit trail).
OPERATION     varchar 128  The DPA Command (Activity): ADD, READ, DELETE, UPDATE, CHANGEKEY, LOGON, LOGOFF, GETSESSIONINFO.
TERMINAL      varchar 64
MESSAGEID     varchar 20   The DPA Target:Name, which indicates the subtype of object being changed: USERID, MKEY, KEY. See HLR Note 1.
MESSAGECODE   varchar 20   The DPA ResultCode, or the message; see HLR Notes 2 and 6.
HLR Note 1 – DPA Entity-Type
The entity being manipulated. The most common values are: USER, GSUB, SIM, or CGSUB.

Processing Based on Entity Type:

Entity-Type = USER (indicates a logon, logoff, or a change to a DPA userid)
DPA Identifier  Value   Notes                             XMA Column
EntityType=     USER    Entity type being manipulated     AUDIT.OBJECTTYPE
Name=           USERID  Type of object being manipulated  AUDIT.

Entity-Type = GSUB, CGSUB, or SIM (indicates that a cell phone account is being manipulated)
DPA Identifier  Value             Notes                                                XMA Column
EntityType=     GSUB, SIM, CGSUB  Entity type being manipulated                        AUDIT.OBJECTTYPE
Name=           KEY               Type of object being manipulated                     AUDIT.MESSAGEID
User=                             Indicates the DPA userid that is making the change.  AUDIT.SUBJECTLOGIN
Command=        DPA Command       Operation performed                                  AUDIT.

HLR Note 2 – DPA Message
The DPA "Messages" are error messages and are only present when the DPA ResultCode equals –1. The HLR MOVER processes messages as shown in the following table:
DPA Identifier  Value                   Notes                                         XMA Column
Message=        Domain=                 The “part” of the record that got the error
                Id=                     The error number
                =                       Error description                             AUDIT.RESULT
                                        The word "TEXT"                               AUDIT.RULENAME
ResultCode=     –1 = fail, 0 = success                                                AUDIT.
HLR Note 5 – "Select-Params"
The Select Params are:
• ALT-IMSI-DIGITS
• GSM-O-CSI-ACTIVE
• ECMN-SMS-CSI-ACTIVE
• CLIR-AUTH
• CLIP-ACT
When any of the select-params are present in an audit record:
• A new row is created that includes only the select param(s) and their values (0 or 1) as a comma-separated list.
• This "special" row will have the word "FLAG" placed in the AUDIT.RULENAME column.

HLR Note 7
The entry in the AUDIT.RULENAME column indicates the type of data in the AUDIT.RESULT column for the record.
AUDIT.RULENAME  AUDIT.RESULT
TEXT            Error description
PARAM           Property string
FLAG            Sensitive param(s) only

HLR Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.
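HLR Notes 2, 5 and 7 together define how the HLR MOVER pairs AUDIT.RULENAME with what it stores in AUDIT.RESULT, and why a reviewer can isolate changes to the sensitive subscriber flags by selecting RULENAME = FLAG. The following Python is an added example written for this page, not XYPRO code: it models those rules on an already-parsed DPA entry. The entry layout (a dict keyed by the DPA identifiers named in HLR Notes 1 and 2, plus an assumed "Params" dict of changed parameters), the exact text of the PARAM property string, and the OUTCOME values 1 and 3 are assumptions; the manual gives none of them.

```python
"""Added example (not XYPRO code): HLR Notes 2, 5 and 7 as a normalizer.

Input is one parsed DPA audit entry as a dict keyed by the DPA identifiers the
notes name (EntityType, Name, User, Command, ResultCode, Message). The "Params"
dict holding the changed subscriber parameters is an assumed shape; the manual
does not give the parameter layout.
"""

# HLR Note 5: the Select-Params, which the MOVER isolates into their own row.
SELECT_PARAMS = ("ALT-IMSI-DIGITS", "GSM-O-CSI-ACTIVE", "ECMN-SMS-CSI-ACTIVE",
                 "CLIR-AUTH", "CLIP-ACT")


def _flag_list(flags):
    """Render select-param values as 'NAME=0,NAME=1'; the note allows only 0 or 1."""
    parts = []
    for name, value in flags:
        if str(value) not in ("0", "1"):
            raise ValueError(f"{name}: select-param value must be 0 or 1, got {value!r}")
        parts.append(f"{name}={value}")
    return ",".join(parts)


def normalize_hlr(entry):
    """Return the XMA AUDIT rows (dicts) produced for one DPA audit entry."""
    result_code = int(entry.get("ResultCode", 0))
    base = {
        "OBJECTTYPE": entry.get("EntityType"),   # HLR Note 1
        "MESSAGEID": entry.get("Name"),          # HLR Note 1
        "SUBJECTLOGIN": entry.get("User"),       # HLR Note 1
        "OPERATION": entry.get("Command"),       # HLR Note 1
        "MESSAGECODE": str(result_code),         # DPA ResultCode
        # Assumed: -1 (fail) -> OUTCOME 3, 0 (success) -> OUTCOME 1, matching the
        # 1 = Success / 3 = Fail convention used in the other products' notes.
        "OUTCOME": "3" if result_code == -1 else "1",
    }
    rows = []

    # HLR Note 2: a DPA Message is only present when ResultCode is -1; its error
    # description goes to RESULT with RULENAME "TEXT".
    message = entry.get("Message")
    if result_code == -1 and message:
        rows.append(dict(base, RULENAME="TEXT", RESULT=message["Text"]))

    # HLR Note 5: split the select-params away from the other parameters.
    params = dict(entry.get("Params", {}))
    flags = [(name, params.pop(name)) for name in SELECT_PARAMS if name in params]
    if params:  # HLR Note 7: PARAM row carries the property string (format assumed)
        rows.append(dict(base, RULENAME="PARAM",
                         RESULT=",".join(f"{k}={v}" for k, v in params.items())))
    if flags:   # HLR Notes 5 and 7: the "special" FLAG row holds the sensitive params only
        rows.append(dict(base, RULENAME="FLAG", RESULT=_flag_list(flags)))

    if not rows:  # e.g. a successful LOGOFF carries neither a message nor parameters
        rows.append(dict(base, RULENAME="", RESULT=""))
    return rows


def sensitive_flag_changes(rows):
    """Data selection on the normalized rows: only the FLAG rows (HLR Note 7)."""
    return [r for r in rows if r["RULENAME"] == "FLAG"]


# Constructed sample entries (not taken from any real DPA audit trail).
SAMPLE_ENTRIES = [
    {"EntityType": "GSUB", "Name": "KEY", "User": "OPER01", "Command": "UPDATE",
     "ResultCode": 0,
     "Params": {"MSISDN": "15551234567", "CLIP-ACT": "0", "CLIR-AUTH": "1"}},
    {"EntityType": "USER", "Name": "USERID", "User": "OPER02", "Command": "LOGON",
     "ResultCode": -1,
     "Message": {"Domain": "AUTH", "Id": "17", "Text": "invalid password"}},
    {"EntityType": "USER", "Name": "USERID", "User": "OPER01", "Command": "LOGOFF",
     "ResultCode": 0},
]


def normalize_all(entries=SAMPLE_ENTRIES):
    rows = []
    for entry in entries:
        rows.extend(normalize_hlr(entry))
    return rows


if __name__ == "__main__":
    for row in normalize_all():
        print(row["OPERATION"], row["OUTCOME"], row["RULENAME"] or "-", row["RESULT"])
```

The FLAG row is emitted in SELECT_PARAMS order regardless of the order the parameters arrived in, so a Filter on AUDIT.RESULT sees a stable string; a select-param value other than 0 or 1 is rejected rather than written, because a row that claims to hold only flags must not silently carry arbitrary text.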
G7: EMS Data Mapping

EMS Audit Detail Table
Column        Type        Record Contents
PARTITIONKEY  numeric(4)  MOVER Generated. See General Note 1, pg 240.
RECORDGMT                 See General Note 2.

EMS Note 1
A) For SUBJECT_USERNUMBER_MAJOR and SUBJECT_USERNUMBER_MINOR:
1. If ZEMS_TKN_PROC_DESC is equal to ZEMS_TKN_XSENDERID_PD in the event, then the generator of the event is the same as the reporter of the event, and ZEMS_TKN_USERID will be used.
2.

EMS Note 4
The CLIENTPROGRAM column is updated based on the value of the parameter EMSSENDERPROCESSLOOKUP:
• EMSSENDERPROCESSLOOKUP = None: the MOVER does not look up the client program, so CLIENTPROGRAM will be "NULL".
• EMSSENDERPROCESSLOOKUP = ALL: the MOVER looks up the client program and updates the column.

Special Processing for BASE24 EMS Audits
The EMS MOVER parses messages from BASE24 differently:
Table and Column    EMS MOVER
AUDIT.PRODUCTCODE   Fill in the text "BASE24 EMS"
AUDIT.SUBJECTLOGIN  Base24 username or user number
AUDIT.TARGETLOGIN   Contents of the Base24 ID’s SEC record ALIAS field
AUDIT.OBJECTTYPE    OBJECTTYPE (e.g., PROCESS, DEVICE, STATION, LINK, etc.)
AUDIT.OBJECTNAME    For XPSNCPI = the object named in the RESULT.

Special Processing for ODBC/MX Audits
The SEQNO and OPERATION fields contain special values for SQL/MX records.
SEQNO
  000000000 denotes the beginning of the SQL/MX session
  999999999 denotes the end of the SQL/MX session
OPERATION
  The values in the OPERATION column vary depending on the ODBC/MX configuration.

Special Processing for CLIM
The EMS MOVER parses messages from CLIMs differently, as outlined in the following table:
TABLE.COLUMN
AUDIT.OBJECTTYPE   SSID
AUDIT.OPERATION    CLIM-ACCEPT-PUBKEY, CLIM-OPEN-SESSION, CLIM-CLOSE-SESSION, CLIM-DISCONNECT
AUDIT.MESSAGECODE  PORT
AUDIT.TERMINAL     Process + Terminal
AUDIT.RULENAME     CLIM name
SESSION.SESSIONID  Processed + timestamp
SESSION.

Special Processing for XYGATE SSH Encryption (SSH)
The EMS MOVER parses AUTHENTICATION messages from XSH as outlined in the following table.

G8: iTP Secure WebServer Mapping

iTP Secure WebServer Audit Detail Table
Column                   Type         Record Contents
PARTITIONKEY             numeric 4
RECORDGMT                timestamp    See General Note 2.
GMTSEQNO                 char 2       MOVER Generated
RECORDLCT                timestamp    time
RECORDAUDITKEY           timestamp    MOVER Generated
RECORDSESSIONKEY         timestamp    MOVER Generated
SEQNO                    char 9
OUTCOME                               See General Note 3.
FOUNDSESSIONSTART        char 1
FOUNDSESSIONEND          char 1
SESSIONNAME              varchar 40
PROCESSTHREADID          varchar 50
PROCESSTHREADID2         varchar 50
CLIENTPROGRAM            varchar 50
ANCESTORPROCESSTHREADID  varchar 50
IPADDRV46                char 46      Web client, if an IP address
DNSNAME                  varchar 100  Web client, if an FQDN
CLIENTCURRDIR            varchar 200

G9: Measure Data Mapping

MEASURE Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Creation time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     System Generated
OUTCOME                      See General Note 3.

MEASURE Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.
G11: Safeguard Data Mapping

Refer to Chapter 7, “Safeguard Selection Criteria” starting on page 135 for more information.

SAFEGUARD Audit Detail Table
Column        Type       Record Contents
PARTITIONKEY  numeric 4  See General Note 1, pg 240.
RECORDGMT                See General Note 2.

SFG Note 1
The data extracted from the SAFEGUARD audit logs is the same data extracted by XSR.

SFG Note 2
The SEQNO is set as follows:
• The primary record is assigned a sequence number of 1.
• Subsequent records are assigned a sequence number of 2.
• The actual value from the field rec-type is placed in the MESSAGEID column.
• Refer to section 7.4, “Safeguard MessageIDs” on page 141 for more information on Safeguard MESSAGEIDs.
G12: XYGATE Access Control (XAC) Data Mapping

XAC Audit Detail Table
Column        Type        Record Contents (XAC-I, XAC-O, XAC-E, XAC-C)
PARTITIONKEY  numeric(4)  MOVER Generated. See General Note 1, pg 240.
RECORDGMT                 See General Note 2.

XAC Note 1
For XAC, the MESSAGECODE column shows whether or not the XAC command was executed successfully. If the field is blank, the OUTCOME is converted to 1 (Success). If there is any text in the field (that is, any error/denial message), the OUTCOME is converted to 3 (Fail). The text of the message is placed in the RESULT column.

XAC Note 2
The RESULT column contains the text description associated with the value in the OUTCOME column.

G13: XYGATE Supported CMON (XCM) Data Mapping

XCM Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME           char 1     See General Note 3 and XCM Note 1.

XCM Note 1
For XCM, the possible MESSAGECODEs are:
• R" ", which translates to an OUTCOME of 1 (Success)
• D(eny), which translates to an OUTCOME of 3 (Fail)

XCM Note 2
The OBJECTTYPE and OBJECTNAME columns are updated based on the data in the OPERATION column (activity-type) in the XCM audit record, as shown in the table below.

XCM Note 3
For XCM, the OPERATION column shows the "Activity-type".

XCM Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.

G14: XYGATE Host Encryption (XHE) Data Mapping

XHE Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME           char 1     See General Note 3 and XHE Note 1.
XHE Note 1
For XHE, a MESSAGECODE of D(eny) or F(ail) translates to an OUTCOME of 3 (Fail). Otherwise, the OUTCOME is 1 (Success).

XHE Note 2
For XHE, the OBJECTTYPE will be "FILE", "USER", or "MISC". If the OBJECTTYPE is set to FILE, then the bytes-transferred:transfer-time are also included.
Example: FILE:000000003456:000000233

XHE Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.
G15: XYGATE Key Management (XKM) Data Mapping

XKM Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME           char 1     See General Note 3 and XKM Note 1.

XKM Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.

G16: XYGATE Process Control (XPC) Data Mapping

XPC Audit Detail Table
Column        Type       Record Contents (XPC-I, XPC-E, XPC-S, XPC-R†, XPC-D)
PARTITIONKEY  numeric 4  MOVER Generated. See General Note 1, pg 240.
RECORDGMT                See General Note 2.
XPC Note 1
For XPC, a MESSAGECODE of "deny" causes an OUTCOME of 3 (Fail). Otherwise, the OUTCOME is 1 (Success).

XPC Note 2 (applicable to XPC 3.55 and up)
For MESSAGEID = “XPC-R” the value is “XPC-REASON”; for MESSAGEID = “XPC-I”, “XPC-S”, and “XPC-E” the value is the contents of the field XPC-COMMAND.

XPC Note 3 (applicable to XPC 3.55 and up)
For MESSAGEID = “XPC-R” the value is the contents of the field XPC-COMMAND.
G17: XYGATE Password Quality (XPQ) Data Mapping

XPQ Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME           char 1     See General Note 3 and XPQ Note 1.

XPQ Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.

G18: XYGATE Object Security (XOS) Data Mapping

XOS Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME           char 1     See General Note 3 and XOS Note 1.

XOS Note 1
For XOS, the possible MESSAGECODEs are:
• 01 (Grant), which translates to an OUTCOME of 1 (Success)
• 02 (No Record), which translates to an OUTCOME of 2 (No Record)
• 03 (Denied), which translates to an OUTCOME of 3 (Fail)

XOS Note 2
For XOS, the OBJECTNAME can come from one of two fields:
• For Guardian objects, the Object-Name
• For OSS objects, the Oss-Pathname
If the Oss-Pathname is longer than 200 characters, the first 1

G19: XYGATE Safeguard Manager (XSM) Data Mapping

XSM Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME                      See General Note 3.

XSM Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.

G20: XYGATE Combined Spoolcom Peruse (XSP) Data Mapping

XSP Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time-data
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9
OUTCOME                      See General Note 3.

XSP Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.

G21: XYGATE Transaction Router (XTR) Data Mapping

XTR Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME           char 1     See General Note 3 and XTR Note 1.
XTR Note 1
XTR has four possible OUTCOME codes:
G(rant)    XTR granted the access based on rules defined in the TRACL file.
D(eny)     XTR denied the access based on rules defined in the TRACL file.
S(uccess)  A successful XTR operation carried out on behalf of one of the GUIs, such as running a macro or creating a file.
F(ail)     A failed XTR operation carried out on behalf of one of the GUIs, such as running a macro or creating a file.
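XAC Note 1, XCM Note 1, XHE Note 1, XPC Note 1, XOS Note 1 and XTR Note 1 each give a different product-specific MESSAGECODE encoding that the MOVER collapses into the single AUDIT.OUTCOME column, and it is that normalized column a Filter selects on. The Python below is an added example written for this page, not XYPRO code: one table-driven normalizer that applies each note's rule and refuses to map a code the notes do not cover, because an unknown code that silently became "Success" would hide a denial. The numeric OUTCOME values 1, 2 and 3 come from the notes themselves; the XTR mapping of G and S to 1 and D and F to 3 is an assumption, since XTR Note 1 names the codes without their numeric OUTCOMEs, and the sample records are constructed.

```python
"""Added example (not XYPRO code): the MESSAGECODE -> OUTCOME rules from XAC
Note 1, XCM Note 1, XHE Note 1, XPC Note 1, XOS Note 1 and XTR Note 1 as one
table-driven normalizer. OUTCOME values follow the notes (1 = Success, 2 = No
Record, 3 = Fail). XTR Note 1 gives G/D/S/F without numeric OUTCOMEs, so the
mapping G and S -> 1, D and F -> 3 is an assumption made here.
"""


class UnmappedMessageCode(ValueError):
    """A MESSAGECODE the notes do not cover. It is never silently mapped to Success."""


def _xac(code):
    # XAC Note 1: blank = command executed successfully; any text = fail.
    return "3" if code else "1"


def _xcm(code):
    # XCM Note 1: R" " -> 1 (Success), D(eny) -> 3 (Fail).
    return {"R": "1", "D": "3"}.get(code[:1].upper())


def _xhe(code):
    # XHE Note 1: D(eny) or F(ail) -> 3, otherwise 1.
    return "3" if code[:1].upper() in ("D", "F") else "1"


def _xpc(code):
    # XPC Note 1: "deny" -> 3, otherwise 1.
    return "3" if code.lower() == "deny" else "1"


def _xos(code):
    # XOS Note 1: 01 Grant -> 1, 02 No Record -> 2, 03 Denied -> 3.
    return {"01": "1", "02": "2", "03": "3"}.get(code)


def _xtr(code):
    # XTR Note 1: G(rant), D(eny), S(uccess), F(ail); numeric values assumed.
    return {"G": "1", "S": "1", "D": "3", "F": "3"}.get(code[:1].upper())


RULES = {"XAC": _xac, "XCM": _xcm, "XHE": _xhe, "XPC": _xpc, "XOS": _xos, "XTR": _xtr}


def outcome_for(productcode, messagecode):
    """Apply the product's rule; unknown products or codes raise rather than pass as 1."""
    code = (messagecode or "").strip()
    rule = RULES.get(productcode)
    if rule is None:
        raise UnmappedMessageCode(f"no OUTCOME rule for product {productcode!r}")
    outcome = rule(code)
    if outcome is None:
        raise UnmappedMessageCode(f"{productcode}: unexpected MESSAGECODE {code!r}")
    return outcome


def is_unmapped(productcode, messagecode):
    try:
        outcome_for(productcode, messagecode)
        return False
    except UnmappedMessageCode:
        return True


def normalize(record):
    """Fill AUDIT.OUTCOME (and, for XAC failures, AUDIT.RESULT) on one raw record."""
    row = dict(record)
    row["OUTCOME"] = outcome_for(record["PRODUCTCODE"], record.get("MESSAGECODE"))
    if record["PRODUCTCODE"] == "XAC" and row["OUTCOME"] == "3":
        row["RESULT"] = record["MESSAGECODE"].strip()   # XAC Note 1: message text -> RESULT
    return row


def normalize_all(records):
    return [normalize(r) for r in records]


def denied(rows):
    """Data selection on normalized rows: every failed (OUTCOME 3) event.
    OUTCOME 2 (XOS No Record) is deliberately not treated as a denial."""
    return [r for r in rows if r["OUTCOME"] == "3"]


# Constructed raw records (not taken from any real audit trail).
SAMPLE = [
    {"PRODUCTCODE": "XAC", "MESSAGECODE": "", "OPERATION": "FUP PURGE $DATA.PAY.MASTER"},
    {"PRODUCTCODE": "XAC", "MESSAGECODE": "ACCESS DENIED BY RULE", "OPERATION": "FUP PURGE $DATA.PAY.MASTER"},
    {"PRODUCTCODE": "XCM", "MESSAGECODE": "D", "OPERATION": "LOGON"},
    {"PRODUCTCODE": "XOS", "MESSAGECODE": "02", "OPERATION": "OPEN"},
    {"PRODUCTCODE": "XHE", "MESSAGECODE": "F", "OPERATION": "FILE"},
    {"PRODUCTCODE": "XPC", "MESSAGECODE": "DENY", "OPERATION": "RUN"},
    {"PRODUCTCODE": "XTR", "MESSAGECODE": "G", "OPERATION": "MACRO"},
]

if __name__ == "__main__":
    for row in normalize_all(SAMPLE):
        print(row["PRODUCTCODE"], row["OUTCOME"], row.get("RESULT", ""))
```

Products whose notes are not on this page (SFG, EMS, MEASURE and the others in the Column Usage Table) are intentionally absent from RULES, so a record from one of them raises instead of being guessed at.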
G22: XYGATE User Authentication (XUA) Data Mapping

XUA Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         char 26    Date-time-data
RECORDAUDITKEY               MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME                      See General Note 3.

XUA Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.

G23: XYGATE Compliance PRO (XSW) Data Mapping

XSW Audit Detail Table
Column            Type       Record Contents
PARTITIONKEY      numeric 4  See General Note 1, pg 240.
RECORDGMT         timestamp  See General Note 2.
GMTSEQNO          char 2     MOVER Generated
RECORDLCT         timestamp  Date-time-data
RECORDAUDITKEY    timestamp  MOVER Generated
RECORDSESSIONKEY  timestamp  MOVER Generated
SEQNO             char 9     Sequence-number
OUTCOME                      See General Note 3.

XSW Audit Session Table
Column        Type  Record Contents
PARTITIONKEY        See General Note 1, pg 240.

G24: Column Usage Table

The Column Usage Table shows, for each product MOVER (XAC-P06, XPC-P07, XCM-P08, XSP-P09, XPQ-P15, XOS-P19, XUA-P25, XSM-P26, XKM-P32, XHE-P39, XTR-P46, XSW-P44, BASE24, EMS, MEASURE, SFG), which columns of the Audit Detail and Audit Session tables are populated. The columns covered include PARTITIONKEY, RECORDGMT, GMTSEQNO, RECORDLCT, RECORDAUDITKEY, RECORDSESSIONKEY, SEQNO, OUTCOME, WARNINGMODE, TESTMODE, SEVERITY, ALERTED, PROD, CLIENTPROGRAM, ANCESTORPROCESSTHREADID, DNSNAME and CLIENTCURRDIR.
Key: X = column used by that MOVER; O = System or MOVER generated; blank = Not Applicable.
Glossary

This glossary provides explanations of the XMA components, including files and macros, as well as the keywords used in the MACONF and the FILTERS file.

ACTIONTYPE Filter Keyword
The ACTIONTYPE keyword determines the type of ALERT that will be generated when an event matching the selection criteria of the Filter is detected.
ALERTTARGET Filter Keyword
Filters with an ALERT ACTIONTYPE require the ALERTTARGET keyword to define where the EMS message should be sent. Most often it will be your EMS collector. If you choose to do so, you could send all the ALERTS for all the nodes on your network to a single, dedicated EMS collector located on the Parent node. In this case, enter the master node’s name. The default is \system.$0, where system is the node where the MOVER is running.
ALERTTOKENS Filter Keyword
This is a list of columns you wish to display from the AUDIT DETAIL TBL and AUDIT SESSION TBL. The default is all of the data from the AUDIT DETAIL TBL and AUDIT SESSION TBL.
Syntax:
  ALERTTOKENS
    <column>
    ...
    <column>
  ALERTTOKENSEND

APPMOVE Program
APPMOVE is the program that reads the iTP Secure WebServer audits.
Data Selection Criteria
Data Selection Criteria is used to select audit events based on the contents of the normalized data record. Every field that is utilized for a given target product is available for generating an ALERT or ACTION in a Filter. For example, if you wish to act on failed attempts to access files:
• Use the AUDIT.OUTCOME column to select audit records where this field indicates a denial.
• Use the AUDIT.

EMS Templates and Macros
The EMS Message Format Templates allow the output from ALERTS and program messages written to EMS to be tokenized and organized as desired by the customer. The following three files are supplied at installation to allow this customization:
EMSBUILD  A macro to build the template file based on the system templates and the EMSTEMP file.
EMSDDL    The DDL layout for the EMS messages.

FILTERS File
A file containing a set of rules used by the various MOVER Serverclasses while collecting audit and process ancestry data. These rules fall into two categories: (1) audit data that should not be inserted into the consolidated SQL Database, and (2) ALERTS, which are issued when events you specify are detected.

IPALERT Filter Keyword
The IPALERT ACTIONTYPE sends an ALERT message to a TCP/IP address or 'SYSLOG' console when an event matching the selection criteria of the Filter is detected. See also ALERTSTRING, IPALERT_ADDRESS, IPALERT_PORT, IPALERT_PREFIX and IPALERT_PROCESS.

IPALERT_ADDRESS Filter Keyword
Filters with an IPALERT ACTIONTYPE require the IPALERT_ADDRESS keyword to define the TCP/IP address where XMA will send the string meant for a SYSLOG.

MACONFB
MACONFB is the compiled version of the FILTERS file. It is created using the FILTCOMP program.

MAIL Filter Keyword
The MAIL ACTIONTYPE sends an email message when an event matching the selection criteria of the Filter is detected. See also MAIL_SRV, MAIL_PORT, MAIL_LOCAL_DOMAIN, MAIL_FROM, MAIL_TO, MAIL_SUBJECT and MAIL_BODY.
MAIL_LOCAL_DOMAIN Filter Keyword
Filters with a MAIL ACTIONTYPE can use the MAIL_LOCAL_DOMAIN keyword to define the mail domain. This keyword is optional for MAIL alerts. Some mail servers, such as LOTUS, require a local domain name; Microsoft Outlook does not. Consult your mail administrator for additional information.

MAIL_SRV Filter Keyword
Filters with a MAIL ACTIONTYPE require the MAIL_SRV keyword to define the name of the target mail server.
MAXACTIONRATE Filter Keyword
This keyword acts like an EMS throttle. It allows you to specify how often you want to receive notification if the same situation occurs. All the activity is still written to the XMA database; this field only controls the number of alerts generated. Omitting this parameter causes ALERTS and/or ACTIONS to occur for every eligible record, no matter how often the activity is occurring.
MAXCOMPLETIONTIME Filter Keyword
The MAXCOMPLETIONTIME keyword sets the time-out parameter for a RUNCMD ACTIONTYPE. If the processing specified within a RUNCMD block cannot be completed within the specified time period, an error message will be generated and processing will continue. The default value for this parameter is 300 seconds (5 minutes).

MOVERs
MOVERs are Serverclasses. They are processes that read the various product audit files and generate alerts and/or update the XMA database. There are three types of MOVERs:
1. Alert-Only, which only generate alerts. They do not update the XMA database.
2. Collect-Only, which only update the XMA database. They do not generate alerts.
3. Regular (combined Alert and Collect), which both generate alerts and update the XMA database.
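The Data Selection Criteria, FILTERS File, MAXACTIONRATE and MOVERs entries describe one pipeline: a MOVER reads normalized records, drops the ones a category-1 rule excludes from the database, raises an ALERT for the ones a category-2 rule matches, throttles repeated alerts from the same filter, and does only the collect half or only the alert half depending on its type. The Python below is an added example written for this page, not XYPRO code, that models that pipeline end to end so the throttle's effect on an alert burst is visible. The FILTERS file syntax is not reproduced (rules are plain Python objects), MAXACTIONRATE is modelled as a minimum number of seconds between two alerts from the same filter because the manual does not state its unit, and the records and filter names are constructed.

```python
"""Added example (not XYPRO code): how a MOVER applies the two categories of
FILTERS rules (records kept out of the database, and ALERTs) together with the
MAXACTIONRATE throttle, for each of the three MOVER types. The FILTERS file
syntax is not reproduced; rules are plain Python objects. MAXACTIONRATE is
modelled as a minimum number of seconds between two alerts from the same
filter, which is an assumption (the manual does not state its unit).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Filter:
    name: str
    match: dict                            # column -> required value; all must match
    action: str                            # "EXCLUDE" (category 1) or "ALERT" (category 2)
    maxactionrate: Optional[float] = None  # seconds between alerts (assumed unit)


def matches(flt, record):
    return all(record.get(col) == val for col, val in flt.match.items())


@dataclass
class Mover:
    filters: list
    mode: str = "REGULAR"                  # REGULAR, ALERT_ONLY or COLLECT_ONLY
    db: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    suppressed: int = 0
    last_alert: dict = field(default_factory=dict)   # filter name -> time of last alert

    def process(self, record, now):
        """Collect and/or alert on one normalized record seen at time `now`."""
        excluded = any(f.action == "EXCLUDE" and matches(f, record) for f in self.filters)
        if self.mode != "ALERT_ONLY" and not excluded:
            self.db.append(record)
        if self.mode == "COLLECT_ONLY":
            return
        for f in self.filters:
            if f.action != "ALERT" or not matches(f, record):
                continue
            last = self.last_alert.get(f.name)
            if (f.maxactionrate is not None and last is not None
                    and now - last < f.maxactionrate):
                self.suppressed += 1       # throttled: the record is still in the database
                continue
            self.last_alert[f.name] = now
            self.alerts.append((f.name, record))


FILTERS = [
    Filter("DROP_MEASURE", {"PRODUCTCODE": "MEASURE"}, "EXCLUDE"),
    Filter("XAC_DENIED", {"PRODUCTCODE": "XAC", "OUTCOME": "3"}, "ALERT", maxactionrate=60),
]

# Constructed (time_seen, record) pairs, not taken from any audit trail: a burst of
# five XAC denials from one user plus one MEASURE record.
SAMPLE = [
    (0,  {"PRODUCTCODE": "XAC", "OUTCOME": "3", "SUBJECTLOGIN": "OPS.BOB"}),
    (1,  {"PRODUCTCODE": "XAC", "OUTCOME": "3", "SUBJECTLOGIN": "OPS.BOB"}),
    (2,  {"PRODUCTCODE": "XAC", "OUTCOME": "3", "SUBJECTLOGIN": "OPS.BOB"}),
    (3,  {"PRODUCTCODE": "MEASURE", "OUTCOME": "1", "SUBJECTLOGIN": "SUPER.SUPER"}),
    (70, {"PRODUCTCODE": "XAC", "OUTCOME": "3", "SUBJECTLOGIN": "OPS.BOB"}),
    (71, {"PRODUCTCODE": "XAC", "OUTCOME": "3", "SUBJECTLOGIN": "OPS.BOB"}),
]


def run_sample(mode="REGULAR"):
    mover = Mover(FILTERS, mode)
    for seen_at, record in SAMPLE:
        mover.process(record, seen_at)
    return mover


if __name__ == "__main__":
    for mode in ("REGULAR", "ALERT_ONLY", "COLLECT_ONLY"):
        m = run_sample(mode)
        print(mode, "rows:", len(m.db), "alerts:", len(m.alerts), "suppressed:", m.suppressed)
```

Exclusion and alerting are evaluated independently, so a record that a category-1 rule keeps out of the database can still raise an ALERT, and a throttled record is still inserted; only the notification is suppressed, which is the behaviour the MAXACTIONRATE entry describes.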
PARSAMP Macro
This file contains sample SQLCI commands that can be used to partition your AUDIT SESSION and AUDIT DETAIL tables. Refer to Appendix E: “XMA Host Macros” starting on page 203 for more information.

PRODUCT MOVER Criteria Keyword
This keyword is used to specify the desired MOVER’s target product.

RUNCMD Filter Keyword
This ACTIONTYPE allows you to run custom processes. This would include any process which can be executed from TACL (non-block-mode). You should always set the MAXCOMPLETIONTIME for RUNCMD ACTIONTYPEs; otherwise, the MOVER may not move on to process subsequent audit records. All of the processing to take place must appear between the keywords RUNCMDDEFBEGIN and RUNCMDDEFEND.

SNMP TRAP Filter Keyword
Filters with an SNMP TRAP ACTIONTYPE send a message to the defined SNMP TRAP when an event matching the selection criteria of the Filter is detected. See also SNMP_TRAPDEST, SNMP_IPPROCESS, SNMP_TRAPNUMBER, SNMP_COMMUNITY, and SNMP_MESSAGE.

SNMP_TRAPDEST
Filters with an SNMP TRAP ACTIONTYPE require the SNMP_TRAPDEST keyword to define the IP address and PORT of the target SNMP process. The port number is optional.

SRCONF
The SRCONF file is used by the XYGATESR object. The SRCONF file contains the following keywords:
  USE_SUBJECTCREATOR [OFF|ON]
  !Monitor $S.#XSR.MONITOR
  !MonITOR_REPLY
  !DEBUG
  !CALL
The argument to the USE_SUBJECTCREATOR keyword is a value of ON or OFF. The default value for this keyword is OFF.

XMA (SQL) Database
A complete discussion of the SQL Database can be found in Appendix B: and Appendix C: for Database Tables and in Appendix G: for Data Mapping. On a high level, the XMA database consists of the following:
• Administrative Tables (Appendix B:) This set of tables contains configuration and process management information for the Serverclasses within the XMA Pathway.

XMA_COMPILE_FILTERS Macro
XMA_COMPILE_FILTERS uses the FILTCOMP program to create a pre-compiled version of the FILTERS file called MACONFB that is loaded by the MOVERs at startup time. The MACONFB file will be updated on all nodes.

XMA_DBVOLUME Macro
Once the XMA segment is attached, typing XMA_DBVOLUME will take you to the subvolume containing the XMA database tables. The default subvolume name is XMADAT.

XMA_LOAD_DEFINES Macro
Once the XMA segment is attached, typing XMA_LOAD_DEFINES will load the DEFINES for your SQL Database. Refer to Appendix E: “XMA Host Macros” starting on page 203 for more information.

XMA_MANAGER Macro
The XMA_MANAGER macro is the primary tool for configuring and maintaining the XMA Pathway. You will use it to create and manage MOVER Serverclasses, and to do database management.

XMA_REPORT Macro
Once the XMA segment is attached, typing XMA_REPORT will display a menu of selection criteria to help you generate SQL queries against the XMA database. The reports will be sent to the spooler.
Note: The XMA_REPORT Macro produces reports using the SQLCI Query and Report Writer functions. If you are not licensed for SQLCI in your installation, these macros are not available to you.

XYGATEMA
Object file for the process that does the syntax checking on the MACONF file.

XYGATESR
XYGATESR is the object file for the program that normalizes the Safeguard audit records in preparation for adding them to the XMA database. It has an associated program called SRLIB which must be licensed. The XYGATESR and SRLIB programs work in conjunction with the SFGMOVE program.
XYGATE Merged Audit® Reference Manual Glossary XYPRO Technology Corporation 324 Proprietary and Confidential
Index

XPC ........................................ 283
XPQ ........................................ 285
XSM ........................................ 289
XSP ........................................ 291
XTR ........................................ 293
XUA ........................................ 295

A
Administrative Tables ...................... 167
ALERTSTRING ............

AutoInstall, Running ....................... 6
Generate Reports ........................... 25
GUI/PC Products ............................ 23
MOVER Selection Keywords ................... 46
Running Automated Uninstall ................ 21
Using AutoInstall .......................... 1
Serverclass Naming Conventions ............. 111
Starting ................................... 220
Time Ranges ............

TCP/IP ..................................... 60
UDP ........................................ 58
SYSLOG Messages ............................ 81
SYSLOGQ .................................... 76
Filters Configuration ...................... 79

T
TCLEXC ..................................... 52, 65, 227
TMF-Related Parameters ..................... 133
Troubleshooting ..............