XYGATE Merged Audit Reference Manual
Table Of Contents
- Cover
- Copyright
- Publication History
- Contents
- Quick Reference for Common Tasks
- Introduction
- 1. Installing XMA
- 1.1 Before You Begin
- 1.2 Installing XMA Using the Automated Install Script
- 1.3 Installing the SIEM Log Adapter
- 1.4 Upgrading XMA or XTR Using the AutoInstall Script
- 1.5 Upgrade Considerations
- 1.6 Uninstalling XMA or XTR Using the Auto Uninstall Script
- 1.7 Managing the XYGATE License
- 1.8 Generate Reports Using XYGATE Report Manager (XRM)
- 2. Sending Data to Your ArcSight SIEM
- 3. Configuring Filters and the FILTERS File
- 3.1 How to Edit the FILTERS File
- 3.2 Filter Syntax
- 3.3 Building a Filter
- 3.3.1 Step 1. Name the Filter
- 3.3.2 Step 2. Set the Filter Status
- 3.3.3 Step 3: Set the EVALUATE_MSG Keyword
- 3.3.4 Step 4. Define the Filter’s Mover
- 3.3.5 Step 5. Define the Filter’s Data Selection Criteria
- 3.3.6 Step 6. Define the Filter’s Action
- 3.3.7 Step 7. Syntax Check and Compile Your FILTERS File
- 3.3.8 Step 8. Test Your Alerts
- 3.4 Variable Substitution Processing in the FILTERS File
- 3.5 Node-Conditional Processing in the FILTERS File
- 3.6 Determine the TCP/IP Process for Email, IPALERT, SNMP Alerts
- 3.7 Sending XMA Data to an Audit Logging Appliance
- 4. Generating Reports Using XRM
- 4.1 Generating Audit Reports Using XMA_REPORT
- 4.2 Select the Audit Subvolume
- 4.3 Select by Date and/or Time Range
- 4.4 Select by Subject Userid
- 4.5 Select by Subject Login Name(s)
- 4.6 Select by System
- 4.7 Select by Subject Terminal
- 4.8 Select Subject by Object Type
- 4.9 Select by Object Name
- 4.10 Select by Operation
- 4.11 Select By Outcome
- 4.12 Select the Output File’s Location
- 4.13 Select the Report’s Sort Order
- 4.14 Select by Rule Name
- 4.15 Select by XYGATE Product Code
- 4.16 Select by ALERTED Column
- 4.17 Select by Text in the Result Column
- 4.18 Select by Message Code
- 4.19 Select by Message ID
- 4.20 Run the Report
- 4.21 Running Reports from Archived Tables
- 5. Using XMA_MANAGER
- 6. Configuring MOVERs
- 7. Safeguard Selection Criteria
- 8. Maintaining the XMA Database
- 9. Troubleshooting
- A: The MACONF File
- B: Administrative Tables
- B1: XYGATE MOVER Configuration Tables
- B2: XYGATE MOVER State Tables
- B3: EMS MOVER Table =XMA__EMSMVTBL
- B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL
- B5: EMS MOVER State Table =XMA_EMSMVSTATETBL
- B6: MEASURE MOVER Tables
- B7: SAFEGUARD MOVER Table =XMA_SFGMVTBL
- B8: SAFEGUARD Parameter Table =XMA_SFGMVPARAMSTBL
- B9: SAFEGUARD MOVER State Tables
- B10: BASE24 MOVER Table
- B11: BASE24 Parameter Table
- B12: BASE24 State Tables
- B13: TCP/IP Syslog Tables
- B14: HLR MOVER TABLE
- B15: HLR Parameter Table
- B16: HLR State Tables
- B17: iTP Secure WebServer MOVER Table
- B18: iTP Secure WebServer State Table
- B19: ARCHIVE Tables
- B20: PARAMS Table
- B21: SESSIONOIP Table
- C: Data Tables
- D: Sample Filters
- D1: Filter out $CMON’s “I’m Alive” Messages
- D2: Filter out XPC STATUS Commands
- D3: Filter out Safeguard reading its own user database
- D4: Filter out Safeguard No Record
- D5: Filter out XOS No Record
- D6: Filter out XOS What-if tests
- D7: Alert for SUPER.SUPER’s password change via XPQ
- D8: Alert when someone logs directly on as SUPER.SUPER
- D9: Alert for XAC command containing "–255"
- D10: Selecting security-related BASE24 EMS events
- D11: Selecting CLIM events
- E: XMA Host Macros
- E1: ADELMAC
- E2: ARCMAC
- E3: CLEANDB
- E4: EMSBUILD
- E5: PARSAMP
- E6: REMFIN
- E7: UPDSTAT
- E8: XMA_AUDIT_REPORT
- E9: XMA_COMPILE_FILTERS
- E10: XMA_DATETIME_MAKE
- E11: XMA_DBVOLUME
- E12: XMA_EDIT_FILTERS
- E13: XMA_FILTERS_CHECK
- E14: XMA_INSTALL_LICENSE
- E15: XMA_LOAD_DEFINES
- E16: XMA_NETWORK_FILTERS_CHECK
- E17: XMA_NETWORK_LICENSE_INSTALL
- E18: XMA_NETWORK_VERSION
- E19: XMA_PWCOLD
- E20: XMA_PWCOOL
- E21: XMA_PWSTOP
- E22: XMA_PWVOLUME
- E23: XMA_SQLCOMPALL
- E24: XMA_SYNTAX_CHECK
- E25: XMA_UPDATE_FILTERS
- E26: XMA_VERSION
- E27: XMA_VOLUME
- F: TCLEXC
- G: Data Mapping
- G1: General Notes on Data Mapping Columns
- G2: Column Descriptions
- G3: How to Use the Data Mapping Tables
- G4: BASE24 Data Mapping
- G5: BASE24-eps Data Mapping
- G6: HLR Data Mapping
- G7: EMS Data Mapping
- G8: iTP Secure WebServer Mapping
- G9: Measure Data Mapping
- G11: Safeguard Data Mapping
- G12: XYGATE Access Control (XAC) Data Mapping
- G13: XYGATE Supported CMON (XCM) Data Mapping
- G14: XYGATE Host Encryption (XHE) Data Mapping
- G15: XYGATE Key Management (XKM) Data Mapping
- G16: XYGATE Process Control (XPC) Data Mapping
- G17: XYGATE Password Quality (XPQ) Data Mapping
- G18: XYGATE Object Security (XOS) Data Mapping
- G19: XYGATE Safeguard Manager (XSM) Data Mapping
- G20: XYGATE Combined Spoolcom Peruse Data Mapping (XSP)
- G21: XYGATE Transaction Router (XTR) Data Mapping
- G22: XYGATE User Authentication (XUA) Data Mapping
- G23: XYGATE Compliance PRO (XSW) Data Mapping
- G24: Column Usage Table
- Glossary
- Index
XYGATE Merged Audit
®
Reference Manual
Glossary
XYPRO Technology Corporation 305 Proprietary and Confidential
ALERTTOKENS Filter Keyword
This is a list of columns you wish to display from the AUDIT DETAIL TBL, and AUDIT
SESSION TBL.
The default is all of the data from the AUDIT DETAIL TBL and AUDIT SESSION TBL.
Syntax:
ALERTTOKENS <column>...< column > ALERTTOKENSEND
APPMOVE Program
APPMOVE is the program that reads the iTP Secure WebServer audits.
APXMLITP File
The APXMLITP File contains information that is used by the APPMOVE program to
process iTP Secure Webserver audits. This file must be accompanied by a signature
file.
ARCHIVE Macro
The ARCHIVE macro removes data from the active XMA SQL database and places
the information in a set of ARCHIVE tables. This process can be automated by
creating a batch job to kick off the macro. The ARCMAC file in the XYGATEMA
subvolume is a sample batch job that you can use as a template for creating your own.
See also ARCMAC File and Chapter 6, “Configuring MOVERs” starting on page 109
for more information.
ARCMAC File
ARCMAC is a sample ARCHIVE batch job. Customize it for your environment if you
plan to archive your XMA data tables. Refer to Appendix E: “XMA Host Macros”
starting on page 203 for more information.
Collect-Only MOVERs
Collect-Only MOVERs only update the XMA database. They do not generate alerts.
Collect–only MOVERs are generally created in conjunction with Alert-Only MOVERs,
which provide the alerts for the activity on the remote nodes. Typically, Collect-Only
MOVERs are created for remote nodes to avoid the continuous EXPAND traffic
required to update the XMA database. They “wake-up” during off peak hours to update
the day’s audit events to the XMA database and then are put back to “sleep.”
Collection Window
This is the time when the Collect-Only Serverclasses will “wake-up” to update the XMA
database and when the MOVER will be put back to “sleep.” When you create a
MOVER designated as Collect-Only, you will be asked to specify a “collection window”
during installation. To change the Collection Window, use Movers Management Menu,
option 20: Alert-Only/Collect-Only/Regular Movers on page 101.