XYGATE Merged Audit Reference Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

Table Of Contents

Cover
Copyright
Publication History
Contents
Quick Reference for Common Tasks
Introduction
- XMA Components
- Categorizing the PCI Requirements in XMA
- What’s New in this Release
- General Syntax Notation
- Additional XYPRO Reference Manuals
1. Installing XMA
- 1.1 Before You Begin
- 1.2 Installing XMA Using the Automated Install Script
- 1.3 Installing the SIEM Log Adapter
  - 1.3.1 ArcSight Adapter
  - 1.3.2 Installing the Adapters
- 1.4 Upgrading XMA or XTR Using the AutoInstall Script
  - 1.4.1 Running the AutoInstall Upgrade
- 1.5 Upgrade Considerations
  - 1.5.1 Database Conversion Using CNVRTIP
- 1.6 Uninstalling XMA or XTR Using the Auto Uninstall Script
  - 1.6.1 Preparing for the Auto Uninstall Script
  - 1.6.2 Installing the GUI/PC Products
- 1.7 Managing the XYGATE License
  - 1.7.1 Checking the Status of the Current License
- 1.8 Generate Reports Using XYGATE Report Manager (XRM)
2. Sending Data to Your ArcSight SIEM
- 2.1 What is a Log Adapter
- 2.2 Four Steps to Data Transmission
- 2.3 Step 1. Configure XMA to Collect the Desired Data
  - 2.3.1 Creating the Pathway
  - 2.3.2 Creating MOVERs
- 2.4 Step 2. Determine the Transport Method
  - 2.4.1 Testing Your SIEM connection
- 2.5 Step 3. Apply the Log Adapter to Your FILTERS File
- 2.6 Step 4. Start and Monitor Your MOVERs
- 2.7 Additional References
3. Configuring Filters and the FILTERS File
- 3.1 How to Edit the FILTERS File
- 3.2 Filter Syntax
  - 3.2.1 Logical ANDs and ORs
- 3.3 Building a Filter
- 3.4 Variable Substitution Processing in the FILTERS File
- 3.5 Node-Conditional Processing in the FILTERS File
  - 3.5.1 Node-Conditional Operators
- 3.6 Determine the TCP/IP Process for Email, IPALERT, SNMP Alerts
  - 3.6.1 Step 1. Submit a WHO command
  - 3.6.2 Step 2. Submit an INFO PROCESS
- 3.7 Sending XMA Data to an Audit Logging Appliance
4. Generating Reports Using XRM
- 4.1 Generating Audit Reports Using XMA_REPORT
- 4.2 Select the Audit Subvolume
- 4.3 Select by Date and/or Time Range
- 4.4 Select by Subject Userid
- 4.5 Select by Subject Login Name(s)
- 4.6 Select by System
- 4.7 Select by Subject Terminal
- 4.8 Select Subject by Object Type
- 4.9 Select by Object Name
- 4.10 Select by Operation
- 4.11 Select By Outcome
- 4.12 Select the Output File’s Location
- 4.13 Select the Report’s Sort Order
- 4.14 Select by Rule Name
- 4.15 Select by XYGATE Product Code
- 4.16 Select by ALERTED Column
- 4.17 Select by Text in the Result Column
- 4.18 Select by Message Code
- 4.19 Select by Message ID
- 4.20 Run the Report
- 4.21 Running Reports from Archived Tables
5. Using XMA_MANAGER
- 5.1 Introduction
- 5.2 The XYGATEMA Management Main Menu
- 5.3 The Pathway Management Menu
- 5.4 The Movers Management Menu
- 5.5 The Database Management Menu
- 5.6 The Uninstall Menu
- 5.7 XMA_MANAGER Navigation Hints
- 5.8 Running XMA_MANAGER as the XMA Owner
6. Configuring MOVERs
- 6.1 MOVER Types
- 6.2 Decisions to Make Before Adding Your MOVERs
  - 6.2.1 MOVER Serverclass Naming Conventions
  - 6.2.2 XMA_MANAGER Navigation Hints
- 6.3 How to Add MOVERs
  - 6.3.1 Auto Configure your MOVERs Using Discovery
  - 6.3.2 Creating Remote Catalogs
- 6.4 Built-in Serverclasses
- 6.5 BASE24 MOVERs
  - 6.5.1 BASE24 EMS Templates
- 6.6 HLR MOVERs
  - 6.6.1 Important Notices!
- 6.7 iTP Secure WebServer MOVERs
- 6.8 BASE24-eps MOVERs
- 6.9 MOVER Parameters
  - 6.9.1 MEASURE-Related Parameters
  - 6.9.2 TMF Related Parameters
- 6.10 Time Ranges
- 6.11 Troubleshooting MOVER Problems
7. Safeguard Selection Criteria
- 7.1 Safeguard OBJECTTYPEs
- 7.2 Safeguard OPERATIONs
- 7.3 Safeguard Message Codes
- 7.4 Safeguard MessageIDs
- 7.5 Safeguard EMS Error Messages
8. Maintaining the XMA Database
- 8.1 Remove Obsolete Records
- 8.2 Routine Database Maintenance
  - 8.2.1 Perform FUP Reloads
  - 8.2.2 Update Statistics
- 8.3 Resizing the Data Tables
  - 8.3.1 Default Table Sizes
  - 8.3.2 Sizing Methods
- 8.4 Partitioning the XMA Database
9. Troubleshooting
- 9.1 XMAHELP/XMA_HELP
- 9.2 Communication with an Audit Logging Appliance System
- 9.3 Audit Log Warehouse Data Parsing
A: The MACONF File
- A1: The MACONF File Keywords
- A2: Sample MACONF File
- A3: COLLECTOR
- A4: COMPANY_NAME
- A5: HOMETERM
- A6: MACRO_NAME
- A7: PATHMON_NAME
- A8: PERUSE_OBJECT
- A9: PRIORITY
B: Administrative Tables
- B1: XYGATE MOVER Configuration Tables
- B2: XYGATE MOVER State Tables
- B3: EMS MOVER Table =XMA__EMSMVTBL
- B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL
- B5: EMS MOVER State Table =XMA_EMSMVSTATETBL
- B6: MEASURE MOVER Tables
- B7: SAFEGUARD MOVER Table =XMA_SFGMVTBL
- B8: SAFEGUARD Parameter Table =XMA_SFGMVPARAMSTBL
- B9: SAFEGUARD MOVER State Tables
- B10: BASE24 MOVER Table
- B11: BASE24 Parameter Table
- B12: BASE24 State Tables
- B13: TCP/IP Syslog Tables
- B14: HLR MOVER TABLE
- B15: HLR Parameter Table
- B16: HLR State Tables
- B17: iTP Secure WebServer MOVER Table
- B18: iTP Secure WebServer State Table
- B19: ARCHIVE Tables
- B20: PARAMS Table
- B21: SESSIONOIP Table
C: Data Tables
- C1: File Partitioning
- C2: Audit Product Table =XMA_AUDPRODUCTTBL
- C3: Audit Installation Table =XMA_AUDINSTALLTBL
- C4: Audit Session Table =XMA_AUDSESSIONTBL
- C5: Audit Detail Table =XMA_AUDITDETAILTBL
D: Sample Filters
- D1: Filter out $CMON’s “I’m Alive” Messages
- D2: Filter out XPC STATUS Commands
- D3: Filter out Safeguard reading its own user database
- D4: Filter out Safeguard No Record
- D5: Filter out XOS No Record
- D6: Filter out XOS What-if tests
- D7: Alert for SUPER.SUPER’s password change via XPQ
- D8: Alert when someone logs directly on as SUPER.SUPER
- D9: Alert for XAC command containing "–255"
- D10: Selecting security-related BASE24 EMS events
- D11: Selecting CLIM events
E: XMA Host Macros
- E1: ADELMAC
- E2: ARCMAC
- E3: CLEANDB
- E4: EMSBUILD
- E5: PARSAMP
- E6: REMFIN
- E7: UPDSTAT
- E8: XMA_AUDIT_REPORT
- E9: XMA_COMPILE_FILTERS
- E10: XMA_DATETIME_MAKE
- E11: XMA_DBVOLUME
- E12: XMA_EDIT_FILTERS
- E13: XMA_FILTERS_CHECK
- E14: XMA_INSTALL_LICENSE
- E15: XMA_LOAD_DEFINES
- E16: XMA_NETWORK_FILTERS_CHECK
- E17: XMA_NETWORK_LICENSE_INSTALL
- E18: XMA_NETWORK_VERSION
- E19: XMA_PWCOLD
- E20: XMA_PWCOOL
- E21: XMA_PWSTOP
- E22: XMA_PWVOLUME
- E23: XMA_SQLCOMPALL
- E24: XMA_SYNTAX_CHECK
- E25: XMA_UPDATE_FILTERS
- E26: XMA_VERSION
- E27: XMA_VOLUME
F: TCLEXC
G: Data Mapping
- G1: General Notes on Data Mapping Columns
- G2: Column Descriptions
- G3: How to Use the Data Mapping Tables
- G4: BASE24 Data Mapping
- G5: BASE24-eps Data Mapping
- G6: HLR Data Mapping
- G7: EMS Data Mapping
- G8: iTP Secure WebServer Mapping
- G9: Measure Data Mapping
- G11: Safeguard Data Mapping
- G12: XYGATE Access Control (XAC) Data Mapping
- G13: XYGATE Supported CMON (XCM) Data Mapping
- G14: XYGATE Host Encryption (XHE) Data Mapping
- G15: XYGATE Key Management (XKM) Data Mapping
- G16: XYGATE Process Control (XPC) Data Mapping
- G17: XYGATE Password Quality (XPQ) Data Mapping
- G18: XYGATE Object Security (XOS) Data Mapping
- G19: XYGATE Safeguard Manager (XSM) Data Mapping
- G20: XYGATE Combined Spoolcom Peruse Data Mapping (XSP)
- G21: XYGATE Transaction Router (XTR) Data Mapping
- G22: XYGATE User Authentication (XUA) Data Mapping
- G23: XYGATE Compliance PRO (XSW) Data Mapping
- G24: Column Usage Table
Glossary
Index

XYGATE Merged Audit

Reference Manual

Chapter 2. Sending Data to Your ArcSight SIEM

XYPRO Technology Corporation 29 Proprietary and Confidential

2.4.1 Testing Your SIEM connection

Use the XMA_MANAGER to test your HP NonStop-to-SIEM connection. (Refer to

chapter Chapter 5, “Using XMA_MANAGER.”)

1. Logon as the XMA owner in order to run XMA_MANAGER.

2. Load the XMA TACL segment, start the XMA_MANAGER and select

option 2: Movers.

3. To use the IPALERT message, select option 16: Test basic Alerts in the Movers

Management Menu. (Refer to section 5.4 starting on page 101.)

4. When prompted for an alert type, select T for TCP/IP Syslog.

Please enter the alert type <(M)ail, (S)NMP Trap, (U)DP Syslog, (T)CP/IP

Syslog, or (C)ollector> ->t

You will see the following prompts:

To modify any of the items below choose an option

otherwise select R to continue :

1: DNS name or IP Address :127.0.0.1

2: Port :514

3: Node :\PROD

4: IP Process :$ZTC0

X: Exit from this menu

R: Run

To clear the value for options that can be cleared, please enter '*'

Selection ?

Select option 1: DNS name or IP Address and enter the IP address of your SIEM

device.

Selection ?1

Please enter the DNS name or IP address you want to send the alert to

<127.0.0.1> ?

Verify that the IP Process name is correct. When you are ready to run the test,

select R: RUN.

Selection ?r

\PROD.$sec.xygatema.ipalert T 2013-10-08 16:05:42 $ZTC0 10.1.1.12:514 <130>

Beginning

Finished

Command completed successfully

Press Return to continue ...

The test message should have been received by the ArcSight appliance. The message

will appear in the same place as the categorized records, but things will not be in the

correct columns. View the records on the ArcSight by selecting the source system.