1.0 CHANGELOG:
------------------------------------------------------------------------
jkb 2008/05/12 Document Created
------------------------------------------------------------------------
2008/03/05 APAR IZ17037 Cisco IOS messages auto-detected as Cisco PIX: added more logic to the auto-detect capabilities so that, on a best-effort basis, a new event source is identified as the device closest to the context of the event
2008/03/11 APAR IZ17399 Cisco IOS events being dropped: the $loghost value needed to be undefined between event parsing
2008/03/14 PMR 00606,634,760 ProFTPD support requested: logic for Syslog messages reported by ProFTPD was added to the rules
2008/04/02 APAR IZ17634 Symantec Network Security Syslog messages were not being parsed: added logic for the Syslog message structure
2008/04/07 PMR 00716,634,760 Hostnames were not extracted from ProFTPD events: logic to extract source/destination hostnames from ProFTPD events was added
2008/04/08 PMR 00797,634,760 Syslog Conduit sensor times were set to the EAM time: the $utimestamp value was often set to local time instead of the time extracted from the event; logic was corrected to ensure the appropriate time is used to set the $utimestamp variable
2008/04/23 PMR 42944,SGC,724 Starent ST40 support requested: added device support via the Syslog Conduit for Starent ST40 syslog messages
2008/03 Internal: Added Cisco FWSM as a device
2008/03 Internal: ISCdhcpd.pm declared a default protocol value of 0 instead of the correct value of -1
2008/03 Internal: Added MAC address extraction logic to ISCdhcpd.pm
2008/03 Internal: Replaced all instances of $protocol = 0 with $protocol = -1 to prevent the wrong protocol (0 = HOPOPT) being recorded
2008/03 Internal: Added optional ability to leverage /etc/hosts to map source or destination IPs to hostnames in all Perl-based rules
2008/03 Internal: Logic improved to parse SSHD_FAILED_ROOT_PASSWORD messages
2008/03 Internal: Removed unused scalar settings for class_id, as this variable was used in TSOM 3.1, not TSOM 4.1
2008/03 Internal: Ensuring $information is set to the original event string
2008/04 Internal: Removed old code for $logAllMessages as it is not valid for the TSOM 4.1 product
2008/05 Cisco-based products have the Event Type set to the Cisco error-reporting format: FACILITY-SEVERITY-MNEMONIC
------------------------------------------------------------------------
2008/05/20 APAR IZ20669 SNMP rules not setting the correct sensor type for TCIM or zAlert
------------------------------------------------------------------------
2008/05 APAR IZ21300 Added logic to look for an IP address from a sensor's Identifier List for all UCM/Windows related events
2008/05/21 APAR IZ22710 Sensor type identifier for Cisco IOS was corrected to reflect ROUTER instead of the original FIREWALL identifier
2008/06/04 APAR IZ22410 Corrected WebSEAL classification as an event source for parsing
2008/06/04 APAR IZ22216 Added logic to handle AIX-based Syslog messages that were not being properly parsed
2008/05/29 Internal: Added logic to identify Apache messages as a product instead of a Unix-based OS
2008/06/01 Internal: Added Syslog-based support of ModSecurity events
2008/06/06 Internal: Array undefined to prevent a performance issue with variable clean-up for Perl-based rules
2008/06/06 Internal: Added variables to Perl-based rules to reference other rule files and handlers, providing more flexible links instead of hard-coded links
2008/06/06 Internal: Added support for Symantec Mail Security logs via the UCM and UCM Conduit
2008/06/06 Internal: Added Syslog-based checks for potential messages from unknown devices to be handled by Miscellany and report the closest event type possible
2008/06/10 Internal: Added identifier for ISC products instead of using generic Unix-based sensor identifiers
2008/06/10 Internal: Added logic to take rhost values from SSH messages and determine whether they are a source IP or a source hostname
2008/06/11 Internal: Corrected named reference to the time function in Auditd.pm
2008/06/11 Adjusted Perl library references to be aware of different versions of Perl
------------------------------------------------------------------------
2008/06/23 APAR IZ24062 Added necessary SQL statements to tie Symantec Console to the UCM conduit
2008/06/24 APAR IZ24062 Associated Symantec System Console sensor to UCM and updated support for this sensor
2008/06/20 APAR IZ24431 Adjusted logic to ensure that Sourcefire events leveraged the Sourcefire rule and not SNORT
2008/06/19 Internal: Added 'Solaris 10' to the list of sensor types
2008/06/23 Internal: Added additional parsing logic to extract any username, usercontext, or IP related data from Windows Events gathered via Windows Log Parser/UCM
2008/06/27 Internal: Added UCM.CFG and UCM Conduit support for Trend Micro Control Manager
------------------------------------------------------------------------
2008/07/08 APAR IZ24431 Added logic to differentiate the Snort logic from parsing and identifying Sourcefire events as Snort
2008/07/08 APAR IZ22710 Cisco IOS is classified as a ROUTER/SWITCH sensor
2008/07/14 APAR IZ26626 Improved logic to avoid Cisco IOS-based events being auto-detected as a Cisco Secure IDS 3.x sensor
2008/07/14 APAR IZ26877 Corrected event analysis to avoid Cisco IOS events with an hour:minute:second timestamp being dropped
2008/07/15 APAR IZ26899 Corrected the logic to prevent Tipping Point event sources from being parsed as Cisco IOS
2008/07/16 APAR IZ27007 Added logic to identify and parse Fortigate events via the Syslog Conduit
2008/07 Internal: Ensured that parsed Snort messages are auto-detected with the hostname of the event source, not the Snort process name and PID
2008/07/08 Internal: Corrected spelling of the 'Solaris 10' sensor name
2008/07/08 Internal: Added additional logic to the Sourcefire rule to support legacy, current, and custom event formats
2008/07/09 Internal: Added initial support for Tumbleweed Email Firewall log tailing via the UCM. The UCM.CFG database tailer added is database tailer #35
2008/07/09 Internal: Added a "Generic Syslog" sensor to help the auto-detect/auto-config best-effort approach default an unknown event source, or an event source from an unknown OS, to something more generic instead of defaulting to sensor type LINUX
------------------------------------------------------------------------
2008/08/04 APAR IZ28925 Added logic to strip colons from source hostnames extracted from AIX Syslog messages
2008/08/04 APAR IZ17399 Cisco-based Syslog messages had the %SEC facility in a different position than previously expected; logic was added to ensure these message structures are parsed
2008/08 Internal: Began the process of adding or updating version numbers in the device list
2008/08/11 Internal: Added versions to supported sensor names: ProFTPD 1.3.1, Sourcefire 4.7, Sourcefire Defense Center 4.7, ISC DHCPD 3.1.1, ISC BIND 9.3, Cisco FWSM 7.1, ModSecurity Web Firewall 2.5.3
2008/08/11 Internal: Added preliminary support for Microsoft IAG 2007 Syslog messages
2008/08/14 Internal: Added code to handle Sourcefire Defense Center 4.7/Sourcefire 4.7 messages and updated sensor names to reflect this version
------------------------------------------------------------------------
2008/08/22 APAR IZ29086 Added check for Syslog-service rules to ensure AIX messages are flagged accordingly and not flagged as Cisco IOS or Generic Syslog
2008/08/28 APAR IZ27007 Previously unrecognized format from Fortigate accommodated so that it is auto-configured accordingly
2008/09/18 APAR IZ28699 Auto-detection and configuration of TAM Auth and Policy fixed
2008/09 APAR IZ31430 Wrong source and destination IP addresses being tied to certain events during the event parsing process
2008/09/23 APAR IZ28593 Added support for Starent ST40 restart message: extract port information for destination
2008/09 Internal: Added initial support for SELinux AVC messages via Syslog
2008/08/20 Internal: Added support for specific Cisco ASA/PIX source & destination IP format
2008/08/20 Internal: Added logic to the Syslog Conduit function to satisfy a source or destination IP address that is 0.0.0.0 from a sensor's Sensor Identifier list, if an IP address is defined
2008/08/28 Internal: Corrected order of elements for hostname translation in iPlanet parsing logic
2008/09/04 Internal: Added version to Tumbleweed Email Firewall sensor name to reflect the version supported
2008/09/09 Internal: Added support of source IP format for Cisco FWSM
2008/09/19 Internal: Added Java-based logic for parsing Sourcefire 3D Sensor data
------------------------------------------------------------------------
2008/10/09 APAR IZ33876 Checked in correction to SiteProtector.java to ensure SNMP events from this source are parsed
2008/10/23 APAR IZ34593 Updated Air Defense 7 support for Perl and created a Java-based rule to support two known event formats from Air Defense 7
2008/10/30 APAR IZ34593 Corrected Syslog rules to identify and parse Dragon 7 Syslog events
2008/10/30 APAR IZ33876 SiteProtector.java file updated as it had caused problems with the SNMP conduit
2008/10/31 APAR IZ317008 Adjusted ns_syslog.rules to determine Intrushield Syslog messages for auto-configuration and parsing
2008/10/21 Internal: Added Java-based rule support for SELinux AVC messages
2008/10/22 Internal: Added Sybari Antigen version 8 Perl-based support
2008/10/24 Internal: Cisco PIX ICMP message support augmented to ensure Protocol is ICMP and source/destination ports are 0
2008/10/27 Internal: Added Sybari Antigen version 9 Perl-based support
2008/10/30 Internal: Added association of Cisco IPS to the SDEE Conduit
2008/10/30 Internal: Added initial Perl-based support for Cisco Local Director 4.2.1 syslog messages
------------------------------------------------------------------------
2008/12/08 APAR IZ39418 Corrected potential for null pointer exception in SELinuxAVC.java
2008/12/03 APAR IZ39417 Added regex to parse BlueCoat events as they were flagged as Generic Syslog
2008/11/17 Internal: Added checks to ensure logdCodes are not null in the Syslog Conduit
2008/11/17 Internal: Added sensor time extraction from the OID->value pair of ISS Site Protector where a trap may contain this info
2008/11/18 Internal: Added support for RFC via the Syslog Conduit for both Java and Perl
2008/11/25 Internal: Added support of the %PIX identifier in previously unknown formats
2008/12/03 Internal: Added support in CiscoPix.java to recognize and extract time formats from within messages, specifically the format MMM DD YYYY HH:MM:SS (for example, Dec 03 2008 06:00:00)
2008/12/04 Internal: Associated sensor Trend Micro ScanMail to the CONTENT FILTER class
2008/12/04 Internal: Removed Windows Event Log UCM rules as they are no longer used
2008/12/04 Internal: Removed custom parse logic for SourceFire (Perl)
2008/12/16 Internal: Added WebSphere 7 Activity Log support via the UCM
2008/12/18 Internal: Added DB2 Audit Log support via UCM
2008/12/18 Internal: Removed Firewall-1 Log Grabber code from the Perl rule base
------------------------------------------------------------------------
2009/01/07 Internal: Augmented DB2 Audit support to handle the db2audit delimited format (single-line events)
2009/01/26 Internal: Added extra check for Netscreen messages
2009/01/30 Internal: Fixed checkKey method in SELinuxAVC.java parser
2009/02/20 APAR IZ43341 Updated device rules to support the standard IIS log file. Also added the flexibility to configure the event source in line with the IIS log configuration in case a custom logging setup is used.
2009/02/20 APAR IZ44116 Extended support for Cisco IOS 12.X to recognize source and destination IP from logs in the format X.X.X.X -> Y.Y.Y.Y
2009/03/06 APAR IZ42756, IZ45438 Rewrote WindowsLogParser.java
2009/03/11 APAR IZ45452 Extended support for Bluecoat Proxy SG to recognize the ELFF log format
2009/03/17 Internal: Added Oracle 10g support via the UCM conduit
2009/03/17 Internal: Added Sophos Enterprise Console 3 support via the SNMP conduit
2009/03/26 APAR IZ48165 Corrected parsing of Adiscon events to properly handle usernames with '@' and '$' signs
2009/03/27 APAR IZ45733 Corrected detection and parsing of Snort events: events were parsed as unix/generic syslog events, event types and source IP addresses were parsed incorrectly, and maintenance events were parsed as unknown
2009/03/27 Internal: Corrected potential for null pointer exception in RFC.java
2009/04/02 APAR IZ46175 Updated parsing of Cisco ASA logs to correctly extract source/destination IPs/ports, username and usercontext
2009/04/02 APAR IZ43754 Improved detection and parsing of AIX syslog messages that were sometimes detected as Generic Syslog events
------------------------------------------------------------------------
2009/05/11 APAR IZ47046 Improvement in parsing SSHd logs containing quotes around the source IP address
2009/05/15 APAR IZ51063 Fixed detection of Netscreen firewall events (which were sometimes detected as Generic Syslog). Improved parsing of src/dst IP addresses. Improved severity classification for better threat calculation. Changed the event type naming scheme: from now on all Netscreen events carry the upper-case original Netscreen log name, e.g. SYSTEM-WARNING-00520. The most interesting events (most of the emergency/alert/critical and a few error/warning/info events) additionally have a short descriptive name appended to the end, for example SYSTEM-ALERT-00011-ICMP-FLOOD.
2009/05/15 APAR IZ47665 Added support for Juniper JUNOS Router messages
2009/05/20 APAR IZ47059 Fixed detection of Dragon IDS 7.x events
2009/05/25 APAR IZ51658 Improvement in detecting Linux services: snmpd, iptables, sshd, httpd, pdns, checklogin
------------------------------------------------------------------------
2009/06/06 New device support: added support for McAfee EPO via SNMP
2009/06/16 New device support: added support for Cisco ASA IPS via the syslog conduit
2009/06/16 New device support: added support for Arbor PeakFlow X 4 via SNMP
2009/06/22 New device support: added support for Cisco Secure IDS 4.x via SNMP
2009/06/22 Internal: Improvement in parsing Fortinet FortiGate. Modified the Intrushield rule to detect Fortinet FortiGate logs
2009/06/22 APAR IZ54255 Improvement in parsing Cisco IOS syslog events. Fixed username detection and IP address parsing
------------------------------------------------------------------------
2009/07/20 Internal: Improvement in parsing CheckPoint events via the OPSEC conduit
2009/07/27 APAR IZ54879 Changed the Cisco ASA sensor class from OS to Firewall
2009/07/28 APAR IZ55996 Parsing IP address from Cisco IOS 12.X TCP-6-BADAUTH events
2009/09/01 Internal: Improvement in parsing Arbor Peakflow SNMP events
2009/09/02 Internal: Temporarily disabled support for Cisco Secure IDS 4.x via SNMP due to unwanted side effects
2009/09/09 APAR IZ59902 UCM Windows LogParser: fixed parsing of messages from Microsoft Exchange Server 2003; parts of the data in the information field were missing because of improper handling of events with the '=' character in the message text
------------------------------------------------------------------------
2009/09/29 APAR IZ63356 Cisco PIX syslog parsing updated: source/destination addresses/ports, user names
2009/10/12 APAR IZ60799 Fix for parsing event type, username and destination IP
2009/10/23 APAR IZ63560 Fix for Cisco ACS device not being detected
2009/10/23 Internal: Updated UCM ISS Site Protector support. Updated database tailer in ucm.cfg with new SQL query
2009/10/23 Internal: Added support for AIX 5.x-6.1 audit trail (UCM). Added file tailer in ucm.cfg
2009/10/27 APAR IZ63762 No LDAP connection ID from iPlanet event presented in Event Console: the connection ID is now presented in the 'User Context' field and also attached to the text in the 'Information' field of the event
------------------------------------------------------------------------
2009/11/18 APAR IZ65378 Fix for Cisco ASA parsing problems
2009/11/18 APAR IZ65453 Fix for Cisco PIX parsing problems
2009/11/18 APAR IZ65441 Fix for WebSEAL parsing problems
2009/11/24 APAR IZ64704 Fix for RSA/ACE Management Server device not being detected
2009/11/24 Internal: ISS Site Protector event classification improvement
------------------------------------------------------------------------
2009/12/15 APAR IZ65973 Distinguishing between Arbor Peakflow X and Arbor Peakflow SP events introduced, Java rule only
------------------------------------------------------------------------
2010/01/06 APAR IZ67330 Fix for "UNASSIGNED_TRAP" in Event Type for McAfee EPO 4.x, Java rule only; the Perl rule was removed
2010/01/06 APAR IZ67484 Added parsing of SourceIP and SourcePort in Windows Event Log via SNMP events
2010/01/20 APAR IZ68797 Added configurable parser for Bluecoat via UCM. The order of the fields read from the Bluecoat log can now be configured
------------------------------------------------------------------------
2010/02/11 APAR IZ69816 Fix for SSHD parsing problems and AIX detection
2010/02/22 APAR IZ70766 Added configurable parser for SAP Audit Log via UCM. The order of the fields read from the SAP Audit Log can now be configured
2010/02/23 APAR IZ70880 Fixed parsing of the event type field in Securify via SNMP traps
------------------------------------------------------------------------
2010/03/05 APAR IZ72299 Changes in TippingPoint IPS recognition and Sensor Time parsing
2010/03/24 APAR IZ70766 Added new configurable SAP Audit Log parser
2010/03/24 Internal WI XX00447 Improvements in Windows Event Log parsing on Windows systems using WEvtUtil
2010/03/24 MR042009708 IBM DataPower parser added
2010/03/24 Internal: Added a configuration file that allows specification of the Java rules' detection/execution order, easy enabling/disabling of rules, and passing of initialization parameters (optional). To support that initialization, starting from TSOM 4.1.1 FP010 the ARulesFile API has been extended with a public void init(String parameterStr) method, which is called right after rule instantiation (e.g. every time the conduit is restarted/reinitialized). On EAM startup the rules and rules/system directories are searched for a rules.conf file. If no such file is found, all *.java files existing in the directory are used (backward compatibility). TSOM 4.1.1 FP010 is required for this config file support. For more details see the rules.conf files in the respective conduit directories.
2010/03/24 Internal: Added UCM tailer and device rules for generic EIF support
2010/03/24 Internal: Added experimental support for the following devices:
    Packeteer PacketShaper 7.4.0 - SNMP
    Riverbed Steelhead 4.1 - SNMP
    Riverbed CMC 2.1.1, 3.0, 4.0 - SNMP
    Riverbed Interceptor 1.0, 1.1 - SNMP
    APC PowerNet 3.6.9 - SNMP
    McAfee Intrushield 4.1/5.1 - SNMP
    Cisco Content Switching Module 12.x - SNMP
    Cisco FWSM 7.1 - SNMP
    RSA SecurID Appliance - SNMP
    Nokia IPSO Firewall - SNMP
    WebLogic Server 8.1-10.0 - UCM
    RSA SecurID Manager 6.1 - UCM
    Cisco Catalyst 3750 - SNMP
    3Com SuperStack 3226/3250/3812/3824 - SNMP
    3Com Switch 7700 & 8800 - SNMP
    Juniper IVE OS Device - SNMP
    Note: these parsers are experimental and are therefore disabled by default. See the appropriate conduit's rules.conf file for instructions on how to enable them.
------------------------------------------------------------------------
2010/03/30 APAR IZ73693 Windows EventLog (LogParser) user name and user context parsing update
2010/03/30 Internal: AirDefence7 Java parser auto-detection update
2010/04/08 APAR IZ72299 Tipping Point IPS time parsing update
2010/04/23 APAR IZ75048 Fortinet events parsing update
2010/04/27 APAR IZ75170 Fixed parsing for SiteProtector family via SNMP
------------------------------------------------------------------------
2010/05/05 Internal: Fixed parsing of 3C0002 Bluecoat events
2010/06/29 MR122208192 / MR1222084742 3Com 7700 / 8800 (Syslog) - experimental support added
2010/06/29 MR0210094447 McAfee Email Appliance 3100 (Syslog) - experimental support added
2010/06/29 MR1021096514 Juniper Secure Access 2000 (Syslog) - experimental support added
2010/06/29 Internal: Nokia IPSO Firewall (Syslog) - experimental support added
------------------------------------------------------------------------
2010/08 APAR IZ83035 When parsing SSHd messages, the source IP was set to 0.0.0.0 if the IPv4 address was encapsulated in the IPv6 format
2010/08 MR0716104947 Extreme Networks Switches 7.X (SNMP) - experimental support added
------------------------------------------------------------------------
2010/09 APAR IZ83505 CheckPoint control events (ACTION=CTL) are not parsed properly
2010/09 APAR IZ85105 WEvtutilParser sensorTime parsing problem
2010/09 Internal: Experimental support added for the following devices:
    IBM Guardium 7.0 (Syslog)
    Tipping Point SMS (Syslog)
    Cisco IOS 12x (Windows-only Syslog Java parser)
------------------------------------------------------------------------
2010/10 APAR IZ85911 Windows Snare events being parsed as AIX events
2010/10 Internal: Problems when parsing McAfee Email Appliance 3100 events
------------------------------------------------------------------------
2010/12 APAR IZ81397 Parsing issue in UCM with AIX audit events
2010/12 APAR IZ88212 Tipping Point events may create multiple event types
2010/12 MR1129104020 Extend support for Cisco ACS
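Two of the SSHd fixes above (IZ47046, quotes around the source address, and IZ83035, an IPv4 address written in IPv6 notation being recorded as 0.0.0.0) are the same class of bug: the address token is not normalized before it is stored, so attribution is lost. The following is an added example of how to extract and normalize the source address; it is not the product's Perl or Java rule code, and the sshd log lines are constructed for the example.

```python
"""Extract the source address from OpenSSH syslog lines, including the two forms
called out in this changelog: an IPv4 address embedded in IPv6 notation
(::ffff:a.b.c.d, which the old rule recorded as 0.0.0.0) and an address wrapped
in quotes.  Added example, not TSOM/UCM product code.  Sample lines are constructed."""
import ipaddress
import re

SAMPLE_LINES = [
    'Aug  3 10:12:01 host1 sshd[2231]: Failed password for root from ::ffff:192.0.2.10 port 51122 ssh2',
    'Aug  3 10:12:05 host1 sshd[2231]: Accepted publickey for deploy from 192.0.2.20 port 40000 ssh2',
    'Aug  3 10:12:09 host1 sshd[2240]: Failed password for invalid user admin from "192.0.2.30" port 1020 ssh2',
    'Aug  3 10:12:12 host1 sshd[2250]: Accepted password for alice from 2001:db8::5 port 2222 ssh2',
]

# Accepts the "invalid user" prefix and optional quotes around the address token.
SSHD_AUTH = re.compile(
    r'sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for '
    r'(?:invalid user )?(?P<user>\S+) from "?(?P<addr>[^"\s]+)"? port (?P<port>\d+)')


def normalize_addr(text):
    """Return the canonical source IP, unwrapping ::ffff:a.b.c.d to a.b.c.d.
    Returns None rather than a fake 0.0.0.0 when the token is not an address,
    so the caller can see that attribution is missing instead of trusting it."""
    try:
        ip = ipaddress.ip_address(text.strip('"[]'))
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_sshd(line):
    """Dict with pid, outcome, method, user, src_ip, port; None if the line is not an auth event."""
    m = SSHD_AUTH.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["src_ip"] = normalize_addr(ev.pop("addr"))
    ev["port"] = int(ev["port"])
    ev["pid"] = int(ev["pid"])
    return ev


def failed_logins_by_source(lines):
    """Failed authentications per normalized source.  With the old 0.0.0.0 behaviour
    every IPv4-mapped client would have collapsed into a single bucket."""
    counts = {}
    for ev in filter(None, map(parse_sshd, lines)):
        if ev["outcome"] == "Failed":
            counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_sshd(line))
    print(failed_logins_by_source(SAMPLE_LINES))
```

Returning None for an unparseable address, rather than 0.0.0.0, is deliberate: a placeholder address is indistinguishable from a real value downstream, whereas a missing value can be counted and alerted on.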
------------------------------------------------------------------------
2011/01 APAR IZ91367 Parsing issue for Airmagnet SNMP events
------------------------------------------------------------------------
2011/03 APAR IZ92577 Parsing issues for SNORT syslog events
2011/03 APAR IZ94527 Cisco Catalyst SNMP parsing issue
2011/03 Internal: Information field content sorting for SiteProtector and McAfee SNMP parsers
------------------------------------------------------------------------
2011/05 APAR IZ99024 UCM does not correctly parse positional Cisco ACS logs
2011/05 MR0511112734 New Syslog Windows Snare Java-based parser
2011/05 Internal: Enhanced parsing for Windows 2008 event log
------------------------------------------------------------------------

2.0 DOCUMENTATION UPDATE:

1.0 UCM and support for Oracle 10g logs.

PLEASE NOTE: If you are going to use the UCM to get Oracle data for anything other than system auditing, you do not need to read this section.

The UCM supports connecting to Oracle 10g to gather audit logs. Your DBA will need to set up audit logging in the database; the audit table is typically sys.aud$. Because of how the UCM has to track and manage its position in the table, a view must be created against this table.
The following syntax will create the proper view:

create or replace view ns_aud as
select
    to_char(sa.sessionid)||to_char(sa.entryid) as pk,
    sa.sessionid, sa.entryid, sa.statement, sa.timestamp#,
    sa.userid, sa.userhost, sa.terminal,
    audit_act.name as action_name,
    sa.returncode, sa.obj$creator, sa.obj$name,
    sa.auth$privileges, sa.auth$grantee, sa.new$owner, sa.new$name,
    sa.ses$actions, sa.ses$tid,
    sa.logoff$lread, sa.logoff$pread, sa.logoff$lwrite, sa.logoff$dead, sa.logoff$time,
    sa.comment$text, sa.clientid, sa.spare1, sa.spare2,
    sa.obj$label, sa.ses$label,
    spm.name as privilege_name,
    sa.sessioncpu, sa.ntimestamp#, sa.proxy$sid, sa.user$guid,
    sa.instance#, sa.process#, sa.xid, sa.auditid, sa.scn, sa.dbid,
    to_char(sa.sqlbind) as sqlbind,
    to_char(sa.sqltext) as sqltext
from sys.aud$ sa, audit_actions audit_act, system_privilege_map spm
where audit_act.action = sa.action#
  and spm.privilege = -sa.priv$used;

Two points to check once the view exists. First, the view must be created by a user who can read sys.aud$; the account the UCM connects with then needs only SELECT on ns_aud, so do not hand the UCM SYS credentials. Second, both joins are inner joins: an aud$ row whose priv$used value has no match in system_privilege_map does not appear in the view, so if the UCM seems to be missing audit records, compare the row counts of sys.aud$ and ns_aud before looking at the tailer.

Note: the Oracle 10g JDBC library (ojdbc14.jar), originally located in ORA_HOME/product/10.1.0/db_1/jdbc/lib/, must be on the classpath of the Java used by the UCM.

2.0 UCM and support for IBM AIX 5.x-6.1 audit logs.

=================================================================================
To enable support of IBM AIX 5.x-6.1 in TSOM 4.1.1, the following configuration steps should be performed on the AIX system
=================================================================================

A1) Activate the audit subsystem (if not already activated) by executing the following command:
    audit start

A2) Check the status of auditing by executing the following command:
    audit query

A3) Execute the following command to stream the audit events to a file:
    /usr/sbin/auditstream | auditpr -t2 -v -hthelRcrpPT > /audit/stream.out &

    You may check the streamed contents of the audit log with:
    auditpr -t2 -v -hthelRcrpPT < /audit/trail | more

NOTE:
=====
Remember that the /audit/stream.out file is rewritten each time the auditing subsystem is started.
Perform data collection from the old stream.out before starting auditing. You may need to restart the command from A3 after auditing has been restarted.

HINT:
=====
To limit the amount of data collected during the auditing operation, use the -c option of the auditstream command to select a specific class of events as defined in the config file, or use the auditselect command to select specific events:

example 1: This command will collect only FILE_Open event records
    /usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Open" | auditpr -t2 -v -hthelRcrpPT > /audit/stream.out &

example 2: The following command will limit data collection to only the TCP/IP class of events as defined in the config file
    /usr/sbin/auditstream -c tcpip | auditpr -t2 -v -hthelRcrpPT > /audit/stream.out &

MORE:
=====
For additional details regarding AIX auditing see:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds1/auditstream.htm

=================================================================================
To enable support of IBM AIX 5.x-6.1 in TSOM 4.1.1, the following configuration steps should be performed in the UCM configuration file
=================================================================================

B1) Set up the general options according to your TSOM configuration.
B2) Uncomment the configuration options for the file tailer "IBM AIX 5.x-6.1 audit logs".
B3) Change the default IBM AIX 5.x-6.1 file tailer options if you need to.
B4) Set the "chunks_per_record" option to the correct value. This value is the number of lines (including empty lines) that a single audit event occupies in the output of the command from step A3. It depends on the current audit settings, so verify it against your own stream.out rather than copying it from another system; the two examples in this section show the value for an AIX 5.3 and an AIX 6.1 layout.
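The A3 command and the B4 setting are the two places where the AIX integration silently breaks: if chunks_per_record is wrong, the tailer slices records at the wrong boundaries and every event after the first is misread. The following added example (not part of the TSOM/UCM product code) parses a stream.out produced by the A3 command and derives the chunks_per_record value from the file itself. The column names follow the -h thelRcrpPT flags used in A3, and the sample records are constructed, modelled on EXAMPLE 1 and EXAMPLE 2 of this section; the text after each data line and the number of trailing blank lines in the AIX 6.1 layout are assumptions.

```python
"""Parse the auditpr stream written by step A3 and derive chunks_per_record for step B4.

Added example, not TSOM/UCM product code.  Column names follow the -h thelRcrpPT
flags of step A3.  Sample records are constructed after the README's EXAMPLE 1 and
EXAMPLE 2; detail lines and trailing blank-line counts are assumptions."""

# Ruler printed by auditpr for the A3 column set; widths copied from the README examples.
RULER = " ".join("-" * w for w in (24, 16, 15, 8, 11, 31, 8, 8, 8, 8))
TITLE_COLS = ("time", "host", "event", "login", "status",
              "command", "real", "process", "parent", "thread")


def _row(*cells):
    """Lay cells out over RULER the way auditpr does: left-justified, one space between columns."""
    widths = [len(w) for w in RULER.split(" ")]
    return " ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()


TITLE = _row(*TITLE_COLS)

# Constructed AIX 5.3 style stream: title, ruler, data, one detail line -> chunks_per_record = 4.
SAMPLE_53 = "\n".join([
    TITLE, RULER,
    _row("Mon Oct 19 09:46:25 2009", "NONE", "FS_Chdir", "root", "OK",
         "sshd", "root", "499730", "233550", "1343677"),
    "change current directory to: /",
    TITLE, RULER,
    _row("Mon Oct 19 09:47:02 2009", "NONE", "FS_Chdir", "root", "FAIL",
         "sshd", "root", "499731", "233550", "1343678"),
    "change current directory to: /etc/security",
]) + "\n"

# Constructed AIX 6.1 style stream: title, ruler, data, two detail lines and two blank
# lines -> chunks_per_record = 7 (blank lines count, as step B4 says).
SAMPLE_61 = "\n".join([
    TITLE, RULER,
    _row("Thu Oct 15 14:49:12 2009", "0003F0AAD3000000", "S_PASSWD_READ", "root", "OK",
         "db2fm", "root", "397390", "315608", "1839303"),
    "audit object read event detected /etc/security/passwd",
    "MLS Data: Not supported",
    "", "",
]) + "\n"


def _is_ruler(line):
    return bool(line.strip()) and set(line) <= {"-", " "}


def records(text):
    """Split auditpr -t2 output into records.  A record starts at the title line that
    precedes a dash ruler, so detail and blank lines stay with their own record."""
    lines = text.splitlines()
    starts = [i - 1 for i, line in enumerate(lines) if i > 0 and _is_ruler(line)]
    return [lines[s:e] for s, e in zip(starts, starts[1:] + [len(lines)])]


def chunks_per_record(text):
    """The ucm.cfg chunks_per_record value: lines per record, blank lines included.
    Refuses to guess when records differ in length, since one fixed value would
    misalign the tailer on the shorter or longer records."""
    sizes = {len(r) for r in records(text)}
    if len(sizes) != 1:
        raise ValueError("records are not uniform in length: %s" % sorted(sizes))
    return sizes.pop()


def parse_record(rec):
    """Slice the data line by the column widths of the record's own ruler;
    non-empty detail lines are kept verbatim."""
    title, ruler, data, *detail = rec
    event, pos = {}, 0
    for width in (len(w) for w in ruler.split(" ")):
        event[title[pos:pos + width].strip()] = data[pos:pos + width].strip()
        pos += width + 1
    event["detail"] = [d for d in detail if d.strip()]
    return event


def parse_stream(text):
    return [parse_record(r) for r in records(text)]


def failures(text):
    """Events whose status is not OK: the first ones to look at in a review."""
    return [e for e in parse_stream(text) if e["status"] != "OK"]


if __name__ == "__main__":
    for sample in (SAMPLE_53, SAMPLE_61):
        print("chunks_per_record =", chunks_per_record(sample))
        for ev in parse_stream(sample):
            print(ev)
```

To obtain the B4 value for a real system, read /audit/stream.out (after the audit subsystem has been running long enough to contain several records) and pass its contents to chunks_per_record(); a ValueError means the records are not uniform and a single chunks_per_record setting cannot be correct for that audit configuration.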
=============== EXAMPLE 1 (AIX 5.3, chunks_per_record = 4) ======================
time                     host             event           login    status      command                         real     process  parent   thread
------------------------ ---------------- --------------- -------- ----------- ------------------------------- -------- -------- -------- --------
Mon Oct 19 09:46:25 2009 NONE             FS_Chdir        root     OK          sshd                            root     499730   233550   1343677
change current directory to: /
=============== EXAMPLE 1 (AIX 5.3, chunks_per_record = 4) ======================

=============== EXAMPLE 2 (AIX 6.1, chunks_per_record = 7) ======================
time                     host             event           login    status      command                         real     process  parent   thread
------------------------ ---------------- --------------- -------- ----------- ------------------------------- -------- -------- -------- --------
Thu Oct 15 14:49:12 2009 0003F0AAD3000000 S_PASSWD_READ   root     OK          db2fm                           root     397390   315608   1839303
audit object read event detected /etc/security/passwd
MLS Data: Not supported
=============== EXAMPLE 2 (AIX 6.1, chunks_per_record = 7) ======================

3.0 ADVISORY:

If any custom device rules have been written, always back them up. The dev_support.sh or devicerules_install.sh|bat scripts will not overwrite them, but in the event of a rollback (dev_support.sh -r) these files may be removed.

Additionally, for any new device rules that are written, it is advised that a sensor_type_id value (for the CMS sensor_type table) of 10000 or greater is used. This will prevent issues at the CMS database level when applying an IBM TSOM Device Package. Our supported devices have an associated sensor_type_id that is less than this integer, which from the database perspective is used as a key for associative purposes.
An example is as follows:

insert into sensor_type (sensor_type_id, name, sensor_class_id_fk) values (6,'Cisco IOS 12.x',12);

If a custom rule is written and supporting SQL is used to populate the CMS database with a sensor_type_id of 355, there is a potential for a foreign key constraint error when an IBM TSOM Device Package is applied, because our development may produce a package with support for a device whose sensor_type_id is 355.

4.0 UCM and support for Bluecoat via UCM logs.

From 20/01/2010 there is a new directory tailer for Bluecoat via UCM available. It is called bluecoatex, and the main difference from the old one is that the order of the fields read from the Bluecoat log can now be configured. To do so, open the ucm.cfg file on the UCM and find the directory tailer for Bluecoat called bluecoatex (by default it is directory tailer no. 240). It should look like this:

#
# dir tailer 240 for Bluecoat (configurable parameters order for ELFF format)
#
#ucm.tailer.directory.dirname.240 = /home/ns/myucm/bluecoat
#ucm.tailer.directory.buffer.size.240 = 1024
#ucm.tailer.directory.sensortype.240 = bluecoatex(localtime time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip)
#ucm.tailer.directory.saves.file.name.240 = bluecoat-directory
#ucm.tailer.directory.start_at_end.240 = false
#ucm.tailer.directory.hostname.240 = 10.0.3.165

Configure all the options as for the old Bluecoat tailer, then edit the order of the fields passed through sensortype. The value must always have the form bluecoatex(...). The field list can be found at the beginning of the Bluecoat log as a comment (the #Fields: directive of the ELFF header); it can simply be copied and pasted into the sensortype parameter. If the configured order does not match the log's #Fields: line, the values end up under the wrong field names (for example c-ip and s-ip swapped), so re-check this value whenever the access log format on the ProxySG is changed.

5.0 New config file for device rules.
A configuration file has been added that allows specification of the Java rules' detection/execution order, easy enabling/disabling of rules, and passing of initialization parameters (optional). To support that initialization, starting from TSOM 4.1.1 FP010 the ARulesFile API has been extended with a public void init(String parameterStr) method, which is called right after rule instantiation (e.g. every time the conduit is restarted/reinitialized). On EAM startup the rules and rules/system directories are searched for a rules.conf file. If no such file is found, all *.java files existing in the directory are used (backward compatibility). TSOM 4.1.1 FP010 is required for this config file support. For more details see the rules.conf files in the respective conduit directories.
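Returning to the bluecoatex tailer of section 4.0: the whole point of the configurable sensortype list is that it must equal the log's own #Fields: directive. The following added example (not TSOM/UCM product code) reads an ELFF access log using the field order declared in its header, builds the exact bluecoatex(...) value to paste into ucm.cfg, and checks a configured value against the log so that a mismatch is reported instead of silently mislabelling columns. The sample log is constructed; its field list is the one from the ucm.cfg excerpt in section 4.0, and the bracketed form of the localtime value is an assumption about the ProxySG "localtime" field.

```python
"""Read a Blue Coat ProxySG ELFF access log using the field order from its own
#Fields: directive, the list that bluecoatex(...) in ucm.cfg must mirror.

Added example, not TSOM/UCM product code.  The log is constructed; the bracketed
localtime format is an assumption."""
import re
from itertools import zip_longest

# One ELFF token: a double-quoted value, a bracketed value (localtime contains a space),
# or a bare word.  Order matters: the bare-word alternative is tried last.
TOKEN = re.compile(r'"([^"]*)"|(\[[^\]]*\])|(\S+)')

# The sensortype value exactly as it appears in the ucm.cfg excerpt of section 4.0.
README_SENSORTYPE = ("bluecoatex(localtime time-taken c-ip sc-status s-action sc-bytes cs-bytes "
                     "cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username "
                     "cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) "
                     "cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip)")

SAMPLE_LOG = """\
#Software: SGOS 5.4.1.3
#Version: 1.0
#Date: 2010-01-20 10:00:00
#Fields: localtime time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip
[20/Jan/2010:10:00:01 +0100] 120 10.0.3.77 200 TCP_NC_MISS 5120 612 GET http www.example.com 80 /index.html - jdoe "Domain Users" - www.example.com text/html - "Mozilla/5.0 (Windows NT 5.1)" OBSERVED "Business" - 10.0.3.165
[20/Jan/2010:10:00:02 +0100] 85 10.0.3.78 403 TCP_DENIED 1024 430 GET http malware.example.net 80 /payload.exe - - - - - - - "Mozilla/4.0" DENIED "Malicious Sources" - 10.0.3.165
"""


def tokenize(line):
    return [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(line)]


def fields_directive(text):
    """The field names the log declares for itself."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return line.split()[1:]
    raise ValueError("no #Fields: directive in log")


def sensortype_value(text):
    """What to put after 'ucm.tailer.directory.sensortype.240 =' for this log."""
    return "bluecoatex(" + " ".join(fields_directive(text)) + ")"


def check_sensortype(value, text):
    """Compare a configured bluecoatex(...) list with the log's #Fields: line.
    Returns (position, configured, actual) for every position that disagrees;
    an empty list means every column will be labelled correctly."""
    if not (value.startswith("bluecoatex(") and value.endswith(")")):
        raise ValueError("sensortype must have the form bluecoatex(...)")
    configured = value[len("bluecoatex("):-1].split()
    actual = fields_directive(text)
    return [(i, c, a) for i, (c, a) in enumerate(zip_longest(configured, actual)) if c != a]


def parse_elff(text):
    """Turn each data line into a dict keyed by the names from the most recent
    #Fields: directive (a log may change format mid-file).  Lines whose token
    count disagrees with the header are rejected instead of being mislabelled."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = tokenize(line)
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d: %s" % (len(fields), len(values), line))
        events.append(dict(zip(fields, values)))
    return events


def denied(events):
    """Requests the proxy's policy blocked: the ones a SOC reviews first."""
    return [e for e in events if e["sc-filter-result"] == "DENIED"]


if __name__ == "__main__":
    print(sensortype_value(SAMPLE_LOG))
    print("mismatches:", check_sensortype(README_SENSORTYPE, SAMPLE_LOG))
    for ev in denied(parse_elff(SAMPLE_LOG)):
        print(ev["c-ip"], "->", ev["cs-host"], ev["cs-uri-path"], ev["cs-categories"])
```

Run check_sensortype() with the value from ucm.cfg against a fresh copy of the access log after any ProxySG logging change; a non-empty result is the misconfiguration that would otherwise show up only as wrong source and destination addresses in the Event Console.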